Main Build directory
infosec-alchemist Develop (#61)
* creating branch

* added the right version of cerbero.  This Fixes #33 (#40)

* fixed #42

* Fixed #44

* Needed to make the type always 'doc' to support changes in type mapping

* Swarm (#49)

* changed IP to elasticsearch rather than the hardcoded IP

* Swarmify the compose file

* testing

* add some basic information

* added 3 more analytics

* Fixed problem with created_by being of the wrong value

* fixed problem with the created values

* Fixed script so that PID was an integer.  Created a loop.  randomized the date

* Improvements everywhere

* removed the 900 minute log evaluation

* merging
Latest commit 79719b1 Apr 13, 2018
Type Name Latest commit message Commit time
analytic-system Develop (#61) Apr 13, 2018
config removed cti-stix-store requirement on build. code contains the function… Jan 2, 2018
elasticsearch Develop (#37) Jan 8, 2018
logstash Develop (#59) Apr 13, 2018
.gitignore Initial checkin of Unfetter-Analytic Feb 27, 2017 Initial checkin of Unfetter-Analytic Feb 27, 2017 Develop (#41) Jan 10, 2018
docker-compose.yml Develop (#59) Apr 13, 2018


Welcome to the Unfetter project, a reference implementation inspired by The MITRE Corporation's Cyber Analytics Repository (CAR) and Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) projects.

This reference implementation provides a framework for collecting events (process creation, network connections, Windows Event Logs, etc.) from a client machine (Windows 7) and performing CAR analytics to detect potential adversary activity.

The goal of this effort is to enable analytic developers, malware analysts, or infrastructure owners to experiment with existing adversary detection analytics or create additional analytics. Efforts have been made to simplify the installation and setup of this reference implementation. While scalable components have been used, this is meant to be a development system. A production architecture would need to be further developed to run in a large-scale environment.

Please see our webpage for more details:

System Requirements

Project Setup

Unfetter Analytic relies on three different systems. The first is the analytic system, based on an ELK stack with Apache Spark on top. The second is the Unfetter Discover web service. The third is any Windows machine that can generate Sysmon and Windows events and ship them to the Unfetter Analytic system.

Details for setting up this project are at

To quickly get the Unfetter Analytic and Unfetter Discover systems running, follow these steps.

Create a directory to hold all the projects:

mkdir unfetter-analytic
cd unfetter-analytic

Next, you will need to clone two repos in unfetter-analytic.

 git clone
 git clone

Next, change into the unfetter directory, which houses the docker-compose.yml files, and run docker-compose:

cd unfetter
docker-compose up


After running the docker-compose command, you can view the Kibana application at: http://localhost:5601/
