Mihari is a framework for continuous, OSINT-based threat hunting.
How it works
- Mihari makes a query against Shodan, Censys, VirusTotal, SecurityTrails, etc. and extracts artifacts (IP addresses, domains, URLs or hashes).
- Mihari checks whether a DB (SQLite3, PostgreSQL or MySQL) already contains the artifacts or not.
- If it doesn't contain the artifacts:
  - Mihari creates an alert on TheHive.
  - Mihari sends a notification to Slack.
  - Mihari creates an event on MISP.
You can also review the alerts in the built-in web app.
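The query-then-deduplicate loop described above, as an added Ruby example that is not Mihari's own code: it classifies constructed query results into the four artifact types, checks them against an in-memory store standing in for the SQLite3/PostgreSQL/MySQL DB, records the new ones, and returns the alert a notifier (TheHive, Slack, MISP) would receive. Names such as `ArtifactStore`, `classify` and `hunt` are assumptions for this example only.

```ruby
require "set"
require "ipaddr"

# Constructed stand-in for the artifact DB (SQLite3/PostgreSQL/MySQL in the real tool).
# Keys are "type:value" so the same indicator is never alerted on twice.
class ArtifactStore
  def initialize
    @seen = Set.new
  end

  def known?(artifact)
    @seen.include?(key(artifact))
  end

  def add(artifact)
    @seen.add(key(artifact))
  end

  private

  def key(artifact)
    "#{artifact[:type]}:#{artifact[:value]}"
  end
end

# Classify a raw string returned by a search service into one of the artifact
# types the tool works with (ip, domain, url or hash). Returns nil for junk.
def classify(value)
  return { type: :url, value: value } if value.match?(%r{\Ahttps?://}i)
  return { type: :hash, value: value.downcase } if value.match?(/\A(\h{32}|\h{40}|\h{64})\z/)
  begin
    IPAddr.new(value)
    return { type: :ip, value: value }
  rescue ArgumentError
    # not an IPv4/IPv6 address; fall through to the domain check
  end
  return { type: :domain, value: value.downcase } if value.match?(/\A[a-z0-9.-]+\.[a-z]{2,}\z/i)
  nil
end

# One hunting run: keep only artifacts the store has not seen, record them, and
# return the alert payload a notifier would receive. Returns nil when nothing is new.
def hunt(title, raw_results, store)
  fresh = raw_results.filter_map { |v| classify(v) }.reject { |a| store.known?(a) }
  return nil if fresh.empty?

  fresh.each { |a| store.add(a) }
  { title: title, artifacts: fresh }
end
```

A second run over the same results yields no alert, which is what keeps a continuous hunt from paging on indicators already known.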
Supported services
Mihari supports the following services by default.
- BinaryEdge
- Censys
- CIRCL passive DNS / passive SSL
- crt.sh
- DN Pedia
- dnstwister
- Onyphe
- OTX
- PassiveTotal
- Pulsedive
- SecurityTrails
- Shodan
- Spyse
- urlscan.io
- VirusTotal
- ZoomEye
See Usage for more information.
Docs
- Requirements & Installation
- Usage
- Built-in Web App
- Configuration
- Custom Script
- Docker
- GitHub Actions
License
The gem is available as open source under the terms of the MIT License.