The DoveHawk Project provides threat hunting automation capabilities using the Zeek Network Security Monitor, the MISP Malware Information Sharing Platform, and your own threat intelligence.
The DoveHawk Module handles downloading and importing MISP indicators into Zeek (Bro) every 4 hours and reports MISP sightings back for any hits. Hunt malware and adversaries on your network with your own threat intelligence, leveraging the community power of MISP.
Transparent cluster support: the cluster manager downloads the indicators from MISP and automatically distributes them to all workers.
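As an added example (not DoveHawk's own importer), the following Python shows the conversion step behind an import like the one described above: MISP attributes are mapped onto Zeek Intel Framework types and written in the tab-separated format Zeek's intel framework loads. It assumes the attribute JSON shape returned by MISP's /attributes/restSearch endpoint (a list of attribute dicts with "type", "value", "to_ids", "event_id" and an optional "comment"); the MISP URL and the sample attributes are constructed.

```python
"""Convert a MISP attribute export into a Zeek Intel Framework file.

Added example, not DoveHawk's own importer. It assumes the attribute JSON
that MISP's /attributes/restSearch endpoint returns (a list of attribute
dicts carrying "type", "value", "to_ids", "event_id" and optionally
"comment"); the MISP URL and all sample values below are constructed.
"""
import json

# MISP attribute type -> Zeek Intel::Type. Types with no Zeek equivalent
# (e.g. "comment", "text", "yara") are deliberately not mapped.
MISP_TO_ZEEK = {
    "ip-dst": "Intel::ADDR", "ip-src": "Intel::ADDR",
    "domain": "Intel::DOMAIN", "hostname": "Intel::DOMAIN",
    "url": "Intel::URL",
    "md5": "Intel::FILE_HASH", "sha1": "Intel::FILE_HASH", "sha256": "Intel::FILE_HASH",
    "email-src": "Intel::EMAIL", "email-dst": "Intel::EMAIL",
}

# Column order of the tab-separated file the Zeek intel framework reads.
FIELDS = ("indicator", "indicator_type", "meta.source", "meta.desc",
          "meta.url", "meta.do_notice")


def normalize(ztype, value):
    """Canonicalize an indicator for Zeek, or return None if it cannot be
    written safely into a tab-separated intel file."""
    value = value.strip()
    if not value or any(c in value for c in "\t\r\n"):
        return None  # a tab or newline would corrupt the TSV file
    if ztype == "Intel::URL":
        # Zeek matches URL intel against host+path with no scheme
        value = value.split("://", 1)[1] if "://" in value else value
    elif ztype == "Intel::DOMAIN":
        value = value.lower().rstrip(".")
    elif ztype == "Intel::FILE_HASH":
        value = value.lower()
    return value


def attributes_to_rows(attributes, misp_url, source="MISP", notice=True):
    """Build (indicator, type, source, desc, url, do_notice) rows, keeping
    only IDS-flagged attributes and dropping duplicates."""
    rows, seen = [], set()
    for attr in attributes:
        ztype = MISP_TO_ZEEK.get(attr.get("type"))
        if ztype is None or not attr.get("to_ids", False):
            continue  # not exportable, or the analyst did not flag it for IDS use
        indicator = normalize(ztype, str(attr.get("value", "")))
        if indicator is None or (indicator, ztype) in seen:
            continue
        seen.add((indicator, ztype))
        desc = (attr.get("comment") or "").replace("\t", " ").replace("\n", " ") or "-"
        rows.append((indicator, ztype, source, desc,
                     f"{misp_url}/events/view/{attr.get('event_id', '-')}",
                     "T" if notice else "F"))
    return rows


def render_intel_file(rows):
    """Serialize rows with the #fields header Zeek's input framework expects."""
    lines = ["#fields\t" + "\t".join(FIELDS)]
    lines.extend("\t".join(r) for r in rows)
    return "\n".join(lines) + "\n"


def rows_from_restsearch(text, misp_url):
    """Parse a raw restSearch response body ({"response": {"Attribute": [...]}})."""
    return attributes_to_rows(json.loads(text)["response"]["Attribute"], misp_url)


# Constructed sample, shaped like a restSearch attribute list.
SAMPLE_ATTRIBUTES = [
    {"type": "ip-dst", "value": "203.0.113.5", "to_ids": True, "event_id": "42", "comment": "C2 server"},
    {"type": "domain", "value": " Bad.Example.NET. ", "to_ids": True, "event_id": "42"},
    {"type": "url", "value": "http://bad.example.net/gate.php", "to_ids": True, "event_id": "42"},
    {"type": "sha256", "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
     "to_ids": True, "event_id": "43"},
    {"type": "comment", "value": "analyst note", "to_ids": False, "event_id": "42"},    # no Zeek type
    {"type": "ip-dst", "value": "198.51.100.7", "to_ids": False, "event_id": "42"},     # not flagged for IDS
    {"type": "domain", "value": "evil\tname.example", "to_ids": True, "event_id": "42"},  # would break TSV
    {"type": "ip-dst", "value": "203.0.113.5", "to_ids": True, "event_id": "44"},       # duplicate
]

if __name__ == "__main__":
    print(render_intel_file(attributes_to_rows(SAMPLE_ATTRIBUTES, "https://misp.example.internal")), end="")
```

Two details matter for an importer that runs unattended: attributes whose `to_ids` flag is off are left out, because an analyst has said they are not safe to alert on, and any value containing a tab or newline is dropped rather than written, because one such value silently shifts every column of the intel file that follows it.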
Capture passive DNS (pDNS) data with Zeek into a central database to run historical checks for malware domains and to quality-check new indicators against normal activity. This module aggregates DNS queries from all hosts over a 16-minute period to anonymize activity.
Capture partial netflow data with Zeek into a central database to run historical checks for malware activity and to quality-check new indicators against normal activity. This module sums outbound flow from all hosts over a 10-minute period to anonymize activity: all sessions from all hosts are combined into a single count of outgoing traffic bytes per IP. Inbound traffic is not counted.
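The two aggregation rules above (DNS queries counted per 16-minute window, outbound bytes summed per destination IP per 10-minute window, inbound not counted) are shown here in an added Python example that is not DoveHawk's own Zeek scripts. It uses the field names Zeek writes to dns.log and conn.log ("ts", "query", "id.resp_h", "orig_bytes", "local_orig", "local_resp"); all records are constructed, and the prevalence check at the end is the kind of "is this indicator normal here?" question the page says the database exists to answer.

```python
"""Bucket Zeek dns.log / conn.log records into anonymized aggregates.

Added example, not DoveHawk's own aggregation scripts (which run inside
Zeek). It uses the field names Zeek writes to dns.log and conn.log; the
bucket widths come from the project description and every record below
is constructed.
"""
from collections import Counter

DNS_BUCKET = 16 * 60   # seconds per pDNS aggregation window
FLOW_BUCKET = 10 * 60  # seconds per netflow aggregation window


def bucket_start(ts, width):
    """Epoch second at which the window containing ts begins."""
    return int(ts // width) * width


def aggregate_dns(dns_records, width=DNS_BUCKET):
    """Count queries per (bucket, name). The querying host is dropped, so the
    result says what the network asked for, never who asked."""
    counts = Counter()
    for rec in dns_records:
        name = rec["query"].strip().lower().rstrip(".")
        if name:
            counts[(bucket_start(rec["ts"], width), name)] += 1
    return counts


def aggregate_outbound(conn_records, width=FLOW_BUCKET):
    """Sum bytes sent by local hosts per (bucket, remote IP). Inbound and
    purely internal sessions are skipped; an unset orig_bytes ("-") counts as 0."""
    totals = Counter()
    for rec in conn_records:
        if not rec.get("local_orig") or rec.get("local_resp"):
            continue  # only local -> remote sessions are outbound
        totals[(bucket_start(rec["ts"], width), rec["id.resp_h"])] += rec.get("orig_bytes") or 0
    return totals


def buckets_seen(aggregate, key):
    """Windows in which an indicator already appeared; a candidate indicator
    that shows up in nearly every window is routine traffic, not a hunt lead."""
    return sorted(b for (b, k) in aggregate if k == key)


def dns_rows(counts):
    """JSON-ready rows for shipping to the central database (no host field)."""
    return [{"bucket": b, "query": q, "count": n} for (b, q), n in sorted(counts.items())]


def flow_rows(totals):
    return [{"bucket": b, "dst": ip, "bytes": n} for (b, ip), n in sorted(totals.items())]


T0 = 1_700_000_000.0  # constructed epoch base for the samples
SAMPLE_DNS = [
    {"ts": T0 + 5,    "id.orig_h": "10.0.0.11", "query": "bad.example.net."},
    {"ts": T0 + 90,   "id.orig_h": "10.0.0.12", "query": "Bad.Example.NET"},
    {"ts": T0 + 120,  "id.orig_h": "10.0.0.11", "query": "update.example.org"},
    {"ts": T0 + 2000, "id.orig_h": "10.0.0.13", "query": "update.example.org"},  # next window
]
SAMPLE_CONN = [
    {"ts": T0 + 10, "id.orig_h": "10.0.0.11",    "id.resp_h": "203.0.113.5", "orig_bytes": 1500,
     "local_orig": True,  "local_resp": False},
    {"ts": T0 + 30, "id.orig_h": "10.0.0.12",    "id.resp_h": "203.0.113.5", "orig_bytes": 2500,
     "local_orig": True,  "local_resp": False},
    {"ts": T0 + 40, "id.orig_h": "198.51.100.9", "id.resp_h": "10.0.0.11",   "orig_bytes": 9000,
     "local_orig": False, "local_resp": True},   # inbound: not counted
    {"ts": T0 + 50, "id.orig_h": "10.0.0.11",    "id.resp_h": "10.0.0.12",   "orig_bytes": 400,
     "local_orig": True,  "local_resp": True},   # internal: not counted
    {"ts": T0 + 60, "id.orig_h": "10.0.0.11",    "id.resp_h": "203.0.113.5", "orig_bytes": None,
     "local_orig": True,  "local_resp": False},  # conn.log "-": counted as 0
]

if __name__ == "__main__":
    for row in dns_rows(aggregate_dns(SAMPLE_DNS)) + flow_rows(aggregate_outbound(SAMPLE_CONN)):
        print(row)
```

Rows keyed only on (window, name) or (window, destination) are what leave the sensor; nothing per-host survives, which is the anonymization the description refers to.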
Serverless Python Lambda function to use behind an API Gateway to import passive DNS and anonymized netflow into an RDS database.
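An added example of what such a Lambda import endpoint looks like, written for this page and not DoveHawk's own function: the handler validates every record in the request body before touching the database, then inserts them with parameterized statements. It assumes the event shape API Gateway's Lambda proxy integration delivers (JSON under "body"), a pymysql connection configured from DB_* environment variables, and table and column names (pdns, netflow) that are placeholders; authentication of the caller is left to API Gateway.

```python
"""API Gateway -> Lambda handler that validates pDNS / netflow aggregates
and inserts them into RDS with parameterized SQL.

Added example, not DoveHawk's Lambda. Table names (pdns, netflow), column
names, the DB_* environment variables and the pymysql driver are
assumptions; the event shape is the one API Gateway's Lambda proxy
integration delivers (JSON body under "body").
"""
import ipaddress
import json
import os

MAX_RECORDS = 5000  # cap one call so a misbehaving sensor cannot flood the DB

# Parameterized statements: record values are bound by the driver, never
# interpolated into the SQL text.
SQL = {
    "pdns":    "INSERT INTO pdns (bucket_ts, query, hits) VALUES (%s, %s, %s)",
    "netflow": "INSERT INTO netflow (bucket_ts, dst_ip, out_bytes) VALUES (%s, %s, %s)",
}


def _is_int(x):
    return isinstance(x, int) and not isinstance(x, bool)  # bool is an int subclass


def _validate(kind, rec):
    """Return a clean tuple for one record, or raise ValueError."""
    bucket = rec.get("bucket")
    if not _is_int(bucket) or bucket < 0:
        raise ValueError("bucket must be a non-negative integer")
    if kind == "pdns":
        q = rec.get("query")
        if not isinstance(q, str) or not 0 < len(q) <= 253 or any(c.isspace() for c in q):
            raise ValueError("bad query name")
        hits = rec.get("count")
        if not _is_int(hits) or hits < 1:
            raise ValueError("count must be a positive integer")
        return (bucket, q.lower().rstrip("."), hits)
    if kind == "netflow":
        dst = rec.get("dst")
        if not isinstance(dst, str):
            raise ValueError("dst must be a string")
        dst = str(ipaddress.ip_address(dst))  # raises ValueError on anything but an IP
        nbytes = rec.get("bytes")
        if not _is_int(nbytes) or nbytes < 0:
            raise ValueError("bytes must be a non-negative integer")
        return (bucket, dst, nbytes)
    raise ValueError("unknown kind")


def import_payload(body, cursor):
    """Parse the JSON body, validate every record, then insert in one batch.
    Returns (http_status, response_dict). Nothing is written if any record fails."""
    try:
        payload = json.loads(body or "")
        kind = payload["kind"]
        records = payload["records"]
        if kind not in SQL or not isinstance(records, list):
            raise ValueError("kind must be pdns|netflow and records a list")
        if len(records) > MAX_RECORDS:
            raise ValueError("too many records")
        rows = [_validate(kind, r) for r in records]
    except (ValueError, KeyError, TypeError) as exc:
        return 400, {"error": str(exc)}
    if rows:
        cursor.executemany(SQL[kind], rows)
    return 200, {"inserted": len(rows)}


def lambda_handler(event, context):
    """Lambda entry point (assumed pymysql driver, imported lazily so the
    module loads without it)."""
    import pymysql
    conn = pymysql.connect(host=os.environ["DB_HOST"], user=os.environ["DB_USER"],
                           password=os.environ["DB_PASSWORD"], database=os.environ["DB_NAME"])
    try:
        with conn.cursor() as cur:
            status, body = import_payload(event.get("body"), cur)
        if status == 200:
            conn.commit()
    finally:
        conn.close()
    return {"statusCode": status, "body": json.dumps(body)}
```

The split between `import_payload` and `lambda_handler` keeps the validation and SQL logic testable without a database: a fake cursor that records `executemany` calls is enough to confirm that a malformed record rejects the whole batch and that values only ever reach the driver as bound parameters.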