DefensePointSecurity / threat_note

DPS' Lightweight Investigation Notebook
Apache License 2.0
422 stars, 97 forks

Building watchlists in threat_note #58

Open advancedeng opened 8 years ago

advancedeng commented 8 years ago

Hi again,

Do you think that threat_note is the right tool for building and maintaining watchlists (domain names, hostnames, registration email addresses, IP addresses)? If yes, then there are some use cases:

Cheers, Andreas

swannysec commented 8 years ago

I think this is interesting. Right now, everything is a "manual pull" when you open an indicator page. If threat_note moves to pulling new info on those indicators in an automated fashion, on a schedule for example, this idea has a ton of merit!

brianwarehime commented 8 years ago

Interesting idea for sure. I could definitely build in some monitoring capability. Maybe something like creating a new field for stuff like 'last_resolved' and store the last domain or IP the indicator resolved to, and if the new result is different, then alert the user. Definitely something to do in the future.
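
The resolution-change check sketched in the comment above, written out as an added example in Python (the language threat_note is written in); this is not threat_note's own code and nothing here exists in the project. It assumes a `last_resolved` field on each watchlist entry, as proposed, plus a caller-supplied resolver so the check runs offline; the domain names and addresses in the sample answers are constructed. The edge cases a scheduled job has to get right are handled explicitly: a first-ever resolution only seeds the stored value, and a failed lookup (NXDOMAIN, timeout) never overwrites the stored value or raises an alert.

```python
"""Watchlist re-resolution check for threat_note-style indicators.

Added example, not threat_note's own code. `last_resolved` is the proposed
per-indicator field; `resolve` is injected so the logic can run offline.
A real deployment would pass a function doing A/PTR lookups (for example
via dns.resolver) with the same (value, type) -> answer-or-None contract.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str, str], Optional[str]]


@dataclass
class Indicator:
    """One watchlist entry. `value` is the watched domain or IP."""
    value: str
    type: str                               # "domain" or "ipv4"
    last_resolved: Optional[str] = None     # proposed field from the thread
    last_checked: Optional[datetime] = None
    alerts: List[dict] = field(default_factory=list)


def check_indicator(ind: Indicator, resolve: Resolver,
                    now: Optional[datetime] = None) -> Optional[dict]:
    """Re-resolve one indicator; return an alert dict only if the answer changed.

    - first successful resolution: store it, no alert (nothing to compare to)
    - resolver returns None (NXDOMAIN/timeout): keep the old value, no alert,
      so a transient failure never clobbers the stored answer
    - different answer: record the new value and return an alert
    """
    now = now or datetime.now(timezone.utc)
    current = resolve(ind.value, ind.type)
    ind.last_checked = now
    if current is None:
        return None
    if ind.last_resolved is None:
        ind.last_resolved = current
        return None
    if current == ind.last_resolved:
        return None
    alert = {
        "indicator": ind.value,
        "type": ind.type,
        "previous": ind.last_resolved,
        "current": current,
        "seen": now.isoformat(),
    }
    ind.last_resolved = current
    ind.alerts.append(alert)
    return alert


def run_watchlist(watchlist: List[Indicator], resolve: Resolver,
                  now: Optional[datetime] = None) -> List[dict]:
    """One scheduled pass over the whole watchlist; returns the change alerts."""
    alerts = []
    for ind in watchlist:
        alert = check_indicator(ind, resolve, now)
        if alert:
            alerts.append(alert)
    return alerts


def demo() -> Tuple[List[Indicator], List[dict], List[dict]]:
    """Two scheduled passes over a constructed watchlist.

    Pass 1 seeds a new indicator, alerts on one whose stored value is stale,
    and leaves an unresolvable one untouched. Between passes the first domain
    "moves" to new hosting, so pass 2 alerts on it.
    """
    # Constructed stand-in for DNS/reverse DNS; all names and IPs are made up.
    answers: Dict[Tuple[str, str], Optional[str]] = {
        ("bad-domain.example", "domain"): "203.0.113.10",
        ("198.51.100.7", "ipv4"): "mail.attacker.example",
        ("gone.example", "domain"): None,
    }

    def sample_resolve(value: str, typ: str) -> Optional[str]:
        return answers.get((value, typ))

    watchlist = [
        Indicator("bad-domain.example", "domain"),
        Indicator("198.51.100.7", "ipv4", last_resolved="old.attacker.example"),
        Indicator("gone.example", "domain", last_resolved="203.0.113.99"),
    ]
    first = run_watchlist(watchlist, sample_resolve)
    answers[("bad-domain.example", "domain")] = "203.0.113.55"   # hosting change
    second = run_watchlist(watchlist, sample_resolve)
    return watchlist, first, second


if __name__ == "__main__":
    _, first, second = demo()
    for a in first + second:
        print(f"{a['indicator']} changed: {a['previous']} -> {a['current']}")
```

Run it as a cron job or scheduler task and the returned alerts are what gets surfaced to the user; because the resolver is a parameter, the same check works for forward lookups on domains and reverse lookups on IPs.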

brianwarehime commented 8 years ago

As swannysec said, this would be on a per-user basis, so it would only use the data in your database to go off of. Not sure how well a long-term cache of indicators would work until I move this to a web version for all users instead of running locally.