Watcher Open Source Cybersecurity Threat Hunting Platform
Watcher Open Source Cybersecurity Threat Hunting Platform

Watcher: Open Source Cybersecurity Threat Hunting Platform

Watcher is a Django & React JS automated platform for discovering new potentially cybersecurity threats targeting your organisation.

It should be used on webservers and available on Docker.

Watcher capabilities

  • Detecting emerging cybersecurity trends like new vulnerabilities, malwares… Via social networks & other RSS feeds (www.cert.ssi.gouv.fr, www.cert.europa.eu, www.us-cert.gov, www.cyber.gov.au…).
  • Monitor for information leaks, for example in Pastebin & other IT content exchange websites (stackoverflow, github, gitlab, bitbucket, apkmirror, npm…).
  • Monitor malicious domain names for changes (IPs, mail/MX records, web pages using TLSH).
  • Detecting suspicious domain names targeting your organisation, using dnstwist.

Useful as a bundle regrouping threat hunting/intelligence automated features.

Additional features

  • Create cases on TheHive and events on MISP.
  • Integrated IOCs export to TheHive and MISP.
  • LDAP & Local Authentication.
  • Email notifications.
  • Ticketing system feeding.
  • Admin interface.
  • Advance users permissions & groups.

Involved dependencies

Screenshots

Watcher provides a powerful user interface for data visualization and analysis. This interface can also be used to manage Watcher usage and to monitor its status.

Threats detection

Watcher threats detection
Watcher threats detection

Data leaks

Watcher keywords detection
Watcher keywords detection

Malicious domain names monitoring

Watcher Malicious domain names monitoring
Watcher Malicious domain names monitoring

IOCs export to TheHive & MISP

Watcher IOCs export
Watcher IOCs export

Suspicious domain names detection

Watcher Suspicious domain names detection
Watcher Suspicious domain names detection

Django provides a ready-to-use user interface for administrative activities. We all know how an admin interface is important for a web project: Users management, user group management, Watcher configuration, usage logs…

Admin interface

Admin interface by Watcher
Admin interface by Watcher

Installation

Create a new Watcher instance in ten minutes using Docker.

Prerequisites

Launch watcher

  • Grab the docker-compose.yml.env files and SearxRss-bridge directories (Keep directory structure).
  • According to your existent infrastructure you may configure Watcher settings using the .env file (Static configuration).
  • docker-compose up

This should run Docker containers.

Please wait until you see:

watcher          | db_watcher is up, starting Watcher.
watcher          | Performing system checks...
watcher          | 
watcher          | System check identified no issues (0 silenced).
watcher          | October 08, 2020 - 10:28:02
watcher          | Django version 3.1.1, using settings 'watcher.settings'
watcher          | Starting development server at http://0.0.0.0:9002/
watcher          | Quit the server with CONTROL-C.
  • Try Access Watcher on http://0.0.0.0:9002 or http://yourserverip:9002.
  • CONTROL-C
  • docker-compose down to stop all containers.

See Installation Guide.

Platform architecture

Watcher Platform architecture
Watcher Platform architecture

Get involved

There are many ways to getting involved with Watcher:

  • Report bugs by opening Issues on GitHub.
  • Request new features or suggest ideas (via Issues).
  • Make pull-requests.
  • Discuss bugs, features, ideas or issues.
  • Share Watcher to your community (Twitter, Facebook…).

Pastebin compliant

In order to use Watcher pastebin API feature, you need to subscribe to a pastebin pro account and whitelist Watcher public IP (see https://pastebin.com/doc_scraping_api).

Dark Mode

Watcher (this link opens in a new window) by thalesgroup-cert (this link opens in a new window)

Watcher – Open Source Cybersecurity Threat Hunting Platform. Developed with Django & React JS.