IntelStack is an advanced threat intelligence and security analysis platform by GuardianVigil that empowers security teams with comprehensive threat detection, analysis, and response capabilities.
IntelStack is a powerful security operations platform that integrates multiple threat intelligence sources and analysis tools into a unified interface. The platform provides security analysts with comprehensive capabilities for threat detection, investigation, and response.
- Multi-source IP reputation checking
- Geolocation data with visual mapping
- Historical threat intelligence data
- Network infrastructure insights
- Comprehensive threat scoring
- Integration with VirusTotal, AbuseIPDB, and other threat intelligence platforms
- Domain reputation scoring across multiple platforms
- WHOIS information retrieval
- SSL certificate analysis
- Associated infrastructure mapping
- DNS record analysis and history
- Integration with VirusTotal, AlienVault, Pulsedive, and SecurityTrails
- URL safety verification
- Phishing detection
- Malicious content identification
- Screenshot capture and analysis
- Redirect chain analysis
- Integration with VirusTotal, URLScan.io, and Hybrid Analysis
- File hash reputation checking
- Malware family identification
- Detection ratio across antivirus engines
- File metadata extraction
- YARA rule matching
- Support for MD5, SHA-1, and SHA-256 hash formats
- Email header analysis
- Attachment scanning
- Sender reputation checking
- Phishing indicators detection
- SPF, DKIM, and DMARC validation
- Support for .eml and .msg file formats
- Secure file detonation environment
- Behavioral analysis of suspicious files
- Network traffic monitoring
- Registry and file system changes tracking
- MITRE ATT&CK mapping of observed behaviors
- Support for multiple file types (executables, documents, scripts, archives)
- Comprehensive tactics and techniques reference
- Threat actor group profiles
- Technique relationships and dependencies
- Mitigation recommendations
- Interactive ATT&CK matrix
- Support for Enterprise, Mobile, and ICS frameworks
- IOC search across your environment
- Custom query builders
- Saved hunt templates
- Scheduled hunts with alerting
- Historical hunt results
- Threat intelligence feed aggregation
- Indicator management and enrichment
- Custom intelligence source integration
- Automated indicator scoring
- Intelligence sharing capabilities
- Customizable analysis workflows
- Automated enrichment of indicators
- Playbook-based response actions
- Integration with ticketing systems
- Alert triage automation
- Support for major threat intelligence platforms
- SIEM integration capabilities
- Endpoint security tool connections
- Custom API integrations
- Webhook support for notifications
- Python 3.8+
- Redis Server 6.0+
- Modern web browser (Chrome, Firefox, Edge recommended)
1. Clone the repository:

   ```bash
   git clone https://github.com/GuardianVigil/IntelStack.git
   cd IntelStack
   ```

2. Run the setup script:

   ```bash
   python setup.py
   ```

   This will:
   - Create a virtual environment
   - Install all required dependencies
   - Set up the database
   - Create a superuser account

3. Start the application:

   ```bash
   python run.py
   ```

4. Access the application at http://localhost:8000
The following environment variables can be configured:
```
DEBUG=True
SECRET_KEY=your-secret-key
ALLOWED_HOSTS=localhost,127.0.0.1
REDIS_HOST=localhost
REDIS_PORT=6379
REDIS_DB=0
```
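The values above are a local development configuration. As an added example (not IntelStack's own code), this checker parses such a block, flags the settings that are unsafe once the instance is reachable by anyone but the analyst, and produces a hardened copy; it assumes IntelStack reads these variables as a Django-style application would, and the placeholder list and key-length threshold are assumptions.

```python
import secrets
from typing import Dict, List

# Constructed copy of the environment block above (assumption: the app reads
# these via os.environ, Django-style; this checker is not project code).
SAMPLE_ENV = """\
DEBUG=True
SECRET_KEY=your-secret-key
ALLOWED_HOSTS=localhost,127.0.0.1
REDIS_HOST=localhost
REDIS_PORT=6379
REDIS_DB=0
"""

PLACEHOLDER_SECRETS = {"", "your-secret-key", "changeme", "secret"}


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env


def production_findings(env: Dict[str, str]) -> List[str]:
    """Settings that must change before the instance is exposed beyond localhost."""
    findings: List[str] = []
    if env.get("DEBUG", "False").lower() in ("true", "1", "yes"):
        findings.append("DEBUG: debug error pages expose settings and stack traces")
    secret = env.get("SECRET_KEY", "")
    if secret in PLACEHOLDER_SECRETS or len(secret) < 50:
        findings.append("SECRET_KEY: placeholder or short key lets sessions be forged")
    hosts = [h.strip() for h in env.get("ALLOWED_HOSTS", "").split(",") if h.strip()]
    if not hosts or "*" in hosts:
        findings.append("ALLOWED_HOSTS: list the real hostnames, never '*'")
    return findings


def hardened_env(env: Dict[str, str], hostname: str) -> Dict[str, str]:
    """Return a copy with the weak settings replaced by production-safe values."""
    fixed = dict(env)
    fixed["DEBUG"] = "False"
    fixed["SECRET_KEY"] = secrets.token_urlsafe(64)  # 86 URL-safe characters
    fixed["ALLOWED_HOSTS"] = hostname
    return fixed
```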
IntelStack can be easily deployed using Docker: https://hub.docker.com/r/guardianvigil/intelstack

1. Make sure Docker and Docker Compose are installed on your system

2. Build and start the containers:

   ```bash
   docker-compose up -d
   ```

3. Access the application at http://localhost:8000
The Docker setup includes:
- Alpine Linux as base image
- Python 3, Redis, and Supervisor in a single container
- Proper volume mapping for database and storage
- Environment variables for customization
- Supervisor for process management
- Log in with your credentials at http://localhost:8000
- Navigate to the desired analysis module from the sidebar
- Submit indicators (IP, domain, URL, hash, email, or file) for analysis
- Review the comprehensive results from multiple intelligence sources
- Export or share findings as needed
- Navigate to Threat > IP Analysis
- Enter an IP address (e.g., 8.8.8.8)
- Review the comprehensive threat intelligence from multiple sources
- Examine geolocation data, reputation scores, and associated infrastructure
- Navigate to Threat > Domain Reputation
- Enter a domain name (e.g., example.com)
- Review WHOIS information, SSL certificates, and reputation data
- Examine associated DNS records and infrastructure
- Navigate to Threat > URL Scan
- Enter a URL to analyze
- Review safety ratings, screenshots, and content analysis
- Examine redirect chains and associated infrastructure
- Navigate to Threat > Hash Analysis
- Enter an MD5, SHA-1, or SHA-256 hash
- Review detection ratios across antivirus engines
- Examine file metadata and malware family information
- Navigate to Threat > Email Investigation
- Upload an .eml/.msg file or paste email headers
- Review sender reputation and authentication results
- Examine attachments and links for malicious content
- Navigate to Threat > Sandbox
- Upload a suspicious file for analysis
- Review behavioral analysis results
- Examine network connections, file system changes, and registry modifications
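The general workflow above accepts an IP, domain, URL, hash or email, and each module-specific procedure expects one indicator type. The following added example (not IntelStack's own code) classifies a pasted indicator, first undoing the defanging analysts commonly apply when sharing IOCs, and maps it to the sidebar module named in the steps above; the MODULE_PATH table, the regular expressions and the check order are assumptions.

```python
import ipaddress
import re
from typing import Tuple
from urllib.parse import urlparse

# Sidebar module for each indicator type (paths taken from the steps above)
MODULE_PATH = {"ip": "Threat > IP Analysis", "domain": "Threat > Domain Reputation",
               "url": "Threat > URL Scan", "hash": "Threat > Hash Analysis",
               "email": "Threat > Email Investigation"}
HASH_TYPES = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}  # hex lengths Hash Analysis accepts
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def refang(raw: str) -> str:
    """Undo the defanging used when IOCs are shared: hxxp://, [.], (.), [@], [:]."""
    s = raw.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)
    for fanged, plain in (("[.]", "."), ("(.)", "."), ("[@]", "@"), ("[:]", ":")):
        s = s.replace(fanged, plain)
    return s


def hash_type(indicator: str) -> str:
    """Name the hash format, or 'unknown' if the length is not MD5/SHA-1/SHA-256."""
    return HASH_TYPES.get(len(indicator), "unknown") if HEX_RE.match(indicator) else "unknown"


def classify(raw: str) -> Tuple[str, str]:
    """Return (module key, normalized indicator); checks run from most to least specific."""
    s = refang(raw)
    if hash_type(s) != "unknown":
        return "hash", s.lower()
    try:
        return "ip", str(ipaddress.ip_address(s))  # IPv4 and IPv6
    except ValueError:
        pass
    m = EMAIL_RE.match(s)
    if m and DOMAIN_RE.match(m.group(1)):
        return "email", s.lower()
    if SCHEME_RE.match(s) and urlparse(s).hostname:
        return "url", s
    if DOMAIN_RE.match(s):
        return "domain", s.lower()
    return "unknown", s
```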
If you encounter Redis connection errors:

1. Ensure Redis is running:

   ```bash
   # Linux
   sudo systemctl status redis
   # Windows
   sc query redis
   ```

2. Verify Redis connection settings in your environment variables

If you encounter database errors:

1. Reset migrations:

   ```bash
   python manage.py migrate --fake-initial
   ```

2. Apply migrations again:

   ```bash
   python manage.py migrate
   ```
For full functionality, configure API keys for external services:
- Navigate to Settings > API Configuration
- Enter your API keys for the services you use
- Test the connection to ensure proper configuration
- Email: [email protected]
- Website: https://guardianvigil.io/
This project is licensed under the MIT License - see the LICENSE file for details.