IntelStack is an advanced threat intelligence and security analysis platform by GuardianVigil that empowers security teams with comprehensive threat detection, analysis, and response capabilities.
Features • Installation • Usage • Docker • Troubleshooting • Contact
IntelStack is a powerful security operations platform that integrates multiple threat intelligence sources and analysis tools into a unified interface. The platform provides security analysts with comprehensive capabilities for threat detection, investigation, and response.
- Multi-source IP reputation checking
- Geolocation data with visual mapping
- Historical threat intelligence data
- Network infrastructure insights
- Comprehensive threat scoring
- Integration with VirusTotal, AbuseIPDB, and other threat intelligence platforms
- Domain reputation scoring across multiple platforms
- WHOIS information retrieval
- SSL certificate analysis
- Associated infrastructure mapping
- DNS record analysis and history
- Integration with VirusTotal, AlienVault, Pulsedive, and SecurityTrails
- URL safety verification
- Phishing detection
- Malicious content identification
- Screenshot capture and analysis
- Redirect chain analysis
- Integration with VirusTotal, URLScan.io, and Hybrid Analysis
- File hash reputation checking
- Malware family identification
- Detection ratio across antivirus engines
- File metadata extraction
- YARA rule matching
- Support for MD5, SHA-1, and SHA-256 hash formats
- Email header analysis
- Attachment scanning
- Sender reputation checking
- Phishing indicators detection
- SPF, DKIM, and DMARC validation
- Support for .eml and .msg file formats
- Secure file detonation environment
- Behavioral analysis of suspicious files
- Network traffic monitoring
- Registry and file system changes tracking
- MITRE ATT&CK mapping of observed behaviors
- Support for multiple file types (executables, documents, scripts, archives)
- Comprehensive tactics and techniques reference
- Threat actor group profiles
- Technique relationships and dependencies
- Mitigation recommendations
- Interactive ATT&CK matrix
- Support for Enterprise, Mobile, and ICS frameworks
- IOC search across your environment
- Custom query builders
- Saved hunt templates
- Scheduled hunts with alerting
- Historical hunt results
- Threat intelligence feed aggregation
- Indicator management and enrichment
- Custom intelligence source integration
- Automated indicator scoring
- Intelligence sharing capabilities
- Customizable analysis workflows
- Automated enrichment of indicators
- Playbook-based response actions
- Integration with ticketing systems
- Alert triage automation
- Support for major threat intelligence platforms
- SIEM integration capabilities
- Endpoint security tool connections
- Custom API integrations
- Webhook support for notifications
- Python 3.8+
- Redis Server 6.0+
- Modern web browser (Chrome, Firefox, Edge recommended)
- Clone the repository:

  ```bash
  git clone https://github.com/GuardianVigil/IntelStack.git
  cd IntelStack
  ```

- Run the setup script:

  ```bash
  python setup.py
  ```

  This will:
  - Create a virtual environment
  - Install all required dependencies
  - Set up the database
  - Create a superuser account

- Start the application:

  ```bash
  python run.py
  ```

- Access the application at http://localhost:8000
The following environment variables can be configured:

```
DEBUG=True
SECRET_KEY=your-secret-key
ALLOWED_HOSTS=localhost,127.0.0.1
REDIS_HOST=localhost
REDIS_PORT=6379
REDIS_DB=0
```
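The defaults above are development settings; a pre-start check that flags them before an instance is exposed beyond localhost is shown here as an added example, not part of IntelStack itself. It assumes the usual meaning of these keys (DEBUG exposes tracebacks on error pages, ALLOWED_HOSTS is the Host-header allow-list, as in Django-style settings, which the manage.py commands below suggest); the hostname in the hardened sample is a constructed placeholder.

```python
import secrets

# Constructed sample: the README's documented defaults as a .env-style fragment.
SAMPLE_ENV = """DEBUG=True
SECRET_KEY=your-secret-key
ALLOWED_HOSTS=localhost,127.0.0.1
REDIS_HOST=localhost
REDIS_PORT=6379
REDIS_DB=0
"""

# Constructed hardened counterpart: debug off, random key, pinned placeholder hostname.
HARDENED_ENV = (
    "DEBUG=False\n"
    f"SECRET_KEY={secrets.token_urlsafe(48)}\n"
    "ALLOWED_HOSTS=intelstack.example.internal\n"
    "REDIS_HOST=redis\nREDIS_PORT=6379\nREDIS_DB=0\n"
)

PLACEHOLDER_KEYS = {"", "your-secret-key", "changeme"}

def parse_env(text):
    """Parse KEY=VALUE lines; blank lines and # comments are ignored."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env

def audit_env(env):
    """Return findings for settings that are unsafe outside local development."""
    findings = []
    if env.get("DEBUG", "False").lower() in ("1", "true", "yes"):
        findings.append("DEBUG is on: error pages expose tracebacks and settings")
    secret = env.get("SECRET_KEY", "")
    if secret in PLACEHOLDER_KEYS or len(secret) < 50 or len(set(secret)) < 8:
        findings.append("SECRET_KEY is a placeholder, short, or low-entropy")
    hosts = [h.strip() for h in env.get("ALLOWED_HOSTS", "").split(",") if h.strip()]
    if not hosts or "*" in hosts:
        findings.append("ALLOWED_HOSTS is empty or a wildcard; pin it to served hostnames")
    port = env.get("REDIS_PORT", "")
    if not port.isdigit() or not 0 < int(port) < 65536:
        findings.append(f"REDIS_PORT {port!r} is not a valid TCP port")
    if not env.get("REDIS_DB", "0").isdigit():
        findings.append("REDIS_DB must be a non-negative integer")
    return findings
```

Run `audit_env(parse_env(SAMPLE_ENV))` before `python run.py`; the documented defaults yield two findings (DEBUG and SECRET_KEY), the hardened fragment none.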
IntelStack can be easily deployed using Docker: https://hub.docker.com/r/guardianvigil/intelstack

- Make sure Docker and Docker Compose are installed on your system

- Build and start the containers:

  ```bash
  docker-compose up -d
  ```

- Access the application at http://localhost:8000
The Docker setup includes:
- Alpine Linux as base image
- Python 3, Redis, and Supervisor in a single container
- Proper volume mapping for database and storage
- Environment variables for customization
- Supervisor for process management
- Log in with your credentials at http://localhost:8000
- Navigate to the desired analysis module from the sidebar
- Submit indicators (IP, domain, URL, hash, email, or file) for analysis
- Review the comprehensive results from multiple intelligence sources
- Export or share findings as needed
- Navigate to Threat > IP Analysis
- Enter an IP address (e.g., 8.8.8.8)
- Review the comprehensive threat intelligence from multiple sources
- Examine geolocation data, reputation scores, and associated infrastructure
- Navigate to Threat > Domain Reputation
- Enter a domain name (e.g., example.com)
- Review WHOIS information, SSL certificates, and reputation data
- Examine associated DNS records and infrastructure
- Navigate to Threat > URL Scan
- Enter a URL to analyze
- Review safety ratings, screenshots, and content analysis
- Examine redirect chains and associated infrastructure
- Navigate to Threat > Hash Analysis
- Enter an MD5, SHA-1, or SHA-256 hash
- Review detection ratios across antivirus engines
- Examine file metadata and malware family information
- Navigate to Threat > Email Investigation
- Upload an .eml/.msg file or paste email headers
- Review sender reputation and authentication results
- Examine attachments and links for malicious content
- Navigate to Threat > Sandbox
- Upload a suspicious file for analysis
- Review behavioral analysis results
- Examine network connections, file system changes, and registry modifications
If you encounter Redis connection errors:

- Ensure Redis is running:

  ```
  # Linux
  sudo systemctl status redis
  # Windows
  sc query redis
  ```

- Verify Redis connection settings in your environment variables

If you encounter database errors:

- Reset migrations:

  ```bash
  python manage.py migrate --fake-initial
  ```

- Apply migrations again:

  ```bash
  python manage.py migrate
  ```
For full functionality, configure API keys for external services:
- Navigate to Settings > API Configuration
- Enter your API keys for the services you use
- Test the connection to ensure proper configuration
- Email: intelstack@guardianvigil.io
- Website: https://guardianvigil.io/
This project is licensed under the MIT License - see the LICENSE file for details.