ThePhish : Open Source Automated Analysis & Detection Platform Demo Video
CORRECTION: After I did the Video, no retries, caught a slight error. TheHive and Cortex MISP entries in some files were not "LOCALHOST" they were the hostname of the docker container only reached within the Docker Network. "THEHIVE" and "CORTEX" & MISP respectively. You get the point though. :)
I had a little fun creating a short demo video of "ThePhish", an Open Source brilliant project that utilizes TheHive, Cortex, and MISP along with some brilliant Python code to make it magical! All packages are in a nice and convienient docker container stack.
Now, I did have to do some coding changes/hacks, as it natively really only works out of the box on the same box/pc as "LOCALHOST". You cannot get it to reach the separate docker containers for TheHive, Cortex and MISP properly, and have to modify a number of files. I even had to modify the index.html, which is the official start page of the ThePhish. I go over some of this quick in the demo.
We use this as a second source of truth, and fully automated way to help other techs and even more experienced users have a quick, simple and automated way to analyze either a quarantined phishing email. Where lets say the user swears its legit, and you just want to quickly extract, and then scan a ton of embedded Observables in the .EML file, against many a 3rd party platforms via the cortex connectors.
Not everybody wants to dig in to the details. This is a great simple way. The user saves a .EML file from their Email Security Platform, or directly from outlook or other email client. Attach it to an email, send it to your dedicated GMAIL address in this case. ThePhish is configured to use GMAIL's app password feature, and checks the newest email submissions and strips the .EML attachment and starts analyzing it.
When the analysis starts, it emails a notification it has started. Then you can watch it live in the main page feed, or head over to TheHive to see really detailed results as it comes in.
When its done, it emails a final verdict and emails a response back. "Safe", "Suspicious" or "Malicious / True Positive".
Enjoy the video, and let me know what you think!