Share
## https://sploitus.com/exploit?id=C33A0947-5FAE-5E3D-B31E-428A5B024A4A
# watchpost

Local threat intelligence database. Aggregates data from MISP feeds, vendor security blogs, open threat actor catalogs, dark web intel, and exploited CVEs into a local MongoDB instance. Everything runs locally โ€” no cloud services, no API keys, no accounts needed.

## What it does

- **MISP feeds** โ€” syncs events from 5 free MISP-native feeds (abuse.ch, CIRCL, Botvrij.eu)
- **Threat reports** โ€” fetches RSS from 12 vendor blogs (Mandiant, CrowdStrike, Talos, etc.), extracts structured threat intel via a local LLM (Ollama)
- **Threat actors** โ€” merges actor data from 5 open sources (MISP Galaxy, MITRE ATT&CK, Malpedia, ThaiCERT, GapMATRIX) using union-find on overlapping aliases
- **Dark web intel** โ€” parses deepdarkCTI for ransomware gangs, forums, markets, Telegram/Twitter actors
- **Exploited CVEs** โ€” tracks commonly exploited vulnerabilities with PoC links and actor cross-references

All data lands in MongoDB with full-text indexes for fast querying.

## Quick start

```bash
git clone https://github.com/JonasColmsjo/watchpost.git
cd watchpost
just setup          # install MongoDB, Python, tools (no root needed)
just db start       # start local MongoDB
just sync           # pull everything (skip threat reports if no Ollama)
just status         # dashboard
```

## Requirements

- Linux (Debian 12 / Kali tested, other distros should work)
- [just](https://github.com/casey/just) command runner (installed by `just setup`)
- ~2 GB disk for the database
- **Optional**: [Ollama](https://ollama.ai) with a ~8B parameter model for threat report extraction

## Commands

```
just setup                    Install all prerequisites via Ansible
just status                   Dashboard: processes, DB stats, sync progress
just sync                     Sync all data sources

just db start                 Start local MongoDB
just db stop                  Stop MongoDB
just db status                Show all databases with sizes
just db shell misp            Open mongosh on misp database
just db export                Full database dump (gzip compressed)
just db restore          Restore from a previous export

just misp sync                Sync MISP feed events
just misp status              Per-feed stats: event counts, date range
just misp recent 7d           Events published in the last 7 days
just misp query "APT28"       Search events by keyword

just reports sync             Fetch vendor blog RSS, extract intel via LLM
just reports status           Report collection stats + top actors
just reports search "APT28"   Search by actor, TTP, malware, CVE
just reports list             List 20 most recent reports

just actors sync              Download & merge actor catalogs
just actors search "APT28"    Search by name, alias, country, MITRE ID
just actors show "APT28"      Full detail view for one actor
just actors profile SE        Full threat profile for a region

just darkweb sync             Clone deepdarkCTI, parse all, update DB
just darkweb gangs --online   List online ransomware gangs
just darkweb forums --online  List online forums/markets

just cves status              Exploited CVE stats
just cves show CVE-2024-21762 Full CVE detail with cross-refs
```

## Threat report extraction

The `just reports sync` command fetches articles from vendor security blogs and uses a local LLM (via Ollama) to extract structured threat intelligence: actors, TTPs, targeted industries/regions, malware, tools, and CVEs.

By default, Ollama is expected to be running locally on port 11434. If Ollama runs on a remote host accessible via SSH:

```bash
export OLLAMA_SSH_HOST=myserver   # SSH hostname where Ollama runs
just reports sync
```

## Data sources

| Source                | Type            | What you get                                    |
|-----------------------|-----------------|-------------------------------------------------|
| abuse.ch (3 feeds)    | MISP events     | Malware IOCs, distribution URLs, sample hashes  |
| CIRCL OSINT           | MISP events     | Curated APT/campaign analysis                   |
| Botvrij.eu            | MISP events     | European threat intel                           |
| 12 vendor blogs       | RSS + LLM       | Structured threat reports with actor attribution |
| MISP Galaxy           | Actor catalog   | 940+ actors with aliases, motivation, targets   |
| MITRE ATT&CK          | Actor catalog   | 170+ actors with techniques, software           |
| Malpedia              | Actor catalog   | 940+ actors with country attribution            |
| ThaiCERT ETDA         | Actor catalog   | 500+ actors, independent attribution            |
| GapMATRIX             | Actor catalog   | 470+ actors with techniques, CVEs               |
| deepdarkCTI           | Dark web intel  | Ransomware gangs, forums, markets, Telegram     |

## License

MIT