mihari

Mihari is a framework for continuous OSINT based threat hunting.

How it works

• Mihari makes a query against Shodan, Censys, VirusTotal, SecurityTrails, etc. and extracts artifacts (IP addresses, domains, URLs or hashes).
• Mihari checks whether a DB (SQLite3, PostgreSQL or MySQL) contains the artifacts or not.
  • If it doesn't contain the artifacts:
  • Mihari creates an alert on TheHive.
  • Mihari sends a notification to Slack.
  • Mihari creates an event on MISP.

Also, you can check the alerts on a built-in web app.

Supported services

Mihari supports the following services by default.

• BinaryEdge
• Censys
• CIRCL passive DNS / passive SSL
• crt.sh
• DN Pedia
• dnstwister
• Onyphe
• OTX
• PassiveTotal
• Pulsedive
• SecurityTrails
• Shodan
• Spyse
• urlscan.io
• VirusTotal
• ZoomEye

See Usage for more information.

Docs

• Requirements & Installation
• Usage
• Built-in Web App
• Configuration
• Custom Script
• Docker
• GitHub Actions

License

The gem is available as open source under the terms of the MIT License.