A comprehensive web-based platform for managing, enriching, and analyzing Indicators of Compromise (IOCs). Built for Security Operations Centers (SOCs), Computer Emergency Response Teams (CERTs), and threat intelligence teams.
- IOC Management: Create, read, update, and delete IOCs with support for multiple indicator types
- Supported IOC Types: IPv4, IPv6, Domain, URL, MD5, SHA1, SHA256, Email, and more
- Risk Classification: Severity levels (Low, Medium, High, Critical) with confidence scoring
- TLP Support: Traffic Light Protocol (WHITE, GREEN, AMBER, RED) for information sharing
- Tagging System: Organize IOCs with customizable colored tags
- IOC Expiration: Automatic TTL-based expiration with configurable policies
- Collaborative Review: Mark IOCs for review to enable collaborative editing by any user
- VirusTotal Integration: Automatic malware analysis and reputation scoring
- URLScan.io Integration: URL screenshot and analysis
- GeoIP Lookup: Geographic location data for IP addresses
- ASN Lookup: Autonomous System Number and organization information
- Caching: Intelligent caching to reduce API calls and improve performance
- IOC Relationships: Link related indicators (resolves_to, contains, communicates_with, etc.)
- Comments & Discussions: Threaded comments with @mentions and Markdown support
- YARA Rule Generation: Auto-generate YARA and YARA-X detection rules
- STIX 2.1 Export: Export IOCs in STIX format for TAXII sharing
- Audit Logging: Complete audit trail of all actions with user tracking
- Change Tracking: Track who created and last updated each IOC
- Email Reports: Automated daily and weekly reports with statistics and trends
- Dashboard: Real-time metrics and visualizations
- Search & Filter: Advanced filtering by type, severity, tags, review status, and date ranges
- Bulk Operations: Import and export IOCs (coming soon)
- Admin Panel: Centralized administration interface
- Reports Configuration: Web-based email/SMTP configuration with hot-reload
- API Key Management: Secure API key configuration (VirusTotal, URLScan.io, etc.)
- Audit Logs Viewer: Search, filter, and purge audit logs with clickable resource links
- User Management: Create, edit, and manage user accounts and permissions
- Role-Based Access Control (RBAC): Admin, User, and Viewer roles
- Multi-Factor Authentication (MFA): Optional per-user TOTP-based 2FA with QR code setup, backup codes, and rate limiting
- User Management: User registration, authentication, and session management
- Registration Control: Enable/disable public registration
- Comprehensive Audit Trail: Track all user actions, IOC changes, and system events
- Admin Audit Viewer: Advanced search and filtering of audit logs with smart resource linking
- Python 3.8+
- SQLite (default) or PostgreSQL/MySQL
- SMTP server (for email reports)
- VirusTotal API key (optional)
- URLScan.io API key (optional)
-
Clone the repository
git clone https://github.com/JMousqueton/IoCManager.git cd IoCManager -
Create virtual environment
python3 -m venv venv source venv/bin/activate # On Windows: venv\Scripts\activate
-
Install dependencies
pip install -r requirements.txt
-
Configure environment
cp .env.example .env # Edit .env with your settings (API keys, SMTP, etc.) nano .env -
Initialize database
python scripts/init_db.py
-
Download GeoIP database (optional)
python scripts/download_asn_db.py
-
Start the application
python run.py
-
Access the application
- Open browser: http://localhost:5000
- Default admin credentials:
admin/admin123(change immediately!)
Configuration can be done via:
.envfile - Edit manually for initial setup- Admin Panel (recommended) - Web-based configuration with hot-reload for:
- API keys (VirusTotal, URLScan.io)
- Email/SMTP settings
- Report recipients
Key configuration options in .env:
# Flask Configuration
SECRET_KEY=your-secret-key-here
FLASK_ENV=development
FLASK_DEBUG=True
# VirusTotal API
VIRUSTOTAL_API_KEY=your-virustotal-api-key
# URLScan.io API
URLSCAN_API_KEY=your-urlscan-api-key
# Email Reports
REPORT_ENABLED=True
DAILY_REPORT_RECIPIENTS=cert-team@example.com
WEEKLY_REPORT_RECIPIENTS=cert-team@example.com,management@example.com
# SMTP Configuration
MAIL_SERVER=smtp.gmail.com
MAIL_PORT=587
MAIL_USERNAME=your-email@example.com
MAIL_PASSWORD=your-app-password
# IOC Expiration
IOC_DEFAULT_TTL_DAYS=90
IOC_AUTO_EXPIRE_ENABLED=True
# Authentication
REGISTRATION_ENABLED=False # Disable public registrationSee .env.example for all available options.
- Navigate to Add IOC from the menu
- Select IOC type (IPv4, Domain, Hash, etc.)
- Enter the IOC value
- Set severity, confidence, and TLP level
- Add description and tags
- Click Create IOC
Click the Enrich IOC button on any IOC detail page to:
- Fetch VirusTotal analysis for hashes and URLs
- Get URLScan.io screenshots for URLs
- Lookup GeoIP data for IP addresses
- Retrieve ASN information
Link related IOCs together:
- Open an IOC detail page
- Click Add Relationship in the Related IOCs section
- Search for target IOC
- Select relationship type (resolves_to, contains, etc.)
- Add optional notes
- Open any hash-based IOC
- Click Generate YARA
- Toggle between YARA and YARA-X syntax
- Copy or download the rule
Add comments to IOCs for collaboration:
- Use Markdown formatting for rich text
- @mention users to notify them
- Reply to create threaded discussions
- Edit/Delete your own comments
Enable collaborative review for quality assurance:
- Open an IOC detail page
- Toggle the "To be reviewed" switch in the metadata section
- IOC will show a review badge in the IOC list
- Any User or Admin can now edit the IOC (not just the creator)
- After review is complete, toggle the switch again to remove review status
- All review status changes are logged in the audit trail
Enhance account security with optional TOTP-based two-factor authentication:
Enabling MFA:
- Navigate to your profile page
- Click "Enable MFA" in the Multi-Factor Authentication section
- Scan the QR code with your authenticator app (Google Authenticator, Authy, Microsoft Authenticator)
- Enter the 6-digit verification code to confirm setup
- Save your 10 backup codes in a secure location (each can only be used once)
Logging in with MFA:
- Enter your username and password as usual
- You'll be redirected to an MFA verification page
- Enter the 6-digit code from your authenticator app
- Alternatively, check "Use a backup code instead" and enter one of your backup codes
Managing MFA:
- View Backup Codes: See how many backup codes you have remaining
- Regenerate Codes: Generate new backup codes if you've used most of them (requires MFA verification)
- Disable MFA: Turn off MFA protection (requires password + current MFA code)
Security Features:
- Rate limiting: Maximum 10 failed verification attempts per 15 minutes
- Session timeout: MFA verification must be completed within 5 minutes
- Backup codes: 10 one-time use codes for device loss scenarios
- Audit logging: All MFA events (enable, disable, login attempts) are logged
- Admin visibility: Admins can see which users have MFA enabled
Note: MFA is optional and configured per-user. Existing users are not affected when MFA is added to the system.
Access comprehensive administration features:
API Keys Tab:
- Configure VirusTotal API key
- Configure URLScan.io API key
- Hot-reload configuration without restart
Reports Tab:
- Configure SMTP server settings (server, port, TLS/SSL)
- Set email credentials
- Configure report recipients (daily/weekly)
- Enable/disable automated reports
- Changes apply immediately without restart
Audit Logs Tab:
- Search and filter audit logs by:
- Resource type (IOC, User, Tag, Configuration, Comment)
- Action (CREATE, UPDATE, DELETE, LOGIN, ENRICH, EXPORT, SEARCH)
- User
- Date range
- Smart filtering: Selecting "IOC" includes IOC, IOCRelationship, and Comment entries
- Click on resources to view details (opens in new tab)
- Purge logs older than 30 days
Users Tab:
- Create, edit, and delete user accounts
- Assign roles (Admin, User, Viewer)
- Activate/deactivate accounts
- View user statistics (IOCs created, audit logs)
Configure automated reports in .env:
REPORT_ENABLED=True
DAILY_REPORT_RECIPIENTS=team@example.com
WEEKLY_REPORT_RECIPIENTS=team@example.com,management@example.comSchedule with cron:
# Daily report at 8 AM
0 8 * * * cd /path/to/IoCManager && /path/to/venv/bin/python scripts/send_daily_report.py
# Weekly report at 8 AM every Monday
0 8 * * 1 cd /path/to/IoCManager && /path/to/venv/bin/python scripts/send_weekly_report.pyAutomatically expire old IOCs:
# Configure in .env
IOC_DEFAULT_TTL_DAYS=90
IOC_AUTO_EXPIRE_ENABLED=True
# Schedule expiration check
0 2 * * * cd /path/to/IoCManager && /path/to/venv/bin/python scripts/expire_iocs.pyComprehensive audit trail for compliance and forensics:
What's Logged:
- User authentication (LOGIN, LOGOUT)
- IOC operations (CREATE, UPDATE, DELETE, ENRICH, EXPORT)
- User management (CREATE, UPDATE, DELETE users)
- Configuration changes (API keys, email settings)
- Comment activity
- Review status changes
Audit Log Features:
- Smart Filtering: Filter by resource type, action, user, and date range
- Resource Linking: Click on IOCs, users, or comments to view details
- Automatic Purge: Remove logs older than 30 days to manage database size
- Export Capability: Generate compliance reports from audit data
Accessing Audit Logs (Admin only):
- Navigate to Admin β Audit Logs
- Use filters to find specific events
- Click on resources for detailed view
- Use purge button to clean old logs
Export IOCs for TAXII sharing:
- Navigate to IOC detail page
- Click Export STIX
- Download STIX 2.1 JSON bundle
| Role | Permissions |
|---|---|
| Admin | Full access: manage users, delete any content, access admin panel, configure system settings |
| User | Create, edit own IOCs and comments, edit IOCs marked for review |
| Viewer | Read-only access to IOCs and comments |
IOCs can be marked for collaborative review, allowing any User or Admin to edit them regardless of who created them. This feature enables:
- Quality Assurance: Team members can review and improve IOCs
- Collaborative Enrichment: Multiple analysts can contribute to IOC details
- Badge Visibility: IOCs marked for review show a clear badge in the IOC list
- Audit Tracking: All review status changes are logged in the audit trail
The dashboard provides:
- Total IOCs count
- Active vs. Inactive indicators
- Severity distribution
- Recently added IOCs
- Enrichment statistics
- User activity
- CSRF Protection: All forms protected with CSRF tokens
- Session Management: Secure session handling with configurable timeouts
- Password Hashing: Werkzeug password hashing (bcrypt)
- SQL Injection Prevention: SQLAlchemy ORM with parameterized queries
- XSS Prevention: Markdown sanitization with Bleach
- Multi-Factor Authentication (MFA): Optional per-user TOTP-based 2FA:
- QR code setup with standard authenticator apps (Google Authenticator, Authy, Microsoft Authenticator)
- 10 one-time backup recovery codes per user
- Rate limiting to prevent brute force attacks (10 attempts per 15 minutes)
- Encrypted secret storage using Fernet symmetric encryption
- Backup codes hashed with bcrypt (same as passwords)
- Complete audit trail of MFA events (enable, disable, login attempts)
- Admin visibility of MFA status for all users
- Comprehensive Audit Logging: Complete audit trail tracking:
- User actions (CREATE, UPDATE, DELETE, LOGIN, LOGOUT)
- IOC operations (create, edit, enrich, export, review status changes)
- User management operations
- Configuration changes
- Searchable audit log viewer with smart filtering and resource linking
IoCManager/
βββ app/
β βββ __init__.py # Flask app factory
β βββ config.py # Configuration
β βββ models/ # Database models
β β βββ ioc.py
β β βββ user.py
β β βββ comment.py
β β βββ ...
β βββ routes/ # Flask blueprints
β β βββ ioc.py
β β βββ auth.py
β β βββ comment.py
β β βββ ...
β βββ services/ # Business logic
β β βββ virustotal.py
β β βββ urlscan.py
β β βββ yara_generator.py
β β βββ report_generator.py
β βββ utils/ # Utilities
β β βββ markdown.py
β βββ templates/ # Jinja2 templates
βββ scripts/ # Management scripts
β βββ init_db.py
β βββ download_asn_db.py
β βββ send_daily_report.py
β βββ send_weekly_report.py
β βββ expire_iocs.py
βββ instance/ # Instance-specific files
βββ .env # Environment variables
βββ requirements.txt # Python dependencies
βββ run.py # Application entry point
export FLASK_ENV=development
export FLASK_DEBUG=True
python run.pycomming soon...
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
- Follow PEP 8 style guide
- Write docstrings for functions and classes
- Add tests for new features
- Update documentation as needed
Issue: Email reports not sending
- Solution: Check SMTP settings in
.env, verifyREPORT_ENABLED=True
Issue: VirusTotal enrichment failing
- Solution: Verify API key, check rate limits (4 requests/minute for free tier)
Issue: Database errors or missing columns
- Solution: Run migration scripts:
python scripts/migrate_add_updated_by.py python scripts/migrate_add_expiration.py
Issue: Permission denied errors
- Solution: Ensure scripts are executable:
chmod +x scripts/*.py
This project is licensed under the MIT License - see the LICENSE file for details.
- Flask - Web framework
- Bootstrap 5 - UI framework
- VirusTotal - Malware analysis
- URLScan.io - URL analysis
- MaxMind - GeoIP data
- YARA - Malware detection rules
- STIX - Threat intelligence format
- Project Link: https://github.com/JMousqueton/IoCManager
- Issues: https://github.com/JMousqueton/IoCManager/issues
- Documentation: https://github.com/JMousqueton/IoCManager/wiki
Give a βοΈ if this project helped you!
Built with β€οΈ for the cybersecurity community
