Threat intelligence platform for DFIR teams, with bulk observable search and enrichment via web API
- Stars: 2k
- Forks: 318
- Open Issues: 48
License: Apache-2.0
Languages:
- Python
- Shell
- Dockerfile

About Yeti
Yeti is a forensics intelligence platform and pipeline that bridges CTI and DFIR work. It was built to answer everyday questions like where an artifact has been seen before, and how to find every IOC tied to a given threat across a timeline.
It stores technical and tactical CTI such as observables, TTPs, and campaigns from internal or external sources. You can bulk-search observables to infer the nature of a threat, or pivot from a threat to list related TTPs, malware, and DFIR artifacts. It also serves as a backend for Yara signatures, Sigma rules, and DFIQ.
A web API automates queries and enrichment so it can plug into incident management and malware sandboxes, and exports run in user-defined formats for SIEMs and other DFIR platforms. It is self-hosted, with Docker for deployment.
Key features
- Bulk search observables and infer threat context
- List related TTPs, malware, and DFIR artifacts
- Backend for Yara signatures, Sigma rules, and DFIQ
- Web API for automated queries and enrichment
- Export data in user-defined formats
Details
- First released: 2015
- Platforms: Web · Docker
- Deployment: self-hostable · docker
- Focus: CTI and DFIR workflows
- Data types: Observables, TTPs, campaigns
- Backend for: Yara · Sigma · DFIQ
