CABTA (Blue Team Assistant) - AI-Powered SOC Platform for Threat Analysis, IOC Investigation & Email Forensics
CABTA - Cyan Agent Blue Team Assistant
AI-Powered SOC Platform for Threat Analysis, IOC Investigation & Email Forensics
CABTA is a comprehensive, local-first security analysis platform designed for SOC analysts, incident responders, and threat hunters. It features a modern web dashboard, 20+ threat intelligence sources, advanced malware analysis, email forensics, and AI-powered investigation with local LLM support via Ollama.
Screenshots
[Screenshot images not included here; panels shown in the original: Dashboard, Settings, File Analysis, Email Forensics, IOC Investigation, Email Analysis Result]
Features
Core Platform
| Feature | Description |
|---------|-------------|
| Web Dashboard | Modern dark-themed SOC dashboard with real-time stats, charts, and quick actions |
| Multi-Source Threat Intelligence | 20+ integrated sources: VirusTotal, Shodan, AbuseIPDB, AlienVault OTX, GreyNoise, and 15 free OSINT feeds |
| Advanced Malware Analysis | PE/ELF/Mach-O/APK/Office/PDF/Script/Archive analysis with deep inspection |
| Email Forensics | SPF/DKIM/DMARC validation, BEC detection, phishing scoring, relay chain analysis |
| IOC Investigation | IP, domain, URL, hash, email, CVE lookup across all TI sources with DGA and domain age detection |
| AI-Powered Analysis | Local LLM via Ollama for threat summarization and context-aware verdicts |
| Detection Rule Generation | Auto-generated KQL, Splunk SPL, Sigma, YARA, Snort, FortiMail, Proofpoint, Mimecast rules |
| Case Management | Track investigations, link analyses, add notes |
| STIX 2.1 Export | Export IOCs as STIX bundles with TLP marking |
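The Email Forensics row above combines two checks: reading the SPF/DKIM/DMARC outcome that the receiving MTA recorded in the Authentication-Results header, and scoring the message body for BEC-style urgency, financial and impersonation language. The following example is added here to show how those two signals can be correlated into one evidence-backed score; it is not CABTA's own code. The pattern lists, weights, thresholds and the sample message are illustrative assumptions.

```python
"""Added example (not CABTA's own code): parse an Authentication-Results
header (SPF/DKIM/DMARC) and correlate authentication failures with
BEC-style content patterns. Pattern lists, weights and thresholds are
illustrative assumptions; the sample message below is constructed."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample: spoofed executive, free-mail Reply-To, failed authentication.
SAMPLE_EMAIL = """\
From: "CEO Jane Doe" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@freemail.example
To: finance@example.com
Subject: Urgent wire transfer needed today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e-corp.com;
 dkim=none; dmarc=fail header.from=examp1e-corp.com
Content-Type: text/plain

Hi, I am in a meeting and cannot talk. Please process an urgent wire transfer
of $48,500 to the new vendor account before end of day. Keep this confidential.
"""

# Illustrative BEC pattern groups (assumed, not CABTA's lists).
URGENCY = [r"\burgent(ly)?\b", r"\bbefore end of day\b", r"\bimmediately\b", r"\basap\b"]
FINANCIAL = [r"\bwire transfer\b", r"\bgift cards?\b", r"\binvoice\b", r"\b(bank|vendor) account\b"]
IMPERSONATION = [r"\bceo\b", r"\bcfo\b", r"\bin a meeting\b", r"\bcannot talk\b"]


def parse_auth_results(header: str) -> dict:
    """Extract method=result for spf, dkim and dmarc (RFC 8601 style).
    A method missing from the header is reported as 'none'."""
    flat = " ".join(header.split())  # unfold continuation lines
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=([a-z]+)", flat, re.IGNORECASE)
        results[method] = m.group(1).lower() if m else "none"
    return results


def _plain_text(msg: Message) -> str:
    """Collect the text/plain parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _domain(address: str) -> str:
    return parseaddr(address)[1].rpartition("@")[2].lower()


def _count_hits(text: str, patterns: list) -> int:
    return sum(1 for p in patterns if re.search(p, text, re.IGNORECASE))


def analyze_bec(raw_message: str) -> dict:
    """Score a raw RFC 5322 message for BEC indicators (0-100) with evidence."""
    msg = message_from_string(raw_message)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = _domain(msg.get("Reply-To", "")) if msg.get("Reply-To") else ""
    # Display name is included so "CEO"-style impersonation in From is caught.
    text = "\n".join([msg.get("Subject", ""), from_name, _plain_text(msg)])

    hits = {
        "urgency": _count_hits(text, URGENCY),
        "financial": _count_hits(text, FINANCIAL),
        "impersonation": _count_hits(text, IMPERSONATION),
    }
    evidence = [f"{k}: {v} pattern(s)" for k, v in hits.items() if v]
    score = hits["urgency"] * 5 + hits["financial"] * 10 + hits["impersonation"] * 5

    # Correlate content signals with header and authentication results.
    if reply_domain and reply_domain != from_domain:
        score += 15
        evidence.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if auth["dmarc"] == "fail":
        score += 20
        evidence.append("DMARC failed for the From domain")
    if auth["spf"] == "fail":
        score += 10
        evidence.append("SPF failed for the envelope sender")
    if auth["dkim"] != "pass":
        score += 5
        evidence.append(f"DKIM result is {auth['dkim']}")

    score = min(score, 100)
    verdict = "likely BEC" if score >= 70 else "suspicious" if score >= 40 else "benign"
    return {"score": score, "verdict": verdict, "auth": auth, "evidence": evidence}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_bec(SAMPLE_EMAIL), indent=2))
```

The returned `evidence` list is what makes the verdict reviewable: each weight corresponds to a concrete observation (a failed DMARC check, a Reply-To domain that differs from From, a matched urgency phrase) rather than a single opaque number.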
v2.0 New Capabilities
| Feature | Description |
|---------|-------------|
| Ransomware Detection | Crypto constant scanning, ransom note detection, Bitcoin/Onion extraction, VSS deletion detection |
| PE Deep Inspection | TLS callbacks, PDB path analysis, Rich header validation, resource analysis, entry point anomalies |
| Cobalt Strike Beacon Extraction | XOR brute-force decryption, TLV config parsing, C2 server extraction |
| Memory Forensics | Volatility 3 integration for process analysis, code injection, network connections |
| BEC Detection | Business Email Compromise: urgency/financial/impersonation patterns, auth failure correlation |
| Email Threat Indicators | Tracking pixels, HTML forms, URL shorteners, data URIs, callback phishing (BazarCall) |
| Text File Analysis | C2 config detection, credential indicators, encoded content analysis |
| Threat Actor Profiling | 20 APT/cybercrime group database with MITRE technique matching |
| APK Risk Scoring | Dangerous permission mapping, suspicious API detection, obfuscation analysis, MITRE Mobile ATT&CK |
| DGA Detection | 7-heuristic algorithm: entropy, consonant ratio, bigram/trigram frequency, dictionary matching |
| Domain Age Checking | WHOIS-based newly registered domain detection with risk scoring |
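The DGA Detection row lists the kind of heuristics (entropy, consonant ratio, bigram frequency, dictionary matching) that separate algorithmically generated labels from human-chosen ones. The example below is added here to show a seven-heuristic scorer of that shape in working code; it is not CABTA's implementation. The thresholds, the small benign corpus used to learn "normal" bigrams, the mini dictionary and the sample domains are all constructed assumptions, and the public-suffix handling is simplified to the second-level label.

```python
"""Added example (not CABTA's own code): a seven-heuristic DGA scorer in the
spirit of the feature table. Thresholds, the benign bigram corpus, the
dictionary and the sample domains are constructed for illustration."""
import math
from collections import Counter

VOWELS = set("aeiou")

# Constructed benign corpus used to learn which letter bigrams are "normal".
BENIGN_CORPUS = ["google", "facebook", "amazon", "wikipedia", "youtube", "twitter",
                 "linkedin", "netflix", "github", "reddit", "microsoft", "apple",
                 "office", "mail", "login"]
KNOWN_BIGRAMS = {w[i:i + 2] for w in BENIGN_CORPUS for i in range(len(w) - 1)}

# Constructed mini dictionary for word-coverage checks.
DICTIONARY = {"micro", "soft", "mail", "secure", "login", "bank", "update",
              "cloud", "service", "news", "shop", "portal", "account", "support",
              "web", "online", "data", "net", "host"}


def registrable_label(domain: str) -> str:
    """Second-level label of a domain (simplified: no public-suffix list)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def consonant_ratio(s: str) -> float:
    letters = [ch for ch in s if ch.isalpha()]
    return sum(1 for ch in letters if ch not in VOWELS) / len(letters) if letters else 0.0


def longest_consonant_run(s: str) -> int:
    """Longest run of consecutive consonants; digits and vowels break a run."""
    best = run = 0
    for ch in s:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best


def digit_ratio(s: str) -> float:
    return sum(ch.isdigit() for ch in s) / len(s) if s else 0.0


def bigram_rarity(s: str) -> float:
    """Fraction of the label's bigrams never seen in the benign corpus."""
    bigrams = [s[i:i + 2] for i in range(len(s) - 1)]
    return sum(1 for b in bigrams if b not in KNOWN_BIGRAMS) / len(bigrams) if bigrams else 0.0


def dictionary_coverage(s: str) -> float:
    """Fraction of characters covered by greedy longest-match dictionary words."""
    covered = i = 0
    while i < len(s):
        best = max((len(w) for w in DICTIONARY if s.startswith(w, i)), default=0)
        covered += best
        i += best or 1
    return covered / len(s) if s else 0.0


def dga_score(domain: str) -> dict:
    """Return the fired heuristics, an integer score (0-7) and a verdict."""
    label = registrable_label(domain)
    heuristics = {
        "high_entropy": shannon_entropy(label) >= 3.3,
        "consonant_heavy": consonant_ratio(label) > 0.75,
        "long_consonant_run": longest_consonant_run(label) >= 4,
        "digit_heavy": digit_ratio(label) >= 0.25,
        "rare_bigrams": bigram_rarity(label) > 0.5,
        "no_dictionary_words": dictionary_coverage(label) < 0.3,
        "long_label": len(label) >= 12,
    }
    score = sum(heuristics.values())
    verdict = "likely DGA" if score >= 5 else "suspicious" if score >= 3 else "benign"
    return {"domain": domain, "label": label, "score": score, "verdict": verdict,
            "fired": [name for name, fired in heuristics.items() if fired]}


if __name__ == "__main__":
    # Constructed sample domains: a known brand, a digit-heavy label, a random-looking label.
    for d in ("www.microsoft.com", "a1b2c3d4e5.com", "xkqzvbtwpaqmr.net"):
        print(dga_score(d))
```

Returning the list of fired heuristics alongside the score is what lets an analyst see why a domain was flagged, and it makes threshold tuning against a real benign corpus straightforward: each heuristic can be evaluated for false positives on its own.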
Key Differentiators
- Zero Cloud Dependency: All analysis runs locally with Ollama - no data leaves your network
- Analyst-Grade Output: Shows WHY something is malicious with detailed evidence and MITRE mapping
- Production-Grade Scoring: Multi-source weighted composite scoring with confidence levels
- Real-Time Investigation: Async operations for fast multi-source lookups
- 15 Free Intelligence Sources: Works without any API keys using free OSINT feeds
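"Multi-source weighted composite scoring with confidence levels" means normalizing each source's answer onto one scale, weighting by how much each source is trusted, and reporting how many sources answered and how well they agree. The example below is added to show one such scheme in working code; it is not CABTA's scoring engine. The source weights, the normalizers, the verdict bands and the sample lookups are constructed assumptions.

```python
"""Added example (not CABTA's own code): weighted composite scoring across
several threat-intel sources with a confidence level. Weights, verdict
bands and the sample lookups are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Assumed per-source reliability weights (0-1); sources not listed get 0.5.
SOURCE_WEIGHTS = {"virustotal": 1.0, "abuseipdb": 0.8, "greynoise": 0.7, "urlhaus": 0.9}


@dataclass
class SourceResult:
    source: str
    score: Optional[float]  # 0-100 maliciousness; None when the source had no data
    detail: str = ""


def from_virustotal(malicious: int, total_engines: int) -> SourceResult:
    """Normalize an engine detection ratio onto the 0-100 scale."""
    if total_engines <= 0:
        return SourceResult("virustotal", None, "no engines reported")
    return SourceResult("virustotal", 100.0 * malicious / total_engines,
                        f"{malicious}/{total_engines} engines")


def from_abuseipdb(confidence: int) -> SourceResult:
    """AbuseIPDB already reports a 0-100 abuse confidence score."""
    return SourceResult("abuseipdb", float(confidence), f"abuse confidence {confidence}")


def from_greynoise(classification: str) -> SourceResult:
    """Map a categorical classification onto the scale; 'unknown' yields no data."""
    mapping = {"malicious": 100.0, "benign": 0.0}
    return SourceResult("greynoise", mapping.get(classification), f"classification {classification}")


def composite_score(results: list) -> dict:
    """Weighted mean of the sources that returned data, plus a confidence level
    derived from how many sources answered and how far apart they are."""
    answered = [r for r in results if r.score is not None]
    if not answered:
        return {"score": 0, "confidence": "none", "verdict": "unknown", "sources": 0, "evidence": []}
    weights = [SOURCE_WEIGHTS.get(r.source, 0.5) for r in answered]
    score = round(sum(w * r.score for w, r in zip(weights, answered)) / sum(weights))
    spread = max(r.score for r in answered) - min(r.score for r in answered)
    if len(answered) >= 3 and spread <= 30:
        confidence = "high"      # several sources, broadly agreeing
    elif len(answered) >= 2:
        confidence = "medium"    # corroborated, but few sources or they disagree
    else:
        confidence = "low"       # a single source is never high confidence
    verdict = "malicious" if score >= 70 else "suspicious" if score >= 40 else "clean"
    return {"score": score, "confidence": confidence, "verdict": verdict,
            "sources": len(answered), "evidence": [f"{r.source}: {r.detail}" for r in answered]}


# Constructed lookups for one IOC: VT 45/72, AbuseIPDB 90, GreyNoise malicious, URLhaus not listed.
SAMPLE_RESULTS = [from_virustotal(45, 72), from_abuseipdb(90), from_greynoise("malicious"),
                  SourceResult("urlhaus", None, "not listed")]

if __name__ == "__main__":
    print(composite_score(SAMPLE_RESULTS))
```

Sources that return no data are excluded from the mean rather than counted as zero, so an IOC absent from one feed does not dilute a strong signal from the others; the separate confidence level then tells the analyst how much corroboration sits behind the number.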
Architecture
```text
+----------------------------------------------------------------------+
|                              CABTA v2.0                              |
+----------------------------------------------------------------------+
|                                                                      |
|  +------------------+  +------------------+  +------------------+    |
|  |  Web Dashboard   |  |   Agent Chat     |  |    REST API      |    |
|  |  (FastAPI +      |  |  (AI-powered     |  |  /api/analysis   |    |
|  |   Jinja2)        |  |   investigation) |  |  /api/reports    |    |
|  +--------+---------+  +--------+---------+  +--------+---------+    |
|           |                     |                     |              |
|           +---------------------+---------------------+              |
|                                 |                                    |
|  +----------------------------------------------------------------+  |
|  |                          TOOLS LAYER                           |  |
|  | +--------------+  +--------------+  +------------------------+ |  |
|  | |   Malware    |  |    Email     |  |    IOC Investigator    | |  |
|  | |   Analyzer   |  |   Analyzer   |  |  (IP/Domain/URL/Hash)  | |  |
|  | +--------------+  +--------------+  +------------------------+ |  |
|  +----------------------------------------------------------------+  |
|                                 |                                    |
|  +----------------------------------------------------------------+  |
|  |                        ANALYZERS LAYER                         |  |
|  |  +-------+ +-------+ +-------+ +-------+ +-------+ +-------+   |  |
|  |  |  PE   | |  ELF  | |Office | |  PDF  | |Script | |  APK  |   |  |
|  |  +-------+ +-------+ +-------+ +-------+ +-------+ +-------+   |  |
|  |  +-------+ +-------+ +-------+ +-------+ +-------+ +-------+   |  |
|  |  |Ransom | |Beacon | |Memory | | Text  | |Archive| |  BEC  |   |  |
|  |  | ware  | |Config | |Foren. | |Analyz | |       | |Detect |   |  |
|  |  +-------+ +-------+ +-------+ +-------+ +-------+ +-------+   |  |
|  +----------------------------------------------------------------+  |
|                                 |                                    |
|  +----------------------------------------------------------------+  |
|  |                       INTEGRATIONS LAYER                       |  |
|  |  +-----------------+ +------------------+ +-----------------+  |  |
|  |  |  Threat Intel   | |  LLM Analyzer    | | STIX Generator  |  |  |
|  |  |  (20+ sources)  | |  (Ollama/Cloud)  | |   (STIX 2.1)    |  |  |
|  |  +-----------------+ +------------------+ +-----------------+  |  |
|  |  +-----------------+ +------------------+ +-----------------+  |  |
|  |  |  Threat Actor   | |  DGA Detector    | |   Domain Age    |  |  |
|  |  | Profiler (20grp)| |  (7 heuristics)  | | Checker (WHOIS) |  |  |
|  |  +-----------------+ +------------------+ +-----------------+  |  |
|  +----------------------------------------------------------------+  |
|                                 |                                    |
|  +----------------------------------------------------------------+  |
|  |                        SCORING & OUTPUT                        |  |
|  |  +-----------+ +----------+ +-------+ +-------+ +-----------+  |  |
|  |  | Adaptive  | |  Tool-   | | HTML  | | MITRE | | Detection |  |  |
|  |  | Scoring   | |  Based   | |Report | | Nav.  | |  Rules    |  |  |
|  |  |  Engine   | | Scoring  | |       | |       | | Generator |  |  |
|  |  +-----------+ +----------+ +-------+ +-------+ +-----------+  |  |
|  +----------------------------------------------------------------+  |
+----------------------------------------------------------------------+
```
Quick Start
Prerequisites
- Python 3.10+
- Ollama (optional, for AI analysis)
Installation
```bash
# Clone repository
git clone https://github.com/ugurrates/CABTA.git
cd CABTA

# Create virtual environment
python -m venv venv
source venv/bin/activate    # Linux/Mac
# or
.\venv\Scripts\activate     # Windows

# Install dependencies
pip install -r requirements.txt

# Copy and configure
cp config.yaml.example config.yaml
# Edit config.yaml with your API keys (optional - works without them)

# Verify installation
python test_setup.py
```
Start the Web Dashboard
```bash
python -m uvicorn src.web.app:create_app --factory --host 0.0.0.0 --port 3003
```
Open http://localhost:3003 in your browser.
Ollama Setup (Optional)
```bash
# Install Ollama
curl -fsSL https://ollama.com/install.sh | sh    # Linux
# or download from https://ollama.com for Windows/Mac

# Pull recommended model
ollama pull llama3.1:8b

# Verify
ollama list
```
Configuration
Edit config.yaml with your settings:
```yaml
# API Keys (all optional - 15 free sources work without keys)
api_keys:
  virustotal: "your-vt-api-key"
  abuseipdb: "your-abuseipdb-key"
  shodan: "your-shodan-key"
  alienvault: "your-otx-key"

# LLM Configuration
llm:
  provider: "ollama"    # ollama, openai, anthropic
  ollama_model: "llama3.1:8b"
  ollama_endpoint: "http://localhost:11434"
```
API Key Sources
| Source | Free Tier | URL |
|--------|-----------|-----|
| VirusTotal | 500 req/day | https://www.virustotal.com/gui/join-us |
| AbuseIPDB | 1000 req/day | https://www.abuseipdb.com/register |
| Shodan | 100 req/month | https://account.shodan.io/register |
| AlienVault OTX | Unlimited | https://otx.alienvault.com/accounts/signup |
| GreyNoise | 50 req/day | https://viz.greynoise.io/signup |
Free Sources (No API Key Required)
These 15 OSINT sources work out of the box:
| Source | Type |
|--------|------|
| Abuse.ch URLhaus | Malicious URLs |
| Abuse.ch MalwareBazaar | Malware samples |
| Abuse.ch ThreatFox | IOC sharing |
| Abuse.ch Feodo Tracker | Botn |
