QUESTION: How much work would it be to extend Aleph for cyber-crime investigation #2494

@U039b

Description

Hi all!

First, thank you so much for your awesome work on Aleph!

I am working with multiple large NGOs on building a user-friendly Digital Forensic, Incident Response and OSINT investigation platform. Instead of starting from scratch I had a look at Aleph and at the FTM model. Aleph's architecture looks very flexible. So, I wonder how complicated it would be for me to:

  • manage new entities such as Threat actor, Campaign, Sample, etc.
  • enrich these entities with information coming from various external sources such as RiskIQ, Virus Total, etc.

I know that many different IR and OSINT platforms/tools already exist, but none of them manages a large bunch of entities. Some of these tools focus on network indicators, others on APT, others on OSINT. As an example, I need to allow users to correlate malware campaigns with online misinformation campaigns, and to correlate threat actors' activities with security incidents.

I looked at your documentation and at how Aleph is constructed, and it seems to me that extending Aleph would be the best way for me to build the tools the NGOs I work with need.

I apologize if opening an issue here was not the most appropriate way to reach out to you.

My best,
Esther

Labels: feature-request (Requests for new features or enhancements of existing features)