Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository. Yeti will also automatically enrich observables (e.g. resolve domains, geolocate IPs) so that you don't have to. Yeti provides an interface for humans (shiny Bootstrap-based UI) and one for machines (web API) so that your other tools can talk nicely to it.
Yeti was born out of frustration of having to answer the question "where have I seen this artifact before?" or Googling shady domains to tie them to a malware family.
In a nutshell, Yeti allows you to:
This is done by:
There's are a few handy bootstrap scripts in /extras that you can use to install a production instance of Yeti.
If you're really in a hurry, you can
curl | bash them.
$ curl https://raw.githubusercontent.com/yeti-platform/yeti/master/extras/ubuntu_bootstrap.sh | sudo /bin/bash
Please refer to the full documentation for more detailed steps.
Yeti has a
docker-compose script to get up and running even faster; this is useful for testing or even running production instances of Yeti should your infrastructure support it. Full instructions here, but in a nutshell:
$ git clone https://github.com/yeti-platform/yeti.git $ cd yeti/extras/docker/dev $ docker-compose up