Cont3xt

Cont3xt centralizes and simplifies a structured approach to gathering contextual intelligence in support of technical investigations.

It enriches indicators using popular commercial and OSINT sources in a structured, consistent, and thorough process. Some of the default enrichment integrations include PassiveTotal, VirusTotal, Censys, Shodan, and more. Simplify your analytic life!

View Cont3xt installation instructions to get started!

Cont3xt Settings Documentation.

Cont3xt Demo

Cont3xt was first available in the Arkime 4.0 release.

Do you hate popping loads of browser tabs into many different services to research technical indicators?
Are you inconsistent with your use of available research tools?
Do you wish you could easily pivot into other web accessible investigative resources?
Keep reading to learn how Cont3xt can help you!


Cont3xt Dashboard

Cont3xt automates the task of gathering contextual intelligence from a handful of popular services.

Cont3xt Dashboard screenshot
Search

Enter an indicator in the search bar. The search bar supports refanging input and identifies the indicator type. Search does not currently support bulk lookups, but will in the future.
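The refang-and-classify step described above, written out as an added example (not Cont3xt's own code): it undoes common defanging conventions, decides the iType of a single pasted indicator, and lists the indicators it derives (the host of a URL, the domain of an email address). The patterns, the iType names and the rule that a URL's host is enriched as a domain or IP are assumptions made for this example.

```javascript
// Added example (not Cont3xt's own code): refang one indicator, decide its iType and
// list the indicators derived from it, in the spirit of the search bar described above.

// Undo common defanging conventions such as hxxp://, [.], (dot), [at], [:] and [/].
function refang(raw) {
  let s = String(raw).trim();
  s = s.replace(/^hxxp(s?):\/\//i, (_m, tls) => `http${tls.toLowerCase()}://`);
  s = s.replace(/\[\.\]|\(\.\)|\{\.\}|\[dot\]|\(dot\)/gi, '.');
  s = s.replace(/\[@\]|\(@\)|\[at\]|\(at\)/gi, '@');
  s = s.replace(/\[:\]/g, ':').replace(/\[\/\]/g, '/');
  return s;
}

// Indicator patterns; these are assumptions for this example, not Cont3xt's own rules.
const URL_RE = /^[a-z][a-z0-9+.-]*:\/\//i;
const EMAIL  = /^[^\s@]+@([^\s@]+\.[^\s@]+)$/;
const IPV4   = /^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/;
const IPV6   = /^(?=(?:[^:]*:){2})[0-9a-f:]+$/i;                  // loose: two or more colons, hex and colons only
const HASH   = /^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$/i;   // MD5 / SHA-1 / SHA-256
const PHONE  = /^(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})$/; // US numbers only
const DOMAIN = /^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;

// Returns { itype, value, derived } where derived lists indicators that get their own enrichment.
function classify(raw) {
  const value = refang(raw);
  const result = { itype: 'unknown', value, derived: [] };
  let m;
  if (URL_RE.test(value)) {
    result.itype = 'url';
    try {
      const host = new URL(value).hostname.replace(/^\[|\]$/g, '');   // strip IPv6 brackets
      const hostType = IPV4.test(host) || IPV6.test(host) ? 'ip' : 'domain';
      result.derived.push({ itype: hostType, value: host });         // assumption: URL host is enriched too
    } catch (_e) { /* unparsable URL: keep itype 'url' without a derived host */ }
  } else if ((m = EMAIL.exec(value))) {
    result.itype = 'email';
    // Simplification: the part after '@' stands in for the base domain (no public suffix list here).
    result.derived.push({ itype: 'domain', value: m[1].toLowerCase() });
  } else if (IPV4.test(value) || IPV6.test(value)) {
    result.itype = 'ip';
  } else if (HASH.test(value)) {
    result.itype = 'hash';
  } else if ((m = PHONE.exec(value))) {
    result.itype = 'phone';
    result.value = `+1${m[1]}${m[2]}${m[3]}`;   // normalise to E.164
  } else if (DOMAIN.test(value)) {
    result.itype = 'domain';
    result.value = value.toLowerCase();
  }
  return result;
}

// Constructed sample input: a defanged URL as an analyst would paste it from a report.
console.log(classify('hxxp://evil[.]example[.]com/path'));
```

The order of the checks matters: URL and email are tested first because their bodies contain dots and letters that would otherwise satisfy the domain pattern, and the hash pattern runs before the phone pattern so a 32-hex string is never mistaken for digits.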

Enrich Data

We currently support a bunch of different services for auto enrichments, and are adding new ones all the time.

Custom Links

Build custom links to any public/private web resource where the web application supports query string deep linking. This makes it easy to pivot investigations to other sources.

Share links with team mates that are tailored to specific views and link filters to guide the investigative process.
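An added example (not Cont3xt's own code) of what a query-string deep link looks like in practice: a link group whose entries carry an iType filter and a URL template, rendered for one indicator. The `${indicator}` and `${itype}` placeholder names, the group layout and the hostnames are assumptions made for this example. The point a practitioner cares about is the percent-encoding: an indicator that is itself a URL contains `?`, `&` and `#`, and substituting it raw would let it rewrite the target's query string.

```javascript
// Added example (not Cont3xt's own code): render a link group for one indicator.
// '${indicator}' and '${itype}' are placeholder names assumed for this example.

const sampleLinkGroup = {                 // constructed sample data
  name: 'Team pivots',
  links: [
    { name: 'IP reputation', itypes: ['ip'],
      url: 'https://reputation.example/ip?q=${indicator}' },
    { name: 'Domain search', itypes: ['domain', 'email'],
      url: 'https://search.example/?q=${indicator}&kind=${itype}' },
    { name: 'Submit URL for scan', itypes: ['url'],
      url: 'https://scan.example/new?target=${indicator}' },
  ],
};

// Render only the links whose iType filter matches. Every substituted value is percent-encoded,
// so an indicator containing '&', '#', '?' or spaces cannot escape its query parameter.
function renderLinks(group, indicator, itype) {
  return group.links
    .filter((link) => link.itypes.includes(itype))
    .map((link) => ({
      name: link.name,
      href: link.url.replace(/\$\{(indicator|itype)\}/g, (_m, key) =>
        encodeURIComponent(key === 'indicator' ? indicator : itype)),
    }));
}

// A trimmed-down view of a group, for sharing a specific subset of links with team mates.
function filterByNames(group, names) {
  return { ...group, links: group.links.filter((link) => names.includes(link.name)) };
}

// Constructed sample input: a URL indicator with query-string characters in it.
console.log(renderLinks(sampleLinkGroup, 'http://a.example/?x=1&y=2#f', 'url'));
```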

Download Reports

Export full reports, or subsets of response data.


Indicator Types (iTypes)

Cont3xt auto-enriches the supported indicator types: IP, domain/hostname, URL, email address, hash and phone number.

Domains/Hostnames

  • Resolution via Cloudflare DNS over HTTPS of record types including A, AAAA, NS, MX, TXT, SPF/DMARC, CAA and SOA. Any IPs resolved are then given the IP iType enrichment.
  • Direct/public Whois request. This is valuable alongside third-party commercial services, whose results may be cached or stale for freshly registered domains.
  • PassiveTotal Whois
  • PassiveTotal PDNS
  • PassiveTotal subdomains
  • BuiltWith
  • URLHaus
  • URLScan 'contains'
  • VirusTotal 'contains'
  • AlienVault OTX
  • Anomali ThreatStream search

IPs

  • RDAP query identifying the RIR, with a link to the details.
  • SPUR.us
  • GreyNoise
  • Censys
  • AbuseIPDB
  • Shodan
  • PassiveTotal PDNS
  • BGPView
  • ThreatFox
  • URLHaus
  • URLScan
  • VirusTotal
  • AlienVault OTX
  • Anomali ThreatStream

Email

  • Perform a direct-connection SMTP sender receipt verification. This is the only heavy-touch lookup Cont3xt currently performs; you can disable it in the integration settings.
  • Anomali ThreatStream
  • Extract the base domain and perform all relevant domain enrichments.

Hashes

  • MalwareBazaar
  • ThreatFox
  • VirusTotal
  • AlienVault OTX
  • Anomali ThreatStream

Phone (U.S. ONLY)

  • Twilio - identify carrier and caller name

Installation

  1. Configure OpenSearch/Elasticsearch; if it is used only for Cont3xt, a small single-node deployment is enough
  2. Download Arkime 4.0 or later
  3. Install the RPM/DEB file
  4. Run /opt/arkime/bin/Configure --cont3xt to enable systemd file
  5. If a NEW install, run /opt/arkime/db/db.pl http://eshost:port init
  6. Edit /opt/arkime/etc/cont3xt.ini and update the elasticsearch setting
  7. If a NEW install, run /opt/arkime/bin/arkime_add_user.sh admin admin PASSWORD --admin to create an initial user
  8. Run systemctl restart arkimecont3xt
  9. If Cont3xt isn't working, look at /opt/arkime/log/cont3xt.log

cont3xt.js

You'll need to run cont3xt.js from the cont3xt directory.
If not using anonymous mode, every user will need either the cont3xtUser or cont3xtAdmin role assigned to them. The cont3xtAdmin role will allow the user to edit any link group.

For configuration details, see the Cont3xt Settings Documentation.