Universal Threat Hunting & Detection Engineering Platform
IntelForge is a comprehensive cybersecurity platform that transforms threat intelligence into actionable detection rules across multiple SIEM platforms. Built for security analysts, threat hunters, and detection engineers, it provides vendor-neutral tools for IOC extraction, query generation, rule creation, and collaborative threat hunting.
- Universal IOC Extraction: Extract IPs, domains, URLs, hashes, emails from text, files, and URLs
- Multi-Vendor Query Generation: Support for 6+ SIEM platforms with vendor-neutral approach
- Universal Rule Generation: Create Sigma and YARA rules from IOCs and threat intelligence
- Enterprise CTI Integration: 13+ premium threat intelligence providers
- ML-Powered Analytics: IOC scoring, threat attribution, and attack prediction
- Community Platform: Collaborative threat hunting with shared hunt packs
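The IOC extraction feature above covers the first step of every workflow in this tool. As an added example, not code from the IntelForge project, the following TypeScript module shows the two parts such an extractor needs: reversing the defanging conventions that threat reports use (`hxxp://`, `[.]`, `[@]`) and then matching typed indicators in an order that keeps a URL's host or an e-mail's domain from being double-reported. The sample report, the regular expressions and the file-extension skip list are all constructed for this example.

```typescript
// Added example (not IntelForge's own code): a typed IOC extractor that first
// reverses common defanging conventions, then pulls indicators out of free text.

export type IocType = "url" | "email" | "sha256" | "sha1" | "md5" | "ipv4" | "domain";

export interface Ioc {
  type: IocType;
  value: string;
}

// Reverse the defanging that reports apply so indicators cannot be clicked by
// accident: hxxp://, [.], (.), {.}, [dot], [@], [at], [:]
export function refang(text: string): string {
  return text
    .replace(/hxxp(s?):\/\//gi, (_m, s: string) => `http${s.toLowerCase()}://`)
    .replace(/\[\.\]|\(\.\)|\{\.\}|\[dot\]/gi, ".")
    .replace(/\[@\]|\[at\]/gi, "@")
    .replace(/\[:\]/g, ":");
}

// Patterns run in this order, and every match is blanked out of the working
// text before the next pattern runs, so the host inside a URL or the domain
// part of an e-mail address is not reported again as a stand-alone domain.
const PATTERNS: Array<[IocType, RegExp]> = [
  ["url", /\bhttps?:\/\/[^\s"'<>)]+/gi],
  ["email", /\b[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}\b/gi],
  ["sha256", /\b[a-f0-9]{64}\b/gi],
  ["sha1", /\b[a-f0-9]{40}\b/gi],
  ["md5", /\b[a-f0-9]{32}\b/gi],
  ["ipv4", /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/g],
  ["domain", /\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b/gi],
];

const IPV4_EXACT = /^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/;

// Bare file names such as "report.pdf" satisfy the domain pattern; treat these
// suffixes as file extensions rather than top-level domains (constructed list).
const FILE_EXTENSIONS = new Set(["pdf", "exe", "dll", "txt", "doc", "docx", "xls", "xlsx"]);

export function extractIocs(text: string): Ioc[] {
  let working = refang(text);
  const seen = new Set<string>();
  const out: Ioc[] = [];

  const push = (type: IocType, raw: string): void => {
    // URLs keep their case (paths are case-sensitive); everything else is normalised
    const value = type === "url" ? raw : raw.toLowerCase();
    const key = `${type}:${value}`;
    if (!seen.has(key)) {
      seen.add(key);
      out.push({ type, value });
    }
  };

  for (const [type, re] of PATTERNS) {
    for (const m of Array.from(working.matchAll(re))) {
      const hit = m[0];
      if (type === "domain" && FILE_EXTENSIONS.has(hit.slice(hit.lastIndexOf(".") + 1).toLowerCase())) {
        continue;
      }
      push(type, hit);
      if (type === "url") {
        // The host of a malicious URL is an indicator in its own right.
        try {
          const host = new URL(hit).hostname;
          push(IPV4_EXACT.test(host) ? "ipv4" : "domain", host);
        } catch {
          // unparsable URL: keep only the raw match
        }
      }
    }
    working = working.replace(re, " ");
  }
  return out;
}

// Constructed sample text in the style of a defanged threat report; the values
// are documentation ranges and placeholder names, not real indicators.
export const SAMPLE_REPORT = `
Actor staged payload at hxxps://update-cdn[.]example[.]net/pkg/setup.exe
and beaconed to 203[.]0[.]113[.]45 over 443. Phishing from billing[@]mail-example[.]org.
Dropper SHA256: 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
Attached file report.pdf is not an indicator.
`;
```

Running `extractIocs(SAMPLE_REPORT)` yields five indicators (the URL, its host as a domain, the e-mail address, the SHA-256 and the IPv4 address) and nothing for `report.pdf` or `setup.exe`. Keeping the extension skip list and the match order explicit is what lets an analyst reason about false positives instead of discovering them after the query has run.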
- CrowdStrike Falcon: CQL (CrowdStrike Query Language)
- Splunk Enterprise/Cloud: SPL (Search Processing Language)
- Microsoft Sentinel: KQL (Kusto Query Language)
- Elastic Security: ES|QL (Elasticsearch Query Language)
- IBM QRadar: AQL (Ariel Query Language)
- Google Chronicle: UDM Search
- Sigma Rule Generation: Universal detection rules with multi-platform export
- YARA Rule Creation: Malware detection rules from IOCs and file samples
- Query Optimization: Performance suggestions and vendor-specific tuning
- Field Mapping Editor: Custom SIEM configurations and data source mapping
- Automated Validation: Syntax checking and rule testing across platforms
- Multi-format Export: CQL queries, CSV reports, STIX 2.1, JSON with TTP context
- Enhanced CQL Bundles: Queries with MITRE ATT&CK mappings and AI analysis context
- Vendor-Aware Field Mapping: Automatic field translation for different SIEM platforms
- Client-Side Processing: All analysis happens locally in your browser
- Encrypted API Key Storage: AES-GCM encryption for sensitive credentials
- Multiple AI Providers: OpenAI, Anthropic Claude, Google Gemini, OpenRouter support
- Offline Capability: Core features work without internet connectivity
- Dual Themes: Sleek black analyst mode or retro green Pip-Boy terminal theme
- Real-time Validation: Live CQL syntax checking and field validation
- Progress Tracking: Visual feedback for long-running AI operations
- Error Recovery: Intelligent fallbacks and helpful error messages
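The "Encrypted API Key Storage" item above says provider keys are kept under AES-GCM on the client. As an added example, not the project's own implementation, the module below shows what a passphrase-protected envelope of that kind looks like: a random salt, PBKDF2-SHA256 key derivation, a fresh 12-byte nonce per encryption and the GCM authentication tag stored alongside the ciphertext, so a wrong passphrase or a tampered record is rejected rather than silently decrypted into garbage. The record format, iteration count and function names are assumptions; a browser build would use Web Crypto (`crypto.subtle`) for the same primitives, while `node:crypto` is used here so the example runs synchronously and offline.

```typescript
import { createCipheriv, createDecipheriv, pbkdf2Sync, randomBytes } from "node:crypto";

// Added example (not IntelForge's own code): a passphrase-protected AES-256-GCM
// envelope for an API key, in the JSON-friendly shape a browser app could keep
// in localStorage. All names and the record layout are assumptions.

export interface SealedSecret {
  v: 1;
  kdf: { name: "pbkdf2-sha256"; iterations: number; salt: string };
  iv: string;  // 12-byte GCM nonce, base64
  ct: string;  // ciphertext, base64
  tag: string; // 16-byte GCM authentication tag, base64
}

// Default PBKDF2 work factor (assumption for this example); callers may lower it
// for tests but should not for real storage.
export const KDF_ITERATIONS = 600_000;

function deriveKey(passphrase: string, salt: Buffer, iterations: number): Buffer {
  return pbkdf2Sync(passphrase, salt, iterations, 32, "sha256");
}

export function seal(secret: string, passphrase: string, iterations = KDF_ITERATIONS): SealedSecret {
  const salt = randomBytes(16);
  const iv = randomBytes(12); // a GCM nonce must never repeat under the same key
  const key = deriveKey(passphrase, salt, iterations);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(secret, "utf8"), cipher.final()]);
  return {
    v: 1,
    kdf: { name: "pbkdf2-sha256", iterations, salt: salt.toString("base64") },
    iv: iv.toString("base64"),
    ct: ct.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
  };
}

// Returns the plaintext, or null when the passphrase is wrong or any part of
// the record (ciphertext, nonce, tag) has been altered: GCM's tag check fails
// in both cases and the decryptor throws before returning any bytes.
export function unseal(sealed: SealedSecret, passphrase: string): string | null {
  const salt = Buffer.from(sealed.kdf.salt, "base64");
  const key = deriveKey(passphrase, salt, sealed.kdf.iterations);
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(sealed.iv, "base64"));
  decipher.setAuthTag(Buffer.from(sealed.tag, "base64"));
  try {
    const pt = Buffer.concat([decipher.update(Buffer.from(sealed.ct, "base64")), decipher.final()]);
    return pt.toString("utf8");
  } catch {
    return null;
  }
}

// Round trip through the string form that would actually be persisted.
export function roundTripViaJson(secret: string, passphrase: string, iterations = KDF_ITERATIONS): string | null {
  const stored = JSON.stringify(seal(secret, passphrase, iterations));
  return unseal(JSON.parse(stored) as SealedSecret, passphrase);
}
```

Two points worth noting when reviewing storage like this: the protection is only as strong as the passphrase that derives the key, since the ciphertext and salt sit in the same origin storage as the page's own scripts; and because the nonce and salt are regenerated on every `seal`, encrypting the same key twice produces two different records, which is the expected behaviour rather than a bug.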
- Node.js 18+ and npm (recommended: install with nvm)
- Git
```bash
# Clone the repository into a directory named intelforge
# (without the explicit target, git would create a directory named cql-forge)
git clone https://github.com/dark-analytica/cql-forge.git intelforge
# Navigate to the project directory
cd intelforge
# Install dependencies
npm install
# Start the development server
npm run dev
```

The application will be available at http://localhost:5173
```bash
# Build the application
npm run build
# Preview the production build
npm run preview
```
This project is built with modern web technologies:
- Frontend: React 18 with TypeScript
- Build Tool: Vite for fast development and optimized builds
- UI Framework: shadcn/ui components with Radix UI primitives
- Styling: Tailwind CSS with custom theme support
- State Management: React Query for server state management
- Routing: React Router DOM
- Backend: Supabase for optional cloud features
- Code Editor: Monaco Editor for CQL syntax highlighting
- Analytics: Built-in usage analytics
- Export Formats: PDF generation, CSV, JSON, STIX 2.1
Create a `.env` file in the root directory:

```env
# Optional: Supabase configuration for cloud features
VITE_SUPABASE_URL=your_supabase_url
VITE_SUPABASE_ANON_KEY=your_supabase_anon_key
# Optional: LLM Provider API Keys (for enhanced features)
VITE_OPENAI_API_KEY=your_openai_key
VITE_ANTHROPIC_API_KEY=your_anthropic_key
VITE_GOOGLE_API_KEY=your_google_key
```

Note that Vite inlines every `VITE_`-prefixed variable into the client bundle, so any provider key placed here is shipped to every browser that loads the built site. For anything beyond local development, keep provider keys out of `.env` and enter them through the in-app settings, where they are stored encrypted.
CQLForge supports multiple AI providers for enhanced analysis. Recommended: Use OpenRouter for best browser compatibility.
- OpenRouter (Recommended): Browser-friendly proxy supporting Claude, GPT, Gemini, and 100+ models
- Anthropic Claude: Direct API access (may have CORS issues in browsers)
- OpenAI/Azure OpenAI: Direct API access (may have CORS issues in browsers)
- Google Gemini: Direct API access (may have CORS issues in browsers)
Direct API calls to AI providers are often blocked by browser security (CORS policy). If you encounter "Failed to fetch" errors:
- Use OpenRouter (recommended): Get an API key from openrouter.ai
- Configure a CORS proxy: Set up a proxy server for direct API calls
- Use browser extensions: Install CORS-disabling extensions (not recommended for security)
Configure API keys through Settings → Configure API Keys in the application.
- Extract IOCs: Paste threat reports, upload PDFs, or fetch URLs for automatic IOC extraction
- AI Analysis: Enable AI filtering to reduce false positives and extract TTPs automatically
- Generate CQL: Select your SIEM vendor and convert IOCs into optimized queries
- Hunt Enhancement: Apply AI-generated hunt suggestions based on MITRE ATT&CK framework
- Export & Deploy: Export enhanced CQL bundles with TTP context for your security tools
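Step "Generate CQL" above, together with the "Vendor-Aware Field Mapping" feature, is the heart of the tool: the same IOC list has to become a syntactically different query per SIEM, with each vendor's own field names. As an added example, not the project's generator, the module below maps each IOC type to a (data source, field) pair per vendor, groups values by data source so each emitted query targets one table or event type, and renders SPL, KQL and CQL. The data-source and field names are assumptions for typical network, DNS and endpoint telemetry, and the sample IOCs are constructed. The `quote` helper is the security-relevant part: indicator values come from untrusted reports, so quotes and backslashes are escaped before a value is embedded in a string literal.

```typescript
// Added example (not IntelForge's own code): vendor-aware field mapping plus a
// per-vendor renderer. Data-source and field names are assumptions for typical
// network / DNS / endpoint telemetry, not the project's own mapping.

export type Vendor = "splunk" | "sentinel" | "crowdstrike";
export type IocType = "ipv4" | "domain" | "sha256";
export interface Ioc {
  type: IocType;
  value: string;
}

interface FieldTarget {
  source: string; // index, table or event type that scopes the query
  field: string;  // the vendor's name for this indicator type
}

const MAPPINGS: Record<Vendor, Record<IocType, FieldTarget>> = {
  splunk: {
    ipv4: { source: "index=network", field: "dest_ip" },
    domain: { source: "index=dns", field: "query" },
    sha256: { source: "index=endpoint", field: "file_hash" },
  },
  sentinel: {
    ipv4: { source: "DeviceNetworkEvents", field: "RemoteIP" },
    domain: { source: "DeviceNetworkEvents", field: "RemoteUrl" },
    sha256: { source: "DeviceFileEvents", field: "SHA256" },
  },
  crowdstrike: {
    ipv4: { source: "#event_simpleName=NetworkConnectIP4", field: "RemoteAddressIP4" },
    domain: { source: "#event_simpleName=DnsRequest", field: "DomainName" },
    sha256: { source: "#event_simpleName=ProcessRollup2", field: "SHA256HashData" },
  },
};

type Clause = [string, string[]]; // [field, already-quoted values]
type Renderer = (source: string, clauses: Clause[]) => string;

const fieldList = (clauses: Clause[]): string => clauses.map(([f]) => f).join(", ");

const RENDERERS: Record<Vendor, Renderer> = {
  // SPL: field IN (...) groups joined with OR, then a count per matched field
  splunk: (source, clauses) =>
    `${source} (${clauses.map(([f, vs]) => `${f} IN (${vs.join(", ")})`).join(" OR ")}) | stats count by ${fieldList(clauses)}`,
  // KQL: table | where field in (...) or ... | summarize
  sentinel: (source, clauses) =>
    `${source}\n| where ${clauses.map(([f, vs]) => `${f} in (${vs.join(", ")})`).join(" or ")}\n| summarize count() by ${fieldList(clauses)}`,
  // CQL (LogScale syntax): in(field, values=[...]) filters, then groupBy
  crowdstrike: (source, clauses) =>
    `${source}\n| ${clauses.map(([f, vs]) => `in(${f}, values=[${vs.join(", ")}])`).join(" or ")}\n| groupBy([${fieldList(clauses)}])`,
};

// IOC values come from untrusted reports: escape backslash and double quote so
// a crafted value cannot close the string literal and alter the query's logic.
export function quote(value: string): string {
  return `"${value.replace(/\\/g, "\\\\").replace(/"/g, '\\"')}"`;
}

export function generateQueries(vendor: Vendor, iocs: Ioc[]): string[] {
  // source -> field -> quoted values (Map keeps first-seen order for stable output)
  const bySource = new Map<string, Map<string, string[]>>();
  for (const ioc of iocs) {
    const { source, field } = MAPPINGS[vendor][ioc.type];
    const fields = bySource.get(source) ?? new Map<string, string[]>();
    bySource.set(source, fields);
    const values = fields.get(field) ?? [];
    const literal = quote(ioc.value.trim());
    if (!values.includes(literal)) values.push(literal); // de-duplicate
    fields.set(field, values);
  }
  return Array.from(bySource, ([source, fields]) => RENDERERS[vendor](source, Array.from(fields)));
}

// Constructed sample IOCs (documentation range, placeholder domain, patterned hash).
export const SAMPLE_IOCS: Ioc[] = [
  { type: "ipv4", value: "203.0.113.45" },
  { type: "domain", value: "update-cdn.example.net" },
  { type: "sha256", value: "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff" },
];
```

With `SAMPLE_IOCS`, Splunk gets three queries (one per index), while Sentinel gets two because the IP and domain both live in `DeviceNetworkEvents` and are combined with `or`. Adding a vendor is a matter of one mapping entry and one renderer, which is what keeps the approach vendor-neutral.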
- Enterprise CTI APIs: Recorded Future, CrowdStrike Falcon X, Mandiant, and 10+ more
- ML Analytics Engine: IOC risk scoring, threat actor attribution, attack vector prediction
- Community Hunt Packs: Collaborative threat hunting with expert-verified content
- Universal Rule Export: Deploy Sigma rules to Splunk, Elastic, QRadar, Sentinel, Chronicle
- Automated Threat Correlation: Cross-platform IOC analysis and campaign attribution
- Performance Optimization: Vendor-specific query tuning and efficiency recommendations
```
src/
├── components/          # React components
│   ├── ui/              # shadcn/ui components
│   ├── IOCExtractor.tsx # IOC extraction logic
│   ├── CQLGenerator.tsx # CQL query generation
│   └── ...
├── hooks/               # Custom React hooks
├── lib/                 # Utility functions and configurations
├── pages/               # Route components
└── integrations/        # External service integrations
```
- `npm run dev` - Start development server
- `npm run build` - Build for production
- `npm run build:dev` - Build in development mode
- `npm run preview` - Preview production build
- `npm run lint` - Run ESLint
The application builds to static files and can be deployed to any static hosting service:
- Netlify
- Vercel
- GitHub Pages
- AWS S3 + CloudFront
- Azure Static Web Apps
```dockerfile
FROM node:18-alpine
WORKDIR /app
COPY package*.json ./
# Install devDependencies too: Vite and TypeScript are needed by `npm run build`
RUN npm ci
COPY . .
RUN npm run build
# `vite preview` listens on localhost:4173 by default; bind it to all interfaces
# on the exposed port so the container is reachable
EXPOSE 3000
CMD ["npm", "run", "preview", "--", "--host", "0.0.0.0", "--port", "3000"]
```
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
This project is licensed under the MIT License - see the LICENSE file for details.
For issues, feature requests, or questions:
- Check the built-in Help documentation (Help button in the app)
- Review existing GitHub issues
- Create a new issue with detailed information
- Comprehensive Technique Database: 20+ MITRE ATT&CK techniques with full metadata
- Enhanced TTP Extraction: AI-powered extraction with authoritative technique descriptions
- Improved Hunt Suggestions: Context-aware recommendations using Pyramid of Pain framework
- Better TTP Cards: Clean evidence excerpts and professional technique displays
- 8+ Advanced Hunt Templates: PowerShell analysis, process injection, C2 detection, etc.
- Dynamic Template Generation: Fallback system for missing hunt scenarios
- Multi-IOC Correlation: Cross-reference different IOC types for campaign attribution
- Temporal Analysis: Timeline-based hunting for attack progression
- ✅ Phase 2: Multi-vendor expansion (6 SIEM platforms)
- ✅ Phase 3: Advanced features (Sigma/YARA rules, Enterprise CTI, ML analytics)
- ✅ Security Hardening: CSP headers, input validation, secure architecture
- ✅ Community Platform: Collaborative hunt pack sharing and validation
- Authentication System: User accounts and subscription management
- Production Deployment: Cloudflare hosting with custom domain
- API Monetization: Usage-based pricing and enterprise features
- SSO Integration: SAML and OIDC for enterprise customers
- Advanced Analytics: Threat landscape insights and trending IOCs