
Poortego

Poortego is an OSINT (Open Source Intelligence) investigation platform for managing entities, mapping relationships, and conducting link analysis. It aggregates data from multiple sources, enables complex queries, and supports collaborative investigations with built-in reporting capabilities.

Installation

# Install from PyPI
# (install into a virtual environment so the tool's dependencies stay
#  isolated from system packages and the upgrade path is predictable)
pip install poortego

# Install from source
git clone https://github.com/aurainfosec/poortego.git
cd poortego
pip install -r requirements.txt
# `setup.py install` is deprecated in current setuptools; `pip install .`
# is the equivalent and records the package for later uninstall/upgrade
python setup.py install

# Verify installation
poortego --version

Basic Commands

Command | Description
entity | Manage entities
relationship | Create/query relationships
investigate | Start investigation
search | Search across all data
export | Export investigation data

Entity Management

# Create new entity
poortego entity create --name "example.com" --type domain

# Add entity from email
poortego entity create --email user@example.com --type email

# Add IP address
poortego entity create --ip 192.168.1.1 --type ipv4

# Add phone number
poortego entity create --phone "+1234567890" --type phone

# Add username
poortego entity create --username "johndoe" --type username

# List all entities
poortego entity list

# Get entity details
poortego entity show --id <entity_id>

# Search entities
poortego entity search --query "example.com"

# Filter by type
poortego entity list --type domain

# Export entities
poortego entity export --format json --output entities.json

Relationship Mapping

# Create relationship between entities
poortego relationship create \
    --source example.com \
    --target 192.168.1.1 \
    --type "resolves-to"

# Connect email to domain
poortego relationship create \
    --source user@example.com \
    --target example.com \
    --type "associated-with"

# Connect username to email
poortego relationship create \
    --source johndoe \
    --target user@example.com \
    --type "uses-email"

# Connect IP to domain
poortego relationship create \
    --source 192.168.1.1 \
    --target example.com \
    --type "hosted-by"

# List relationships
poortego relationship list

# View relationship graph
poortego relationship graph --entity example.com --depth 3

# Export relationships
poortego relationship export --format graphml --output graph.graphml

Investigation Workflows

# Create new investigation
poortego investigate create --name "Operation Chameleon"

# Add entities to investigation
poortego investigate add-entity \
    --investigation "Operation Chameleon" \
    --entity example.com

# Bulk add entities from file
poortego investigate add-entities \
    --investigation "Operation Chameleon" \
    --input targets.txt

# View investigation entities
poortego investigate show --name "Operation Chameleon"

# Search within investigation
poortego investigate search \
    --investigation "Operation Chameleon" \
    --query "malware"

# Generate investigation report
poortego investigate export \
    --investigation "Operation Chameleon" \
    --format html \
    --output report.html

Advanced Data Collection

# Domain information gathering
poortego domain --target example.com

# DNS records
poortego dns --domain example.com

# Subdomain discovery
poortego subdomains --domain example.com

# Related domains
poortego related-domains --domain example.com

# IP WHOIS information
# NOTE: 192.168.1.1 is a private (RFC 1918) address used as a placeholder;
# WHOIS and reputation lookups only return meaningful data for public IPs
poortego whois --ip 192.168.1.1

# ASN information
poortego asn --asn 12345

# Email breaches
# NOTE(review): breach, username and phone lookups presumably query
# third-party data sources — confirm which providers are configured before
# submitting personal data from a live case
poortego breach --email user@example.com

# Username search across platforms
poortego username --query johndoe --deep

# Phone number lookup
poortego phone --number "+1234567890"

Threat Intelligence Integration

# Check IP reputation
# NOTE(review): reputation/threat lookups presumably submit the indicator to
# external intelligence providers — confirm this is acceptable for sensitive
# cases before querying, and log which source each verdict came from
poortego reputation --ip 192.168.1.1

# Domain reputation
poortego reputation --domain example.com

# Malware detection
poortego malware --domain example.com

# Botnet analysis
poortego botnet --ip 192.168.1.1

# Phishing detection
# (quote URLs that contain '&', '?' or spaces so the shell does not split them)
poortego phishing --url http://example.com

# C2 detection
poortego c2 --ip 192.168.1.1

# Known bad indicators
poortego iocs --query example.com --type domain

# Threat actor association
poortego threat-actor --query example.com

Deep Linking and Pivoting

# Find all connections to entity
poortego pivot --entity example.com

# Multi-step relationships
poortego pivot --entity example.com --depth 4

# Reverse pivot (find what links to entity)
poortego pivot --entity example.com --reverse

# Find common connections
poortego common-links \
    --entity1 example.com \
    --entity2 192.168.1.1

# Build relationship chains
poortego chain \
    --start example.com \
    --end malware-c2.com \
    --max-hops 6

# Find shortest path between entities
poortego path --source attacker@email.com --target example.com

Data Import and Export

# Import from CSV
poortego import --file targets.csv --format csv

# Import from JSON
poortego import --file investigation.json --format json

# Import from Excel
poortego import --file data.xlsx --format excel

# Bulk import entities
poortego import --type entities --file entities.txt

# Bulk import relationships
poortego import --type relationships --file relationships.csv

# Export investigation
poortego export \
    --investigation "Op Name" \
    --format json \
    --output investigation.json

# Export as STIX
poortego export \
    --investigation "Op Name" \
    --format stix \
    --output indicators.stix

# Export graph visualization
poortego export \
    --investigation "Op Name" \
    --format graphml \
    --output network.graphml

Batch Operations

# Process multiple targets from file
# (one target per line; validate the list first — see Best Practices)
poortego batch --input targets.txt --operation gather

# Parallel processing
# NOTE(review): high --threads values presumably fan out to external lookup
# services and may hit provider rate limits or API-key throttling — start
# low and raise only after checking the providers' limits
poortego batch --input targets.txt --threads 10 --operation investigate

# Generate reports for batch
poortego batch --input targets.txt \
    --report batch-report.html \
    --format html

# Export batch results
poortego batch --input targets.txt \
    --export results.json \
    --format json

# Scheduled batch jobs
# NOTE(review): --time is presumably interpreted in the host's local time
# zone — confirm, and keep the scheduler host's clock synchronised
poortego schedule --input targets.txt \
    --operation gather \
    --frequency daily \
    --time 02:00

Advanced Investigation Techniques

# Identify infrastructure
poortego infrastructure --target example.com

# Find shared infrastructure
poortego shared-infrastructure \
    --domain1 example.com \
    --domain2 suspicious.com

# Identify patterns
poortego patterns --investigation "Op Name"

# Detect clustering
poortego cluster \
    --investigation "Op Name" \
    --method hierarchical

# Timeline analysis
poortego timeline --investigation "Op Name"

# Attribution analysis
poortego attribute \
    --investigation "Op Name" \
    --suspected-actor "APT28"

Reporting and Analysis

# Generate HTML report
poortego report --investigation "Op Name" \
    --format html \
    --output investigation.html

# Generate PDF report
poortego report --investigation "Op Name" \
    --format pdf \
    --output investigation.pdf

# Executive summary
poortego report --investigation "Op Name" \
    --type summary \
    --output summary.txt

# Technical analysis report
poortego report --investigation "Op Name" \
    --type technical \
    --output technical.html

# Graph visualization
poortego report --investigation "Op Name" \
    --visualization graph \
    --output network.png

# Timeline report
poortego report --investigation "Op Name" \
    --type timeline \
    --output timeline.html

# Threat assessment
poortego report --investigation "Op Name" \
    --assessment-type threat \
    --output threat-assessment.html

Real-World Investigation Workflow

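#!/bin/bash
# Complete threat investigation workflow
#
# Reads seed indicators (one per line) from initial_indicators.txt in the
# current directory, registers them in a new dated investigation, collects
# per-entity intelligence, maps relationships and patterns, and writes every
# artefact into a fresh ./investigation_<epoch> directory.
#
# Requires: the poortego CLI on PATH and a readable initial_indicators.txt.
# Exit status: 0 on success, 1 on any failed setup step or create/add call.
set -euo pipefail

readonly INVESTIGATION_NAME="Threat Investigation $(date +%Y%m%d)"
readonly WORK_DIR="./investigation_$(date +%s)"
readonly SEED_FILE="initial_indicators.txt"

# Print an error to stderr and abort.
die() { printf '[!] %s\n' "$*" >&2; exit 1; }

command -v poortego >/dev/null || die "poortego not found on PATH"
[[ -r "$SEED_FILE" ]] || die "cannot read seed file: $SEED_FILE"
mkdir -p "$WORK_DIR"

printf '[*] Creating investigation: %s\n' "$INVESTIGATION_NAME"
poortego investigate create --name "$INVESTIGATION_NAME"

# 1. Seed investigation with indicators
#    Blank lines and '#' comment lines in the seed file are skipped; the
#    `|| [[ -n ... ]]` keeps a final line that lacks a trailing newline.
printf '[*] Adding initial indicators...\n'
while IFS= read -r indicator || [[ -n "$indicator" ]]; do
    if [[ -z "$indicator" || "$indicator" == \#* ]]; then
        continue
    fi
    poortego entity create --name "$indicator" --auto-detect
    poortego investigate add-entity --investigation "$INVESTIGATION_NAME" --entity "$indicator"
done < "$SEED_FILE"

# 2. Gather intelligence
#    Entity names are taken from the second column of `investigate show`
#    lines that contain "entity"; adjust the filter if the output format
#    differs. A failed lookup for one entity is reported and skipped rather
#    than aborting the whole run (entities may be IPs/emails that the
#    domain-oriented lookups do not accept).
#    NOTE: `>>` appends one result per entity, so the *.json files hold
#    concatenated documents, not necessarily a single valid JSON value.
printf '[*] Gathering threat intelligence...\n'
while IFS= read -r entity; do
    [[ -n "$entity" ]] || continue
    poortego domain --target "$entity" >> "$WORK_DIR/domain_info.json" \
        || printf '[!] domain lookup failed for %s\n' "$entity" >&2
    poortego reputation --domain "$entity" >> "$WORK_DIR/reputation.json" \
        || printf '[!] reputation lookup failed for %s\n' "$entity" >&2
done < <(poortego investigate show --name "$INVESTIGATION_NAME" | grep 'entity' | awk '{print $2}')

# 3. Map relationships
printf '[*] Mapping relationships...\n'
poortego pivot --investigation "$INVESTIGATION_NAME" --depth 3 \
    > "$WORK_DIR/relationships.json"

# 4. Identify patterns
printf '[*] Identifying patterns and infrastructure...\n'
poortego patterns --investigation "$INVESTIGATION_NAME" \
    > "$WORK_DIR/patterns.json"

# 5. Generate analysis
printf '[*] Generating analysis reports...\n'
poortego report --investigation "$INVESTIGATION_NAME" \
    --format html \
    --output "$WORK_DIR/analysis.html"

# 6. Export data
printf '[*] Exporting investigation data...\n'
poortego investigate export \
    --investigation "$INVESTIGATION_NAME" \
    --format json \
    --output "$WORK_DIR/investigation.json"

printf '[+] Investigation complete\n'
printf '[+] Results: %s\n' "$WORK_DIR"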

Collaboration Features

# Share investigation
poortego share --investigation "Op Name" --user analyst@org.com

# Set permissions
# (grant only the role the user actually needs; an editor can modify the
#  investigation's entities and relationships, so review memberships regularly)
poortego share --investigation "Op Name" \
    --user analyst@org.com \
    --role editor

# Create shared workspace
poortego workspace create --name "Threat Analysis Team"

# Add members to workspace
poortego workspace add-member \
    --workspace "Threat Analysis Team" \
    --user analyst1@org.com

# Comment on entities
# (attribution claims should carry a confidence level and the evidence
#  they rest on — see Best Practices)
poortego comment --entity "example.com" \
    --comment "Connected to APT28 infrastructure"

# View entity history
poortego entity history --id <entity_id>

Troubleshooting

# Check connection
poortego test --connection

# Verify API key
# NOTE: a key passed as a command-line argument is visible in shell history
# and to other local users via `ps`; if the tool supports reading it from an
# environment variable or config file, prefer that and rotate any key that
# has been exposed this way
poortego config --api-key YOUR_API_KEY --test

# View logs
# (debug-level logs may include queried indicators and provider responses —
#  treat them as case data when sharing)
poortego logs --level debug

# Database integrity
poortego verify --database

# Clear cache
poortego cache --clear

# Rebuild indices
poortego index --rebuild

Best Practices

  • Create named investigations for each threat
  • Document relationships with dates and confidence levels
  • Use consistent entity naming conventions
  • Export investigations regularly for backup
  • Validate all indicators before analysis
  • Cross-reference with multiple intelligence sources
  • Document analysis methodology
  • Review and update timelines regularly
  • Share findings with relevant stakeholders
  • Archive completed investigations

References


Last updated: 2026-03-30