flowintel/flowintel

Flowintel is an open-source platform designed to assist analysts in organizing their cases and tasks. It features a range of tools and functionalities to enhance workflow efficiency.

Features

  • Case and Task Management: Tailored for security analysts, enabling efficient tracking and organization.

  • Rich Documentation Tools: Includes Markdown and Mermaid integration for detailed notes, with export options like PDF.

  • Integration with MISP standard: Seamless connection with MISP taxonomies and MISP galaxy.

  • Calendar and Notifications: Features an efficient calendar view and notifications for timely task management.

  • Templating System: Provides templates for cases and tasks, creating a playbook and process repository for cybersecurity.

  • Flexible Data Export: Offers modules for exporting data to platforms like MISP, AIL, and more.

  • Accessible API: Exposes an API for easy interaction with FlowIntel's functionalities.

  • Advanced Analysis Modules: Leverages MISP modules for automated enrichment, threat intelligence, and data correlation.

  • User and Workflow Management: Supports organizational structuring, task assignments, and a queueing system for efficient workload distribution.

  • Comprehensive Audit Logging: Maintains a full audit trail of all actions, ensuring transparency and compliance.

Quick start

Prerequisites

  • Python 3.10+
  • PostgreSQL (or SQLite, MySQL, MariaDB)
  • Valkey (or Redis)
  • uv (for Python dependency management)
  • Bun (for Node.js dependency management)

Installation

  1. Copy the default configuration:

cd flowintel
cp conf/config.py.default conf/config.py
cp conf/config_module.py.default conf/config_module.py

  2. Configure the application in conf/config.py

  3. Run the installation script:

./install.sh

  4. Start the application:

./launch.sh -l

macOS

In /bin there is a script for installation and for launching.

Account

  • email: admin@admin.admin
  • password: admin

Available Commands

launch.sh

./launch.sh -l               # Development launch
./launch.sh -ld              # Docker launch
./launch.sh -i               # Initialize database
./launch.sh -ip              # Production database initialization
./launch.sh -r               # Recreate database
./launch.sh -p               # Production launch
./launch.sh -t               # Run tests
./launch.sh -ks              # Kill running sessions
./launch.sh -tg              # Update taxonomies and galaxies
./launch.sh -mm              # Update MISP modules
./launch.sh -tdc <key>       # Create community test data
./launch.sh -dtdc <key>      # Delete community test data
./launch.sh -tdcc            # Create test cases
./launch.sh -dtdcc           # Delete test cases

Using Vite

To build assets using Vite:

cd app/assets
bun run build:static

Or with npm:

cd app/assets
npm run build:static

Adding Custom Taxonomies/Galaxies

If you would like to add your own galaxies and taxonomies to Flowintel, add them to:

  • flowintel/modules/custom_taxonomies/

  • flowintel/modules/custom_galaxies/

Keep in mind that taxonomies require a MANIFEST.json, and galaxies require two folders: clusters and galaxies.

See: misp-galaxy, misp-taxonomies
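
The layout rules above can be checked before restarting the application. The script below is an added example, not part of Flowintel: the function names are hypothetical, and the per-taxonomy `<name>/machinetag.json` check assumes the upstream misp-taxonomies manifest format rather than anything this README states.

```python
import json
from pathlib import Path


def _load_json(path, problems):
    """Parse one JSON file; record a problem and return None on failure."""
    try:
        return json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        problems.append(f"{path}: unreadable or invalid JSON ({exc})")
        return None


def check_custom_dirs(modules_dir):
    """Return a list of layout problems under modules_dir (empty list means OK)."""
    root, problems = Path(modules_dir), []

    # Taxonomies: the README requires a MANIFEST.json in custom_taxonomies/.
    tax_dir = root / "custom_taxonomies"
    manifest = tax_dir / "MANIFEST.json"
    if not manifest.is_file():
        problems.append(f"{manifest}: missing")
    else:
        data = _load_json(manifest, problems)
        entries = data.get("taxonomies", []) if isinstance(data, dict) else []
        # Assumption (upstream misp-taxonomies layout): every manifest entry
        # has a "name" and its tags live in <name>/machinetag.json.
        for entry in entries:
            name = entry.get("name") if isinstance(entry, dict) else None
            # Reject empty names and names that would escape the taxonomy folder.
            if not isinstance(name, str) or name in ("", "..") or Path(name).name != name:
                problems.append(f"{manifest}: bad taxonomy name {name!r}")
            elif not (tax_dir / name / "machinetag.json").is_file():
                problems.append(f"{tax_dir / name}: machinetag.json missing")
            else:
                _load_json(tax_dir / name / "machinetag.json", problems)

    # Galaxies: the README requires both a clusters/ and a galaxies/ folder.
    gal_dir = root / "custom_galaxies"
    for sub in ("clusters", "galaxies"):
        if not (gal_dir / sub).is_dir():
            problems.append(f"{gal_dir / sub}: missing folder")
            continue
        for path in sorted((gal_dir / sub).glob("*.json")):
            _load_json(path, problems)
    return problems
```

Call `check_custom_dirs("flowintel/modules")` from the directory that contains the checkout; an empty list means the required files and folders are present and parse as JSON.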

Roadmap

Overview of features currently under development. https://github.com/orgs/flowintel/projects/5

License

This software is licensed under the GNU Affero General Public License version 3.

Copyright (C) 2022-2023 CIRCL - Computer Incident Response Center Luxembourg
Copyright (C) 2022-2023 David Cruciani

Funding

Flowintel is co-funded by CIRCL and by the European Union under the FETTA (Federated European Team for Threat Analysis) project.