This threat hunting project collects information about recent security events in order to generate detection and prevention rules. It uses a single data source for now; support for multiple sources is planned. Collected data is stored in a database and can be updated automatically.
This section lists the scripts and what each one is for.
- db.py : class that performs operations on the database (connection, insertion, update and query helpers);
- event_class.py : classes used to normalize data types, in particular the Event, Object and Attribute formats;
- sigmaRule.py : functions and a class used to store and generate Sigma detection rules;
- for more, see the diagram below
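The following is an added example, not code from the project: it shows how normalized Event/Attribute objects of the kind event_class.py describes can be turned into Sigma rules of the kind sigmaRule.py produces. The `Event` and `Attribute` dataclasses, the `SIGMA_FIELDS` mapping from attribute type to Sigma logsource and field, and the sample event are all assumptions made for illustration; the project's own classes and mapping may differ.

```python
"""Added example, not the project's own code: normalize an event's
attributes and emit Sigma rules from them. The Event/Attribute classes and
the attribute-type to Sigma-field mapping below are assumptions for
illustration; the project's event_class.py and sigmaRule.py may differ."""
import uuid
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Attribute:
    type: str   # assumed MISP-style type name, e.g. "domain", "ip-dst"
    value: str


@dataclass
class Event:
    uuid: str
    info: str
    attributes: List[Attribute] = field(default_factory=list)


# Assumed mapping: attribute type -> Sigma logsource and detection field.
SIGMA_FIELDS: Dict[str, Dict[str, str]] = {
    "domain":   {"category": "dns_query",          "product": "windows", "field": "QueryName"},
    "ip-dst":   {"category": "network_connection", "product": "windows", "field": "DestinationIp"},
    "sha256":   {"category": "process_creation",   "product": "windows", "field": "Hashes|contains"},
    "filename": {"category": "process_creation",   "product": "windows", "field": "Image|endswith"},
}


def build_sigma_rules(event: Event) -> List[dict]:
    """Group an event's attributes by logsource and build one rule per group.
    Attribute types with no mapping are skipped rather than guessed."""
    grouped: Dict[tuple, Dict[str, List[str]]] = {}
    for attr in event.attributes:
        spec = SIGMA_FIELDS.get(attr.type)
        if spec is None:
            continue
        key = (spec["category"], spec["product"])
        grouped.setdefault(key, {}).setdefault(spec["field"], []).append(attr.value)

    rules = []
    for (category, product), selection in sorted(grouped.items()):
        # Deterministic rule id derived from the event uuid, so re-running
        # the generator yields the same id for the same event/logsource.
        rule_id = str(uuid.uuid5(uuid.NAMESPACE_URL, f"{event.uuid}/{category}"))
        rules.append({
            "title": f"{event.info} ({category})",
            "id": rule_id,
            "status": "experimental",
            "logsource": {"category": category, "product": product},
            "detection": {"selection": selection, "condition": "selection"},
            "level": "medium",
            "tags": [f"source.event.{event.uuid}"],
        })
    return rules


def _scalar(v) -> str:
    # Single-quote every scalar so values containing ':' or '#' stay valid YAML.
    return "'" + str(v).replace("'", "''") + "'"


def dump_yaml(value, indent: int = 0) -> str:
    """Minimal YAML emitter for the dict/list/str structure above, so the
    example runs without PyYAML. Use PyYAML for real output."""
    pad = " " * indent
    if isinstance(value, dict):
        out = []
        for k, v in value.items():
            if isinstance(v, (dict, list)):
                out.append(f"{pad}{k}:")
                out.append(dump_yaml(v, indent + 4))
            else:
                out.append(f"{pad}{k}: {_scalar(v)}")
        return "\n".join(out)
    if isinstance(value, list):
        return "\n".join(f"{pad}- {_scalar(v)}" for v in value)
    return f"{pad}{_scalar(value)}"


# Constructed sample event (not real threat data).
SAMPLE_EVENT = Event(
    uuid="0f1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d",
    info="Suspicious loader campaign",
    attributes=[
        Attribute("domain", "update.example.invalid"),
        Attribute("ip-dst", "203.0.113.10"),
        Attribute("sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
        Attribute("comment", "ignored: no Sigma mapping"),
    ],
)

if __name__ == "__main__":
    for rule in build_sigma_rules(SAMPLE_EVENT):
        print(dump_yaml(rule), end="\n---\n")
```

The deterministic `uuid5` id is the detail worth keeping: it lets a later run recognise a rule it already wrote, which is what any update-in-place or user-edit preservation logic has to key on.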
- Clone the repo and install the requirements
- Edit the locations configured in main.py if needed
- Run `python3.9 main.py`
Put the scripts categories_all_filler.sh, sort_usefull_content.sh and parser.sh in the same directory, then run them in this order:
- run categories_all_filler.sh
- run sort_usefull_content.sh
- run parser.sh
- Create a new branch named whitelist_update
- Commit your changes
- Open a pull request and wait for an admin to review your suggestions
- Research async functions
- Implement the async functions
- Rule creation ✅
- Rule uploading ✅
- Rule editing ✅
Objective : automate the export of new rules to the EDR ✅
Objective : allow users to edit rules to make them more effective. Comment : since the program regenerates the whole set of rules on each execution, user modifications would otherwise have to be reapplied every time the program is launched.
Find a way to make rule edits persistent: if a user edits a rule, it must be kept as user-defined and not reset when the script runs. ✅
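One way to get that persistence, shown here as an added example rather than the project's own implementation: record, alongside each rule the script writes, a fingerprint of the rule body it generated. On the next run, a stored rule whose current body no longer matches its recorded fingerprint (or that carries an explicit `user_defined` flag) was edited by a user and is kept as-is; everything else is regenerated. The rule dictionary shape, the `generated_hash`/`user_defined` keys and the `merge_rules` helper are assumptions for illustration, as is the sample store built by `build_sample_store`.

```python
"""Added example, not the project's own code: regenerate the rule set while
keeping rules a user has edited. Each stored rule carries `generated_hash`,
the fingerprint of the body the script last wrote; a mismatch (or an explicit
`user_defined` flag) marks the rule as user-edited and it is kept as-is.
The rule shape and the helper names are assumptions for illustration."""
import hashlib
import json
from typing import Dict, List, Tuple

META_KEYS = ("generated_hash", "user_defined")


def fingerprint(rule: dict) -> str:
    """Canonical SHA-256 of the rule body, ignoring the bookkeeping keys."""
    body = {k: v for k, v in rule.items() if k not in META_KEYS}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def _stamp(rule: dict) -> dict:
    """Copy of a freshly generated rule with its fingerprint recorded."""
    out = dict(rule)
    out["generated_hash"] = fingerprint(out)
    out["user_defined"] = False
    return out


def merge_rules(stored: Dict[str, dict], generated: List[dict]) -> Dict[str, dict]:
    """Merge freshly generated rules into the stored set (keyed by rule id).

    - user-edited stored rules are kept untouched and flagged user_defined;
    - untouched stored rules are replaced by their regenerated version;
    - untouched stored rules the generator no longer produces are dropped;
    - new generated rules are added with a fresh generated_hash.
    A stored rule with no generated_hash is treated as edited (never clobber)."""
    merged: Dict[str, dict] = {}
    gen_by_id = {r["id"]: r for r in generated}

    for rid, old in stored.items():
        edited = bool(old.get("user_defined")) or fingerprint(old) != old.get("generated_hash")
        if edited:
            kept = dict(old)
            kept["user_defined"] = True
            merged[rid] = kept
        elif rid in gen_by_id:
            merged[rid] = _stamp(gen_by_id[rid])

    for rid, new in gen_by_id.items():
        if rid not in merged:
            merged[rid] = _stamp(new)
    return merged


def _rule(rid: str, level: str) -> dict:
    # Constructed sample rule (not real threat data).
    return {"id": rid, "title": f"rule {rid}", "level": level,
            "detection": {"selection": {"Image|endswith": "\\tool.exe"},
                          "condition": "selection"}}


def build_sample_store() -> Tuple[Dict[str, dict], List[dict]]:
    """Constructed stored set and generator output exercising each case."""
    a = _stamp(_rule("A", "medium"))   # untouched; the generator now changes it
    b = _stamp(_rule("B", "medium"))
    b["level"] = "high"                # user raised the level after generation
    c = _stamp(_rule("C", "low"))      # untouched; the generator no longer produces it
    stored = {"A": a, "B": b, "C": c}
    generated = [_rule("A", "high"), _rule("B", "medium"), _rule("D", "low")]
    return stored, generated


if __name__ == "__main__":
    stored, generated = build_sample_store()
    for rid, rule in merge_rules(stored, generated).items():
        print(rid, rule["level"], "user_defined" if rule["user_defined"] else "generated")
```

Comparing against the recorded fingerprint rather than relying only on a flag means an edit made directly in the database or on the EDR is still detected, and a rule that lost its bookkeeping keys defaults to being preserved rather than overwritten.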