Skip to content
Analysis Correlation Engine
Python JavaScript HTML CSS Shell TSQL Other
Branch: master
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
_api_package incremented version for ace_api Mar 7, 2019
ace_client_lib fixed some minor issues with ace_api backwards compat stuff Jan 21, 2019
api fixed unit testing Apr 4, 2019
app Merge branch 'delayed_remediation' Jun 18, 2019
bin added utility script for updating sip cache May 15, 2019
bro fixed issue with order of bro events for smtp traffic Dec 31, 2018
cron initial commit Aug 3, 2018
docs documentation updates Feb 15, 2019
etc fixed an issue with remediation queue Jun 19, 2019
installer updated requirements due to security issue in sqlalchemy May 8, 2019
lib adjusted logging level Jun 19, 2019
render added render project to ace repo Oct 18, 2018
sample_detections/office initial commit Aug 3, 2018
sql updated sql with recent changes Jun 7, 2019
ssl/root/ca automating ssl certification creation Dec 18, 2018
test_data modified archive analysis to recognize openoffice documents Feb 7, 2019
yss/etc updated yss logging config for ace Sep 20, 2018
.gitignore refactoring remediation May 15, 2019
LICENSE Initial commit Aug 3, 2018 added docs badge to readme Oct 19, 2018
ace remediation system refactor, start/stop, bug fixes Jun 17, 2019
ace.wsgi use flask-sqlalchemy session scope for saq.db in wsgi apps Feb 14, 2019 fixed variable scope Apr 22, 2019
aced #fixes #132 - added systemd stuff Feb 1, 2019
analyst_on_ace.png added analyst_on_ace.png Sep 4, 2018
api.wsgi use flask-sqlalchemy session scope for saq.db in wsgi apps Feb 14, 2019 Merge remote-tracking branch 'origin/master' Jan 19, 2019
crontab.example added sample crontab and sample cleanup script Oct 23, 2018
load_environment fixes and adjustments to some of the support scripts Sep 6, 2018
test remediation system refactor, start/stop, bug fixes Jun 17, 2019 started some unit testing for the cli Nov 19, 2018 Adds initial Events API Mar 6, 2019

ACE - Analysis Correlation Engine

Documentation Status

ACE is a detection system and automation framework. ACE’s foundation is its engine for recursive analysis and its intuitive presentation to your analysts. ACE's goal is to reduce the analyst's time-to-disposition to as close to zero as humanly possible.

While ACE is a powerful detection system, and does have built in detections, ACE does not ship with all of the yara signatures and intel detections that teams have built around it. However, ACE makes it easy to load your own yara signatures and atomic indicator detections.

Alerts are sent to ACE, and ACE handles the ordinary, manual, redundant, and repetitive tasks of collecting, combining, and relating data. ACE will then contextually and intuitively present all the right data to the human, allowing for a quick, high confidence determination to be made.

Got some new analysis that can be automated? Awesome! Add your automation, and let ACE keep working for you.

Analyst using ACE

For the most part, custom hunting tools send alerts to ACE using ACE’s client library (API wrapper). ACE then gets to work by taking whatever detectable conditions it’s given and spirals out through its recursive analysis of observables, hitting as many detection points as possible across the attack surface.

ACE is the implementation of a proven detection strategy, a framework for automating analysis, a central platform to launch and manage incident response activates, an email scanner, and much more.

Major Features

  • Email Scanning
  • Recursive File Scanning
  • URL Crawling and Content Caching
  • Intuitive Alert Presentation
  • Recursive Data Analysis & Correlation
  • Central Analyst Interface
  • Event and Incident Management
  • Intel Ingestion
  • Modular Design for extending automation

The Super Fast, Getting Started Steps

  1. Clean Ubuntu 18 install. Take a quick look at these notes about Ubuntu 18.
  2. Create username/group ace/ace.
  3. Add ace to sudo.
  4. Login as user ace.
  5. sudo mkdir /opt/ace && sudo chown ace:ace /opt/ace && cd /opt/ace
  6. git clone .
  7. ./installer/source_install
  8. source load_environment
  9. ./ace add-user username email_address
  10. Goto or whatever IP address you're using.

Built for the InfoSec Team

Regardless of skill level, ACE greatly reduces the time it takes an analyst to make a high confidence alert disposition. This reduction in time-to-disposition, coupled with the appropriate hunting and tuning mindset, means that security teams can greatly increase their attack surface coverage, all while utilizing the same amount of analyst time and practically eliminating alert fatigue. Optimization good, alert fatigue bad.

Analyst using ACE

Analyst Demo

The following YouTube video provides a tour of the ACE GUI and demonstrates how to work some alerts.

ACE Analyst Demo


For a more in-depth understanding of the philosophy behind ACE, see the talk that John Davison gave on the development of the ACE tool set at BSides Cincinnati in 2015.

Automated Detection Strategies


View ACE's full documentation here:

You can’t perform that action at this time.