Skip to content

Terguttac/Detection-Engineering-Custom

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
detections
detections
 
 
development
development
 
 
metrics
metrics
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
monitor_detections.sh
monitor_detections.sh
 
 

Repository files navigation

Detection Engineering

Purpose

This repo builds upon the scripts written throughout Anthony Isherwood's Detection Engineering course. The scripts and automations have been adapted to run locally, using inotifywait to monitor the detection folders. The validation script runs upon detecting a change, and if validated, the alert is synced to Elastic.

Summary

The bash command watches for file changes in both the validated and failed directories. Once detected, the validation script will be run against the file and responds accordingly.

  • If a detection is altered and no longer valid, the script moves it to the failed directory.

  • If a detection in the failed directory is modified and passes validation it is moved to the validated directory.

  • If a detection is altered and validated, it is synced to Elastic.

If validation fails, the script can retrieve the last valid detection. This option is enabled by default but can be disabled by setting getBKUP = False in the custom_validation.py script.

Retrieved detections are placed in the validated directory, prepended with BKUP_, and are automatically removed when the failed detection is corrected.

Setup & Usage

  • Set environment variables for ELASTIC_URL and API_KEY.
  • Set an environment variable for GH_URL to the path of the github repo. For example: https://raw.githubusercontent.com/Terguttac/Detection-Engineering-Custom/main/
  • Run monitor_detections.sh.

Recently Created Detections

This Month

Alert Date Author Risk Score Severity Tactic MITRE Links
Potential Zipped Exfiltration 2023/12/15 Terguttac 65 medium Collection T1074 T1074.001

Last Month

Alert Date Author Risk Score Severity Tactic MITRE Links
Potential MSFVenom PowerShell Payload Observed 2023/11/15 Terguttac 85 high Execution T1059 T1059.001
Suspicious file added to Registry run key (ps1) 2023/11/15 Terguttac 85 high Persistence T1547 T1547.001
Powershell execution via a bat file 2023/11/15 Terguttac 55 medium Execution T1059 T1059.001
Powershell Invoke-WebReqeuest Downloading .BAT file 2023/11/15 Terguttac 50 medium Execution T1059 T1059.001
Excessive Web Traffic 2023/11/14 Terguttac 25 low Discovery T1046
Web Scanner Activity - Nmap and Nikto 2023/11/15 Terguttac 35 low Discovery T1046

Two Months Ago

Alert Date Author Risk Score Severity Tactic MITRE Links
Bat files observed in HTTP traffic on unusual port 2023/10/15 Terguttac 30 low Execution T1059 T1059.003

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages