Detection Rules Logo

Detection Rules

0
Free
Visit Website

Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine. This repository was first announced on Elastic's blog post, Elastic Security opens public detection rules repo. For additional content, see the accompanying webinar, Elastic Security: Introducing the public repository for detection rules. Table of Contents - Overview of this repository - Getting started - How to contribute - Licensing - Questions? Problems? Suggestions? Detection Rules contains more than just static rule files. This repository also contains code for unit testing in Python and integrating with the Detection Engine in Kibana. - detection_rules/ Python module for rule parsing, validating and packaging - etc/ Miscellaneous files, such as ECS and Beats schemas - kibana/ Python library for handling the API calls to Kibana and the Detection Engine - kql/ Python library for parsing and validating Kibana Query Language - rta/ Red Team Automation code used to emulate attacker techniques, used for red teaming exercises.

FEATURES

ALTERNATIVES

A library of adversary emulation plans to evaluate defensive capabilities against real-world threats.

Robust Python SDK and Command Line Client for interacting with IntelOwl's API.

AbuseIPDB offers tools and APIs to report and check abusive IPs, enhancing network security.

Automatic YARA rule generator based on Koodous reports with limited false positives.

A tool for tracking, scanning, and filtering yara files with distributed scanning capabilities.

Sigma is a generic and open signature format for SIEM systems and other security tools to detect and respond to threats.

Scan files or process memory for Cobalt Strike beacons and parse their configuration.

CIFv3 is the next version of the Cyber Intelligence Framework, developed against Ubuntu16, encouraging users to transition from CIFv2.