abhiiibabariya-dev/threat-intelligence-blueteam
GitHub: abhiiibabariya-dev/threat-intelligence-blueteam
A community-driven, comprehensive blue-team operations platform that brings together multi-platform detection rules, threat-intelligence automation tools and zero-to-mastery training resources.
Stars: 0 | Forks: 0
# BlueShell // Threat Intelligence & Blue Team Operations Platform
**[Launch the BlueShell Web App](https://yourusername.github.io/threat-intelligence-blueteam/)** | **[View on GitHub](https://github.com/yourusername/threat-intelligence-blueteam)**
## What is BlueShell?
BlueShell is a comprehensive, community-driven security operations toolkit that provides:
- **500+ detection rules** across 14 SIEM platforms, mapped to MITRE ATT&CK
- **Zero-to-mastery training** for every SIEM, EDR, XDR and SOAR platform covered
- **Automated threat-intel fetcher** that pulls IOCs from 8 OSINT sources and generates SIEM rules
- **Hacker-themed web UI** with a terminal emulator, Matrix rain and a live threat feed
- **Blue team resources** including IR playbooks, SOC runbooks and threat hunting playbooks
## Live Web App
BlueShell ships a hacker-themed web interface with:
- Matrix rain background with a scanline effect
- Interactive terminal (type `help`, `siem`, `fetch`, `mitre`)
- Simulated live threat feed
- MITRE ATT&CK coverage heat map
- Platform navigation for all content
**To run locally:**
```
cd /path/to/threat-intelligence-blueteam
# --bind keeps the dev server on loopback; without it http.server listens on all interfaces
python3 -m http.server 8080 --bind 127.0.0.1
# open http://localhost:8080
```
**To deploy on GitHub Pages:**
1. Push this repository to GitHub
2. Go to Settings > Pages
3. Source: deploy from the `main` branch, folder `/ (root)`
4. Your site will be available at `https://yourusername.github.io/threat-intelligence-blueteam/`
## Platform Coverage
### SIEM Platforms (14) - Rules + Training
| Platform | Rules | Training | Query Language |
|----------|-------|----------|----------------|
| Splunk | 9 SPL files + correlations + dashboards | Zero to Mastery | SPL |
| Microsoft Sentinel | 6 KQL analytics rules + hunting queries | Zero to Mastery | KQL |
| IBM QRadar | 5 AQL + XML correlations + reference sets | Zero to Mastery | AQL |
| Elastic SIEM | 8 TOML + 4 EQL + dashboards | Zero to Mastery | KQL / EQL |
| Google Chronicle | 5 YARA-L rules | Zero to Mastery | YARA-L 2.0 |
| ArcSight ESM | XML correlation rules + FlexConnectors | Zero to Mastery | CEF |
| FortiSIEM | XML detection rules | Zero to Mastery | FortiSIEM QL |
| **Wazuh** | **10 XML rule files (90+ rules)** + decoders + active response | Zero to Mastery | XML Rules |
| **Exabeam Fusion** | **7 YAML rule files** (UEBA insider threat) | Zero to Mastery | Correlation YAML |
| **LogRhythm** | **7 YAML (AI Engine: statistical, behavioral, threshold, unique, trend)** | Zero to Mastery | AI Engine |
| **Securonix** | **6 Spotter queries + 2 threat models** | Zero to Mastery | Spotter |
| **McAfee ESM / Trellix** | **XML correlation rules** | Zero to Mastery | ESM Rules |
| **LogPoint** | **6 LPQL query files** | Zero to Mastery | LPQL |
| **Rapid7 InsightIDR** | **6 LEQL query files** | Zero to Mastery | LEQL |
### EDR Platforms (4)
| Platform | Content | Training |
|----------|---------|----------|
| CrowdStrike Falcon | Custom IOA rules (YAML) + FQL queries | Zero to Mastery |
| Microsoft Defender for Endpoint | Custom detections (JSON) + KQL queries | Zero to Mastery |
| SentinelOne | STAR rules (JSON) + Deep Visibility queries | Zero to Mastery |
| Carbon Black | Watchlists + threat feeds | Zero to Mastery |
### XDR Platforms (3)
| Platform | Content | Training |
|----------|---------|----------|
| Palo Alto Cortex XDR | 20+ XQL hunting queries | Zero to Mastery |
| Microsoft 365 Defender | 20+ cross-workload KQL queries | Zero to Mastery |
| Trend Micro Vision One | 10 detection models (YAML) | Zero to Mastery |
### SOAR Platforms (7)
| Platform | Content | Training |
|----------|---------|----------|
| Splunk SOAR | Python phishing playbook | Zero to Mastery |
| Sentinel SOAR | Logic Apps guide | Zero to Mastery |
| Palo Alto XSOAR | Playbook YAML + integration template | Zero to Mastery |
| QRadar SOAR | Playbook guide | Zero to Mastery |
| Shuffle (open source) | Wazuh integration workflows | Zero to Mastery |
| TheHive + Cortex | Analyzer/responder templates | Zero to Mastery |
| FortiSOAR | Playbook guide | Zero to Mastery |
### AV / EPP
| Platform | Content |
|----------|---------|
| Windows Defender AV | ASR rules reference + training |
| EDR/XDR/AV | Comparison matrix |
## Tools
### Automated Threat Intelligence Fetcher
```
pip install -r tools/requirements.txt
# Fetch IOCs from all OSINT feeds
python tools/threat-intel-fetcher.py --all --format json
# Generate SIEM rules from the fetched IOCs
python tools/siem-rule-generator.py --input output/threat_intel.json --platforms all
```
**Supported sources:** abuse.ch (URLhaus, MalwareBazaar, ThreatFox, FeodoTracker), AlienVault OTX, MITRE ATT&CK, NIST NVD, CISA KEV
**Rule generation targets:** all 14 SIEM platforms
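The two commands above describe a fetch-then-generate pipeline but not how the indicators get from a feed into a query. The following is an added example, not the repository's own `threat-intel-fetcher.py` or `siem-rule-generator.py` (whose internals are not shown on this page): it validates records shaped like an abuse.ch ThreatFox `get_iocs` response and renders the surviving IOCs as Splunk SPL, Microsoft Sentinel KQL and Wazuh XML. The sample feed, the confidence floor, the Wazuh rule IDs and the CIM/CommonSecurityLog field names are assumptions for the example. The part a practitioner should not skip is the validation step: a threat feed is untrusted input, and an indicator string that is pasted into SPL or KQL unvalidated is a query-injection vector into your own SIEM.

```python
"""Added example, not the repository's own fetcher/generator: validate feed
records shaped like an abuse.ch ThreatFox `get_iocs` response, then render
the surviving IOCs as Splunk SPL, Microsoft Sentinel KQL and Wazuh XML."""
import ipaddress
import json
import re
from urllib.parse import urlparse
from xml.sax.saxutils import escape

# Constructed sample shaped like the ThreatFox API response (field names from
# its public API; every indicator value below is made up for this example).
SAMPLE_FEED = json.dumps({"query_status": "ok", "data": [
    {"ioc": "203.0.113.10:4444", "ioc_type": "ip:port", "threat_type": "botnet_cc",
     "malware_printable": "Cobalt Strike", "confidence_level": 100},
    {"ioc": "198.51.100.7:443", "ioc_type": "ip:port", "threat_type": "botnet_cc",
     "malware_printable": "Emotet", "confidence_level": 50},        # below the floor
    {"ioc": "loader.example.net", "ioc_type": "domain", "threat_type": "payload_delivery",
     "malware_printable": "Emotet", "confidence_level": 75},
    {"ioc": "http://loader.example.net/x.exe", "ioc_type": "url", "threat_type": "payload_delivery",
     "malware_printable": "Emotet", "confidence_level": 75},
    {"ioc": "0123456789abcdef0123456789abcdef", "ioc_type": "md5_hash", "threat_type": "payload",
     "malware_printable": "Emotet", "confidence_level": 100},
    # Poisoned record: a feed is untrusted input, and this string would break
    # or inject into an SPL search if it were pasted into a query unvalidated.
    {"ioc": 'evil" OR index=* | delete', "ioc_type": "domain", "threat_type": "payload_delivery",
     "malware_printable": "junk", "confidence_level": 100},
]})

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
HASH_LEN = {"md5_hash": 32, "sha1_hash": 40, "sha256_hash": 64}


def _is_host(h):
    if DOMAIN_RE.match(h):
        return True
    try:
        ipaddress.ip_address(h)
        return True
    except ValueError:
        return False


def normalise(raw_json, min_confidence=75):
    """Return validated IOCs keyed by kind. The strict syntax checks are the
    allow-list that keeps arbitrary feed text out of the generated queries."""
    out = {"ip": set(), "domain": set(), "url": set(), "hash": set()}
    for rec in json.loads(raw_json).get("data", []):
        if int(rec.get("confidence_level", 0)) < min_confidence:
            continue
        ioc, kind = str(rec.get("ioc", "")).strip(), rec.get("ioc_type", "")
        try:
            if kind == "ip:port":
                ip, _port = ioc.rsplit(":", 1)
                out["ip"].add(str(ipaddress.ip_address(ip)))
            elif kind == "domain" and DOMAIN_RE.match(ioc.lower()):
                out["domain"].add(ioc.lower())
            elif kind == "url":
                p = urlparse(ioc)
                if p.scheme in ("http", "https") and _is_host(p.hostname or ""):
                    out["url"].add(ioc)
            elif kind in HASH_LEN and re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN[kind], ioc.lower()):
                out["hash"].add(ioc.lower())
        except ValueError:
            pass  # malformed IP/URL: drop it rather than emit a broken rule
    return {k: sorted(v) for k, v in out.items()}


def splunk_spl(iocs):
    """SPL over CIM-style fields (dest_ip from Network Traffic, query from
    Network Resolution); adjust the field names to your own sourcetypes."""
    q = lambda xs: ", ".join('"%s"' % x for x in xs)
    clauses = []
    if iocs["ip"]:
        clauses.append("dest_ip IN (%s)" % q(iocs["ip"]))
    if iocs["domain"]:
        clauses.append("query IN (%s)" % q(iocs["domain"]))
    if not clauses:
        return None  # nothing to search for; do not emit an always-true search
    return ("index=* earliest=-24h (%s)\n"
            "| stats count min(_time) AS first_seen max(_time) AS last_seen BY src_ip dest_ip query"
            % " OR ".join(clauses))


def sentinel_kql(iocs):
    """KQL over CommonSecurityLog (CEF firewall/proxy data); json.dumps yields
    a correctly quoted JSON array for the dynamic() literal."""
    return ("let bad_ips = dynamic(%s);\nlet bad_domains = dynamic(%s);\n"
            "CommonSecurityLog\n| where TimeGenerated > ago(24h)\n"
            "| where DestinationIP in (bad_ips) or DestinationHostName in (bad_domains)\n"
            "| summarize hits = count(), first_seen = min(TimeGenerated), last_seen = max(TimeGenerated)\n"
            "    by SourceIP, DestinationIP, DestinationHostName"
            % (json.dumps(iocs["ip"]), json.dumps(iocs["domain"])))


def wazuh_rules(iocs, base_id=100200):
    """One Wazuh rule per C2 IP; <dstip> is a built-in rule field and IDs
    100000-120000 are the range Wazuh reserves for custom rules."""
    rules = []
    for i, ip in enumerate(iocs["ip"]):
        rules.append('  <rule id="%d" level="12">\n    <if_group>firewall</if_group>\n'
                     '    <dstip>%s</dstip>\n    <description>Connection to threat-intel listed C2 %s</description>\n'
                     '    <mitre><id>T1071</id></mitre>\n  </rule>' % (base_id + i, escape(ip), escape(ip)))
    return '<group name="threat_intel,">\n%s\n</group>' % "\n".join(rules)


if __name__ == "__main__":
    iocs = normalise(SAMPLE_FEED)
    print(json.dumps(iocs, indent=2))
    for name, text in (("SPL", splunk_spl(iocs)), ("KQL", sentinel_kql(iocs)), ("Wazuh", wazuh_rules(iocs))):
        print("--- %s ---\n%s" % (name, text))
```

Run it as-is and the poisoned domain and the low-confidence IP are both absent from every generated query; the only way feed text reaches a rule is after it has matched a strict IP, domain, URL or hex-hash shape. Rules produced this way are still raw IOC matches: give them an expiry (the IOC lifecycle guide under `threat-intelligence/ioc-management/` covers this) and tune them against your own traffic before they page anyone.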
## Blue Team Resources
| Resource | Description |
|----------|-------------|
| **Rule Creation Guide** | Detection-as-code, Sigma format, testing, lifecycle, metrics |
| **IR Playbooks** | 8 playbooks: Phishing, Ransomware, Data Breach, Insider Threat, DDoS, Supply Chain, Cloud, BEC |
| **Alert Triage Guide** | 5-minute triage framework, severity matrix, investigation checklist |
| **SOC Runbooks** | Daily operations, shift handover, hunting cadence, escalation matrix |
| **Threat Hunting** | 12 hypothesis-driven playbooks with SPL + KQL queries |
| **SOAR Comparison** | Side-by-side comparison matrix of all 7 SOAR platforms |
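The rule creation guide lists "Sigma format" and "testing" as steps of detection-as-code, and the web app's ATT&CK heat map is built from rule-to-technique mappings. As an added example that is not the repository's guide or any of its rules, the Python below evaluates a minimal Sigma-style rule (a constructed encoded-PowerShell detection in Sysmon process-creation field names, with a hypothetical `sccm_agent.exe` tuning exclusion) against constructed events, gates the rule on labelled true-positive and benign cases, and pulls the `attack.tXXXX` tags into the per-technique mapping a coverage heat map would be drawn from. Only the `contains`, `startswith` and `endswith` modifiers and the `selection` / `selection and not filter` condition forms are implemented; that subset is an assumption of the example, not a description of Sigma.

```python
"""Added example (not the repository's rule guide or rules): a Sigma-style rule
evaluated over constructed Windows process events, a detection-as-code test
gate, and ATT&CK technique extraction for a coverage matrix."""
import re

# Constructed rule in Sigma's field layout, using Sysmon Event ID 1 field names.
RULE = {
    "title": "Encoded PowerShell Command",
    "tags": ["attack.execution", "attack.t1059.001", "attack.defense_evasion", "attack.t1027"],
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
                      "CommandLine|contains": ["-enc", "-encodedcommand"]},
        "filter": {"ParentImage|endswith": "\\sccm_agent.exe"},  # hypothetical tuning exclusion
        "condition": "selection and not filter",
    },
}

# Constructed events: a true positive, a benign process, and a hit the filter excludes.
EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\a\\notes.txt", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh.exe -EncodedCommand VwByAGkAdABlAA==", "ParentImage": "C:\\Program Files\\SCCM\\sccm_agent.exe"},
]
EXPECTED = [True, False, False]  # the labels the rule must reproduce before it ships


def _match_one(value, modifier, pattern):
    v, p = str(value).lower(), str(pattern).lower()  # Sigma string matching is case-insensitive
    if modifier == "contains":
        return p in v
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    return v == p


def _block_matches(event, block):
    """Every field in a block must match (AND); a list of values is an OR."""
    for key, patterns in block.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        patterns = patterns if isinstance(patterns, list) else [patterns]
        if not any(_match_one(event[field], modifier, p) for p in patterns):
            return False
    return True


def evaluate(rule, event):
    """True when the event satisfies the rule's condition."""
    det = rule["detection"]
    m = re.fullmatch(r"(\w+)(?: and not (\w+))?", det["condition"])
    if not m:
        raise ValueError("condition form not supported by this example: %r" % det["condition"])
    hit = _block_matches(event, det[m.group(1)])
    if hit and m.group(2):
        hit = not _block_matches(event, det[m.group(2)])
    return hit


def run_tests(rule, events, expected):
    """Detection-as-code gate: (all verdicts matched, actual verdicts)."""
    results = [evaluate(rule, e) for e in events]
    return results == expected, results


def attack_coverage(rules):
    """Map ATT&CK technique ID -> rule titles from Sigma 'attack.tXXXX[.YYY]' tags."""
    cov = {}
    for r in rules:
        for tag in r.get("tags", []):
            m = re.fullmatch(r"attack\.(t\d{4}(?:\.\d{3})?)", tag)
            if m:
                cov.setdefault(m.group(1).upper(), []).append(r["title"])
    return cov


if __name__ == "__main__":
    ok, verdicts = run_tests(RULE, EVENTS, EXPECTED)
    print("rule passes its tests:", ok, verdicts)
    print("coverage:", attack_coverage([RULE]))
```

The benign and filter-excluded events are the half of the test set that usually gets skipped; a rule with no negative cases cannot tell you when a later tuning change silently widens it. For converting real Sigma rules into the platform languages in the tables above, the `sigma-cli` tool and the `pySigma` library exist for that purpose and handle the full Sigma condition grammar that this example deliberately does not.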
## 目录结构
```
blueshell/
├── index.html # Web app (GitHub Pages root)
├── css/hacker.css # Hacker terminal theme
├── js/app.js # Web app logic
├── tools/ # Automation tools
│ ├── threat-intel-fetcher.py # OSINT IOC fetcher
│ ├── siem-rule-generator.py # Multi-SIEM rule generator
│ └── feed-config.yaml # Feed configuration
├── siem-rules/ # 14 SIEM platforms
│ ├── splunk/ # SPL rules + training
│ ├── microsoft-sentinel/ # KQL rules + training
│ ├── ibm-qradar/ # AQL rules + training
│ ├── elastic-siem/ # TOML/EQL rules + training
│ ├── chronicle/ # YARA-L rules + training
│ ├── arcsight/ # XML rules + training
│ ├── fortisiem/ # XML rules + training
│ ├── wazuh/ # XML rules + decoders + training
│ ├── exabeam-fusion/ # YAML rules + training
│ ├── logrhythm/ # AI Engine rules + training
│ ├── securonix/ # Spotter queries + training
│ ├── mcafee-esm/ # XML correlation + training
│ ├── logpoint/ # LPQL queries + training
│ └── insightidr/ # LEQL queries + training
├── edr-rules/ # 4 EDR platforms
│ ├── crowdstrike-falcon/ # IOA rules + training
│ ├── microsoft-defender-endpoint/ # KQL + training
│ ├── sentinelone/ # STAR rules + training
│ ├── carbon-black/ # Watchlists + training
│ └── antivirus-epp/ # AV comparison + Windows Defender
├── xdr-rules/ # 3 XDR platforms
│ ├── palo-alto-cortex-xdr/ # XQL queries + training
│ ├── microsoft-365-defender/ # KQL queries + training
│ └── trend-micro-vision-one/ # Detection models + training
├── soar/ # 7 SOAR platforms
│ ├── splunk-soar/ # Python playbooks + training
│ ├── sentinel-soar/ # Logic Apps + training
│ ├── palo-alto-xsoar/ # YAML playbooks + training
│ ├── qradar-soar/ # Training
│ ├── shuffle-soar/ # Wazuh workflows + training
│ ├── thehive-cortex/ # Analyzers + training
│ ├── fortisoar/ # Training
│ └── general/ # SOAR comparison + fundamentals
├── blue-team-resources/ # SOC operations
│ ├── detection-engineering/ # Rule creation guide
│ ├── incident-response/ # 8 IR playbooks
│ ├── alert-triage/ # Triage methodology
│ └── soc-runbooks/ # Daily SOC operations
└── threat-intelligence/ # TI resources
├── ioc-management/ # IOC lifecycle guide
├── mitre-attack-mapping/ # Coverage matrix
└── threat-hunting/ # 12 hunting playbooks
```
## License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
## Disclaimer
All content is provided as-is for educational and operational reference. Detection rules require testing, validation and tuning before production deployment. The author accepts no liability for any issues arising from the use of this content.
**Built for the blue team community** | MITRE ATT&CK v15 | 186+ files | 14 SIEMs | 4 EDRs | 3 XDRs | 7 SOARs