Anwesh-Mahapatra/detection-rules
GitHub: Anwesh-Mahapatra/detection-rules
A collection of Sigma-based threat detection rules with a complete CI/CD pipeline that automatically converts and deploys them to Splunk, closing the detection-as-code loop.
Stars: 0 | Forks: 0
# Detection Rules
Sigma detection rules with automatic conversion and deployment to Splunk.
Built as part of a home SOC lab running on Proxmox VE on a Dell PowerEdge R720.
## Repository Structure
```
detection-rules/
│
├── rules/                          # Sigma rules organized by platform and tactic
│   ├── windows/
│   │   ├── process_creation/       # Sysmon EventCode 1
│   │   ├── registry/               # Sysmon EventCode 12, 13, 14
│   │   ├── network/                # Sysmon EventCode 3, 22
│   │   ├── credential_access/      # LSASS access, Mimikatz, etc.
│   │   ├── defense_evasion/        # Log clearing, timestomping
│   │   ├── persistence/            # Run keys, scheduled tasks
│   │   ├── lateral_movement/       # PsExec, WMI, RDP
│   │   ├── discovery/              # System info, network enumeration
│   │   └── exfiltration/           # DNS tunneling, large transfers
│   ├── cloud/
│   │   └── aws/                    # AWS CloudTrail detections
│   └── linux/                      # Linux syslog detections
│
├── scripts/
│   ├── sigma2splunk.py             # Converts Sigma to SPL, tests against live Splunk
│   └── deploy_to_splunk.py         # Deploys rules as Splunk saved searches via REST API
│
├── splunk/
│   └── savedsearches/              # Auto-generated SPL files (created by CI/CD)
│
├── tests/                          # Atomic Red Team test procedure mappings
│
├── .github/
│   └── workflows/
│       └── deploy-detections.yml   # CI/CD: auto-converts and deploys on push
│
└── docs/                           # Additional documentation
```
## Pipeline
```
Write Sigma Rule ──> Test Locally ──> Push to GitHub ──> Auto-Deploy to Splunk
     (YAML)         (sigma2splunk.py)    (git push)     (GitHub Actions + REST API)
                           │                                       │
                           ▼                                       ▼
                   Splunk validates                        Saved Search created
                   Shows hits or                           (runs every 5 minutes)
                   suggests field fixes                            │
                                                                   ▼
                                                        Alert fires ──> n8n webhook
                                                                           │
                                                                           ▼
                                                                  TheHive case created
```
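To make the last pipeline step concrete, here is an added example (not the repository's own `deploy_to_splunk.py`) that registers one converted rule as a scheduled Splunk saved search through the REST API, with the n8n webhook as its alert action. The SPL string, base URL, token and webhook URL are constructed placeholders; the form fields are Splunk's documented saved-search parameters.

```python
"""Deploy a converted Sigma rule to Splunk as a scheduled saved search (added example)."""
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample: SPL of the kind pySigma's Splunk backend emits for a Sysmon
# process-creation rule (assumed output, not a rule from this repository).
SAMPLE_NAME = "sigma_powershell_suspicious"
SAMPLE_SPL = 'index=sysmon EventCode=1 Image="*\\\\powershell.exe" CommandLine="*-EncodedCommand*"'


def saved_search_params(name, spl, webhook_url, cron="*/5 * * * *", exists=False):
    """Form body for Splunk's saved/searches endpoint (field names are Splunk's own)."""
    params = {
        "search": spl,
        "cron_schedule": cron,                    # README: saved search runs every 5 minutes
        "is_scheduled": "1",
        "dispatch.earliest_time": "-10m",         # overlap the schedule so no event is missed
        "dispatch.latest_time": "now",
        "alert_type": "number of events",
        "alert_comparator": "greater than",
        "alert_threshold": "0",                   # fire on the first matching event
        "actions": "webhook",
        "action.webhook.param.url": webhook_url,  # n8n webhook that opens the TheHive case
        "disabled": "0",
    }
    if not exists:                                # on update the name lives in the URL only
        params["name"] = name
    return params


def saved_search_url(base_url, name, exists=False, user="nobody", app="search"):
    """Collection URL for create; entity URL (name URL-encoded) for update."""
    url = f"{base_url}/servicesNS/{user}/{app}/saved/searches"
    return f"{url}/{urllib.parse.quote(name, safe='')}" if exists else url


def deploy(base_url, token, name, spl, webhook_url, opener=urllib.request.urlopen):
    """Update the saved search in place, or create it if Splunk answers 404."""
    headers = {"Authorization": f"Bearer {token}"}
    for exists in (True, False):
        body = urllib.parse.urlencode(saved_search_params(name, spl, webhook_url, exists=exists))
        url = saved_search_url(base_url, name, exists) + "?output_mode=json"
        req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
        try:
            with opener(req) as resp:
                return ("updated" if exists else "created"), json.load(resp)["entry"][0]["name"]
        except urllib.error.HTTPError as err:
            if not (exists and err.code == 404):
                raise
```

Assumes the Splunk management port (8089) with a certificate the client trusts and a token that may write saved searches in the `search` app; run it as `deploy("https://soc-stack:8089", TOKEN, SAMPLE_NAME, SAMPLE_SPL, "http://soc-stack:5678/webhook/alert")`.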
## Tools Used
| Tool | Purpose |
|------|---------|
| [Sigma](https://github.com/SigmaHQ/sigma) | Standard format for detection rules |
| [pySigma](https://github.com/SigmaHQ/pySigma) | Rule conversion engine |
| [Splunk Free](https://www.splunk.com) | SIEM: log analysis and detection |
| [Grafana + Loki](https://grafana.com) | Dashboards and log visualization |
| [TheHive](https://thehive-project.org) | Case management |
| [Cortex](https://thehive-project.org) | IOC enrichment (VirusTotal, AbuseIPDB) |
| [n8n](https://n8n.io) | SOAR automation |
| [CALDERA](https://caldera.mitre.org) | Adversary emulation (MITRE) |
| [Atomic Red Team](https://github.com/redcanaryco/atomic-red-team) | Technique-level testing |
| [Stratus Red Team](https://github.com/DataDog/stratus-red-team) | Cloud (AWS) attack simulation |
## Quick Start
### Prerequisites
- Python 3.10+
- pySigma and the Splunk backend installed:
```
pip install pySigma pySigma-backend-splunk pySigma-pipeline-sysmon PyYAML requests
```
### Convert and test a single rule
```
python scripts/sigma2splunk.py rules/windows/process_creation/powershell_suspicious.yml
```
### Convert and test all rules
```
python scripts/sigma2splunk.py --test-all
```
### Convert only (skip Splunk testing)
```
python scripts/sigma2splunk.py rules/windows/ --no-test
```
### Search a wider time range
```
python scripts/sigma2splunk.py rules/windows/credential_access/lsass_access.yml --earliest=-7d
```
## Lab Architecture
```
┌──────────────────────────────────────────────────────────┐
│ Proxmox VE — Dell PowerEdge R720                         │
│ 32 threads | 32GB RAM | ZFS RAIDZ1                       │
├──────────────────────────────────────────────────────────┤
│                                                          │
│ VM 107 — soc-stack (Ubuntu 24.04)                        │
│ ├── Splunk Free           :8000                          │
│ ├── Grafana + Loki        :3000 / :3100                  │
│ ├── TheHive + Cortex      :9000 / :9001                  │
│ ├── n8n                   :5678                          │
│ └── CALDERA               :8888                          │
│                                                          │
│ VM 106 — Win11-Baseline (Victim)                         │
│ ├── Sysmon (SwiftOnSecurity config)                      │
│ ├── Splunk Universal Forwarder → soc-stack:9997          │
│ ├── Atomic Red Team                                      │
│ └── CALDERA Sandcat Agent                                │
│                                                          │
│ VM 100 — FlareVM (Analyst Workstation)                   │
│ ├── Git + SSH → GitHub                                   │
│ ├── Python + pySigma                                     │
│ └── sigma2splunk.py (writes + tests rules)               │
│                                                          │
└──────────────────────────────────────────────────────────┘
```
## Author
**Anwesh** — Security Engineer
Building a detection engineering portfolio. Focused on SIEM, detection-as-code and security automation.
Tags: AMSI bypass, Atomic Red Team, AWS CloudTrail, Cloudflare, Conpot, DevSecOps, GitHub Actions, Home Lab, bulk IP address processing, MITRE ATT&CK, PE loader, Proxmox VE, Python, Saved Searches, Sigma rules, SOC lab, SOC automation, Splunk REST API, SPL queries, Sysmon, Windows security, YAML, upstream proxy, credential access, discovery, threat detection, subdomain permutation, security information and event management, security engineering, security library, security rule conversion, security operations, scanning framework, plugin system, search engine scraping, data breach detection, data exfiltration, no backdoor, wireless security, lateral movement, registry monitoring, privilege escalation, target import, self-hosted deployment, coding standards, cybersecurity, script development, automated deployment, automatic notes, reverse engineering tools, defense evasion, privacy protection