rap1p1/detection-as-code
GitHub: rap1p1/detection-as-code
基于 ELK Stack 的多源日志检测工程实验室,集成 EQL/Sigma 规则、pytest 自动化测试、GitHub Actions CI 与告警富化通知,践行检测即代码工作流。
Stars: 0 | Forks: 0
# 多源日志流水线与检测即代码实验
一个生产级别的检测工程实验室,演示了多源日志摄取、ECS 规范化、带有自动化测试的检测即代码工作流程、告警富化以及 CI 集成。
## 架构
```
+-----------------+ +------------+ +------------------+ +---------+
| Windows Sysmon |---->| | | | | |
| (Winlogbeat) | | | | | | |
+-----------------+ | | | | | |
| Logstash |---->| Elasticsearch |---->| Kibana |
+-----------------+ | (ECS Map) | | (Storage) | | (UI) |
| Linux auth.log |---->| | | | | |
| Nginx access | | | | | | |
| (Filebeat) | | | | | | |
+-----------------+ | | +--------+---------+ +---------+
| | |
+-----------------+ | | v
| Mock Firewall |---->| | +--------+---------+
| (TCP/JSON) | +------------+ | Enrichment Script|
+-----------------+ | (Python) |
+--------+---------+
+------------------+ |
| GitHub Actions | v
| (CI: pytest) | +--------+---------+
+------------------+ | Telegram Notify |
| +------------------+
v
+------------------+
| rules/ + tests/ |
| (Detection-as- |
| Code repo) |
+------------------+
```
## 前置条件
- Docker 和 Docker Compose
- Python 3.10+
- Git
- (可选) 在安装了 Sysmon 的 Windows 主机上配置 Winlogbeat
## 快速开始
1. 克隆仓库:
git clone https://github.com//detection-as-code.git
cd detection-as-code
2. 启动 ELK stack:
docker-compose up -d
3. 验证服务是否正在运行:
- Elasticsearch: http://localhost:9200
- Kibana: http://localhost:5601
4. 安装 Python 依赖:
pip install -r scripts/requirements.txt
5. 运行检测规则测试:
pytest tests/ -v
## 仓库结构
```
detection-as-code/
├── .github/workflows/ GitHub Actions CI pipeline
│ └── validate-rules.yml
├── docker-compose.yml Docker Compose for ELK stack
├── logstash/
│ ├── pipelines.yml Multi-pipeline configuration
│ └── pipeline/
│ ├── 10-sysmon.conf Windows Sysmon ECS mapping
│ ├── 20-linux-auth.conf Linux auth.log parsing
│ ├── 30-nginx.conf Nginx access log parsing
│ └── 40-firewall.conf Firewall JSON log parsing
├── filebeat/
│ └── filebeat.yml Filebeat configuration
├── sample-logs/ Sample log data for testing
├── rules/
│ ├── eql/ EQL detection rules (TOML format)
│ └── sigma/ Sigma detection rules (YAML format)
├── tests/
│ ├── conftest.py Pytest fixtures
│ ├── test_rule_schema.py Schema validation tests
│ ├── test_eql_rules.py EQL rule functional tests
│ ├── test_sigma_rules.py Sigma rule functional tests
│ └── mock_data/ Test event data
├── scripts/
│ ├── enrich_alerts.py Alert enrichment (geo, threat intel)
│ ├── notify_telegram.py Telegram notification
│ └── requirements.txt Python dependencies
└── docs/
├── architecture.md Detailed architecture documentation
└── rule-development-guide.md Rule authoring guide
```
## 检测规则
### EQL 规则
EQL 规则采用 TOML 格式和结构化元数据:
| 规则 | MITRE ATT&CK | 严重性 | 日志源 |
|------|--------------|----------|------------|
| SSH 暴力破解 | T1110.001 | 高危 | Linux auth |
| Nginx SQL 注入 | T1190 | 高危 | Nginx |
| WMI 事件订阅持久化 | T1546.003 | 严重 | Sysmon |
| 可疑的出站连接 | T1571 | 中危 | Firewall |
### Sigma 规则
| 规则 | MITRE ATT&CK | 级别 | 日志源 |
|------|--------------|-------|------------|
| 可疑的 PowerShell 执行 | T1059.001 | 高危 | Windows Process Creation |
| 可疑的用户创建 + 登录 | T1136.001 | 高危 | Linux auth |
## 测试
所有检测规则都通过自动化测试进行验证,无需运行 Elasticsearch 实例:
- **Schema 校验**: 确保所有规则都具有必需的元数据字段、有效的 severity/status 枚举值、MITRE ATT&CK 映射以及唯一的 ID。
- **功能测试**: 针对模拟事件数据验证检测逻辑,同时检查真阳性检出和假阳性拒绝。
```
pytest tests/ -v
```
## CI 流水线
GitHub Actions 工作流在推送到 `rules/` 或 `tests/` 目录时触发,或针对这些目录发起 pull request 时触发。它会运行所有三个测试套件(schema、EQL、Sigma)并报告通过/失败状态。
## 告警富化
富化脚本会查询 Elasticsearch 中的近期告警,并添加:
- 通过 ip-api.com 获取 IP 地理位置(国家、城市、ISP)
- VirusTotal 信誉评分(可选,需要 API key)
- AbuseIPDB 滥用置信度评分(可选,需要 API key)
```
python scripts/enrich_alerts.py --index "logs-*" --minutes 60
python scripts/enrich_alerts.py --dry-run --index "logs-firewall-*" --minutes 30
```
## Telegram 通知
富化后的告警可以转发至 Telegram:
```
export TELEGRAM_BOT_TOKEN="your-bot-token"
export TELEGRAM_CHAT_ID="your-chat-id"
python scripts/notify_telegram.py --index "logs-*" --minutes 30
```
## 日志源与 ECS 映射
所有日志源均被规范化为 Elastic Common Schema (ECS):
| 来源 | 关键 ECS 字段 |
|--------|---------------|
| Sysmon | `process.executable`, `process.command_line`, `user.name`, `source.ip`, `destination.ip` |
| Linux auth | `source.ip`, `user.name`, `event.action`, `event.outcome` |
| Nginx | `source.ip`, `http.request.method`, `url.path`, `http.response.status_code` |
| Firewall | `source.ip`, `destination.ip`, `destination.port`, `network.transport`, `event.action` |
## 参考
- [MITRE ATT&CK 框架](https://attack.mitre.org/)
- [Elastic Common Schema](https://www.elastic.co/guide/en/ecs/current/index.html)
- [Sigma 规范](https://github.com/SigmaHQ/sigma-specification)
- [Event Query Language (EQL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql.html)
- [Logstash 过滤器插件](https://www.elastic.co/guide/en/logstash/current/filter-plugins.html)
标签:Elastic Stack, 内容过滤, 安全规则引擎, 安全运营, 开源框架, 扫描框架, 持续集成, 流量重放, 版权保护, 请求拦截, 越狱测试, 逆向工具