diedromeo/Threat-Intel-Playbooks

GitHub: diedromeo/Threat-Intel-Playbooks

一个跨平台检测工程库,将公开威胁映射到 MITRE ATT&CK 并提供经过验证的多平台检测规则,帮助防御者快速部署可靠的威胁检测方案。

Stars: 0 | Forks: 0

![Threat-Intel-Playbooks](https://static.pigsec.cn/wp-content/uploads/repos/cas/83/83caea9aa5c8753cdd7758c001c4934c903f68494607ac120c85b3b9d0fb4b9d.svg) # Threat-Intel-Playbooks **一个检测工程库** — 便携且经过测试的检测内容,针对 公开披露的威胁,映射到 MITRE ATT&CK 并发布到每一个主流 平台。 ![License](https://img.shields.io/badge/License-MIT-00e5ff?style=flat-square) ![CI](https://img.shields.io/github/actions/workflow/status/diedromeo/Threat-Intel-Playbooks/ci.yml?style=flat-square&label=CI) ![MITRE ATT&CK](https://img.shields.io/badge/MITRE_ATT%26CK-mapped-8b949e?style=flat-square) ![SemVer](https://img.shields.io/badge/SemVer-2.0.0-ff2d78?style=flat-square)
## 🎯 这是什么 针对此项目组合中研究的漏洞提供厂商通用的检测方案。 每个 **playbook** 都捆绑了规则、所需的遥测数据、ATT&CK 映射、 误报说明以及验证指南 — 以便防御者能够部署、调优 并信任它。 ## 🧰 覆盖范围 | 平台 | 语言 / 格式 | 目录 | |----------|-------------------|-----------| | ![Sigma](https://img.shields.io/badge/Sigma-2088FF?style=flat-square) | 通用 SIEM (YAML) | `rules/sigma/` | | ![Suricata](https://img.shields.io/badge/Suricata-EF3B2D?style=flat-square) | 网络 IDS/IPS | `rules/suricata/` | | ![YARA](https://img.shields.io/badge/YARA-004C97?style=flat-square) | 文件/内存(视情况而定) | `rules/yara/` | | ![Splunk](https://img.shields.io/badge/Splunk-000000?style=flat-square&logo=splunk&logoColor=white) | SPL | `rules/splunk/` | | ![Sentinel](https://img.shields.io/badge/Sentinel-0078D4?style=flat-square&logo=microsoftazure&logoColor=white) | KQL | `rules/sentinel/` | | ![Elastic](https://img.shields.io/badge/Elastic-005571?style=flat-square&logo=elastic&logoColor=white) | EQL / Lucene | `rules/elastic/` | ## 🗂️ Playbook 结构(契约) ``` playbooks// ├── README.md # Threat summary, ATT&CK mapping, data sources ├── rules/ │ ├── sigma/ suricata/ yara/ │ ├── splunk/ sentinel/ elastic/ ├── attack-mapping.md # MITRE ATT&CK techniques + data components ├── false-positives.md # Tuning guidance └── validation.md # How the rule was tested (linked lab / replay) ``` ## ✅ 质量标准 - 每个 Sigma 规则均通过 `sigma-cli` / `pysigma` 验证。 - 每个规则都包含 ATT&CK 技术 ID 和数据源要求。 - 检测规则已在 [CVE-Labs-2025-2026](https://github.com/diedromeo/CVE-Labs-2025-2026) / [Purple-Team-Labs](https://github.com/diedromeo/Purple-Team-Labs) 对应的实验室中进行了验证 — 杜绝 “只写”(write-only)规则。 ## 🧭 状态 ⏳ Playbook 会随每个 CVE 实验室一起添加。请参阅 [CHANGELOG.md](CHANGELOG.md)。 ## 🧭 项目组合 属于 [`diedromeo`](https://github.com/diedromeo) 安全项目组合的一部分。 ## 📄 许可证 [MIT](LICENSE)
标签:Metaprompt, Reconnaissance, SIEM规则, YARA, 云资产可视化, 威胁情报, 安全, 开发者工具, 超时处理