matanolabs / matano

Open source security data lake for threat hunting, detection & response, and cybersecurity analytics at petabyte scale on AWS
https://matano.dev
Apache License 2.0

Out-of-the-Box Detection Rules in Matano #97

Open shaeqahmed opened 1 year ago

shaeqahmed commented 1 year ago

We should include out-of-the-box detection rules in Matano so users do not have to start from scratch for detection engineering. Similar to other vendors like Elastic, Chronicle, etc., we should also include a set of open source detection rules in Matano OSS available for the community.

To get initial coverage, we can reference the rules that Sigma has and port them over to Matano's Python-based detection rule format. The Matano Sigma import tool will be useful here as well.

Detection rules to start with (popular ones from the managed log sources we support):

Sigma rules repo: https://github.com/SigmaHQ/sigma/tree/master/rules

Phase 1

Let's add a folder into the matano monorepo called rules and start adding some useful detection rules, similar to how we have them in example/detections, that the user can then copy into their Matano to use.

Phase 2

Create a concept of "managed detection rules" that allows users to use Matano managed detection rules without copying them, and get updates while still being able to extend/customize them in their environment. Design TBD.

grue commented 1 year ago

We use gitlab, and I was in the process of building a triggered pipeline to add rules to our set when upstream sigma rules update. I should be able to commit the rules we've generated later this week (with a small run-this-to-update script). I'd also be happy to participate in the design discussions for Phase 2 whenever you have them.

infosecB commented 1 year ago

I'd be happy to contribute here. I have extensive experience working with the majority of the log sources you're supporting out the box. Let me know how I can help!

rileydakota commented 1 year ago

I might take a crack at this, but an idea for Phase 2 could be to expose the managed detections as a Python Library (please forgive my very non-real world example with user agent)

from matano_detects.AWS_CLOUDTRAIL import root_account_login

# Environment-specific allow list: user agents that should never raise this alert
exceptions = ["I_AM_A_FALSE_POSITIVE"]

def detect(event):
    # Managed core logic, narrowed by local exceptions
    return (
        root_account_login.rule(event) and
        event.deepget("useragent") not in exceptions
    )

This would let more technical customers wrap your detections with environment specific logic, and just bump a python library version to take advantage of core logic improvements.
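A runnable version of the layering idea in the comment above, added here as an example and not code from the thread or from Matano: a stand-in "managed" root-login rule, a `deepget` helper, and a wrapper that applies an environment-specific exception list. The `root_account_login_rule` and `with_exceptions` names are assumptions, and the field names are raw CloudTrail JSON keys rather than Matano's normalized schema.

```python
from typing import Any, Callable, Dict, Iterable, List


def deepget(record: Dict[str, Any], path: str, default: Any = None) -> Any:
    """Walk a dotted path through nested dicts; return default if any hop is missing."""
    cur: Any = record
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def root_account_login_rule(event: Dict[str, Any]) -> bool:
    """Stand-in for a managed rule: successful AWS console login by the root user.
    Field names are raw CloudTrail keys (assumption; not Matano's normalized schema)."""
    return (
        deepget(event, "eventName") == "ConsoleLogin"
        and deepget(event, "userIdentity.type") == "Root"
        and deepget(event, "responseElements.ConsoleLogin") == "Success"
    )


def with_exceptions(rule: Callable[[Dict[str, Any]], bool], field: str,
                    allowed: Iterable[str]) -> Callable[[Dict[str, Any]], bool]:
    """Wrap a managed rule so it stays quiet when `field` matches a local allow list."""
    allowed_set = set(allowed)

    def detect(event: Dict[str, Any]) -> bool:
        return rule(event) and deepget(event, field) not in allowed_set

    return detect


# The environment-specific entrypoint, shaped like a Matano detect(event) function.
detect = with_exceptions(root_account_login_rule, "userAgent", ["I_AM_A_FALSE_POSITIVE"])

# Constructed sample events, not real CloudTrail records.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"}, "userAgent": "Mozilla/5.0"},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"}, "userAgent": "I_AM_A_FALSE_POSITIVE"},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser"},
     "responseElements": {"ConsoleLogin": "Success"}, "userAgent": "Mozilla/5.0"},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Failure"}},
]


def run(events: List[Dict[str, Any]], rule: Callable[[Dict[str, Any]], bool] = detect) -> List[bool]:
    """Evaluate a rule over a batch of events; returns one verdict per event."""
    return [rule(e) for e in events]
```

Because a user agent is client-supplied, an exception keyed on it only suppresses noise; a real allow list should key on something the environment controls, such as source IP ranges or a break-glass principal ARN.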

clintoncampbell commented 9 months ago

Okta published some useful detections earlier this year in collaboration with Splunk, and these have since been extended by the Chronicle team. With details readily available, this would be a great addition to the out-of-the-box rules.