
atc-data

The atc-data is a community-driven project designed to accumulate and describe specific data that is required by Security Operations, such as Threat Detection/Hunting and Incident Response.

It includes descriptions of event logs, network telemetry, data lists, and so on, together with a detailed description of what has to be configured and how the data has to be processed before it can be used in Security Operations.

The main advantage of the project is a clear, exact definition of where specific data is required, whether it's a Detection Rule, Response Action, or Visualisation.

The main use cases:

  • Data collection prioritization, and with that the development of Threat Detection/Hunting and Incident Response capabilities
  • Gap analysis — determining the "coverage" of existing Threat Detection/Hunting and Incident Response capabilities, depending on the data collected

The main resources:

Actionable Analytics

The ATC RE&CT project inherits the "Actionable Analytics" paradigm from the ATC project, which means that the analytics are:

  • human-readable (.md) for sharing/using in operations
  • machine-readable (.yml) for automatic processing/integrations
  • executable by Incident Response Platform (TheHive Case Templates only, at the moment)

Put simply, the analytics are stored in .yml files, which are automatically converted to .md documents (with jinja) and to .json TheHive Case Templates.

Data Needed

to be collected to produce detection of specific Threat

This entity is expected to simplify communication with SIEM/LM/Data Engineering teams. It includes the following data:

  • A sample of the raw log, to describe what data they could expect to receive/collect
  • A description of the data to collect (Platform/Type/Channel/etc.) — needed for calculating mappings to Detection Rules and for the general description
  • A list of fields — also needed for calculating mappings to Detection Rules and Response Playbooks, as well as for pivoting.csv generation

Response Action is a description of a specific atomic procedure/task that has to be executed during the Incident Response. It is an initial entity that is used to construct Response Playbooks.

Here is an example of a Response Action:

Initial YAML file

The categorization aims to improve Incident Response process maturity assessment and roadmap development.

Logging Policies

need to be configured on data source to be able to collect Data Needed

This entity is expected to explain to SIEM/LM/Data Engineering teams and IT departments which logging policies have to be configured in order to have the proper Data Needed for Detection and Response to a specific Threat. It also explains exactly how each policy can be configured.

Enrichments

for specific Data Needed which is required by some Detection Rules

This entity is expected to simplify communication with SIEM/LM/Data Engineering teams. It includes the following data:

  • A list of the Data Needed which could be enriched
  • A description of the goal of the specific Enrichment (new fields, translation, renaming, etc.)
  • An example of implementation (for example, a Logstash config)

This way you will be able to explain simply why you need specific enrichments (via the mapping to Detection Rules) and specific systems for data enrichment (for example, Logstash).

pivoting.csv

The atc-data project generates pivoting.csv, a list of all fields (from Data Needed) mapped to the description of the Data Needed they come from. It serves a very specific purpose: it tells you in which data sources a given data type (domain name, username, hash, etc.) can be found:

Example of lookup for the "hash" field

At the same time, it highlights which fields can be found only with specific enrichments:

Example of lookup for the "ParentImage" field
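As an added example (not code from the atc-data project), the script below models the two use cases described above: building pivoting.csv from Data Needed and Enrichment entities, so that a field such as "ParentImage" can be looked up and flagged as native or enrichment-only, and running the gap analysis mentioned under the main use cases, which reports which Detection Rules are fully backed by the Data Needed actually collected. The entities are constructed Python dicts that mirror the YAML structure the README describes (title, platform/type/channel, field list, and for enrichments the Data Needed they extend); the `DN_EX_`/`EN_EX_`/`DR_EX_` titles, the column layout of the CSV and the function names are assumptions made for this example.

```python
import csv
import io

# Constructed sample entities (not the project's real YAML files). Titles
# prefixed EX_ are placeholders, not identifiers from the atc-data repository.
DATA_NEEDED = [
    {
        "title": "DN_EX_windows_security_process_creation",
        "platform": "Windows", "type": "Windows Log", "channel": "Security",
        "fields": ["EventID", "Hostname", "NewProcessName", "CommandLine",
                   "SubjectUserName"],
    },
    {
        "title": "DN_EX_windows_sysmon_process_creation",
        "platform": "Windows", "type": "Windows Log",
        "channel": "Microsoft-Windows-Sysmon/Operational",
        "fields": ["EventID", "Hostname", "Image", "ParentImage",
                   "CommandLine", "Hashes", "User"],
    },
    {
        "title": "DN_EX_windows_sysmon_network_connection",
        "platform": "Windows", "type": "Windows Log",
        "channel": "Microsoft-Windows-Sysmon/Operational",
        "fields": ["EventID", "Hostname", "Image", "DestinationIp",
                   "DestinationPort", "User"],
    },
]

ENRICHMENTS = [
    {
        # Hypothetical enrichment: adds a parent process field to Security
        # process-creation events, which do not carry it natively here.
        "title": "EN_EX_parent_image_for_security_process_creation",
        "data_needed": ["DN_EX_windows_security_process_creation"],
        "new_fields": ["ParentImage"],
    },
]

DETECTION_RULES = [
    {"title": "DR_EX_suspicious_child_of_office",
     "data_needed": ["DN_EX_windows_security_process_creation",
                     "DN_EX_windows_sysmon_process_creation"]},
    {"title": "DR_EX_unusual_outbound_port",
     "data_needed": ["DN_EX_windows_sysmon_network_connection"]},
]

COLUMNS = ["field", "data_needed", "platform", "type", "channel", "enrichment"]


def build_pivoting(data_needed, enrichments):
    """Return one row per (field, Data Needed) pair.

    Native fields get an empty 'enrichment' column; a field that is only
    available after an enrichment carries that enrichment's title, which is
    how enrichment-only fields such as ParentImage are highlighted.
    """
    rows = []
    for dn in data_needed:
        for field in dn["fields"]:
            rows.append({"field": field, "data_needed": dn["title"],
                         "platform": dn["platform"], "type": dn["type"],
                         "channel": dn["channel"], "enrichment": ""})
    by_title = {dn["title"]: dn for dn in data_needed}
    for en in enrichments:
        for title in en["data_needed"]:
            dn = by_title[title]
            for field in en["new_fields"]:
                if field in dn["fields"]:
                    continue  # already native to this Data Needed
                rows.append({"field": field, "data_needed": title,
                             "platform": dn["platform"], "type": dn["type"],
                             "channel": dn["channel"],
                             "enrichment": en["title"]})
    return rows


def lookup(rows, field):
    """Case-insensitive field lookup, equivalent to grepping pivoting.csv."""
    return [r for r in rows if r["field"].lower() == field.lower()]


def pivoting_csv(rows):
    """Serialize the rows as the text of pivoting.csv."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def coverage(detection_rules, collected):
    """Gap analysis: a rule is covered only if all its Data Needed is collected."""
    collected = set(collected)
    report = {}
    for dr in detection_rules:
        missing = sorted(set(dr["data_needed"]) - collected)
        report[dr["title"]] = {"covered": not missing, "missing": missing}
    return report


if __name__ == "__main__":
    rows = build_pivoting(DATA_NEEDED, ENRICHMENTS)
    print(pivoting_csv(rows))
    for r in lookup(rows, "parentimage"):
        print(r["data_needed"], "via " + r["enrichment"] if r["enrichment"] else "native")
    print(coverage(DETECTION_RULES, ["DN_EX_windows_security_process_creation"]))
```

Running the script prints the CSV, then shows that ParentImage is native to the Sysmon process-creation Data Needed but only reachable through the hypothetical enrichment for the Security channel, and that collecting only the Security channel leaves both sample rules uncovered: the gap analysis output is the list of Data Needed still missing per rule, which is exactly the prioritization input the main use cases describe.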

Requirements

  • Python 3.7
  • PyYAML, mkdocs and jinja2 Python libraries. They can be installed with the following command:
    python3 -m pip install -r requirements.txt

Contacts

Contributors

Would you like to become one? You are very welcome! Our CONTRIBUTING guideline is a good starting point.

Roadmap

The roadmap and related discussions can be found in the project issues.

License

See the LICENSE file.
