Search, create, and tune Elasticsearch SIEM detections from Slack, CLI, or Web
fylgja
Manage your Elastic Stack threat detection ruleset through a Slack frontend
Features
- Sigma integration:
  - Import the Sigma rule repository into an SQLite database
  - Search rules by keyword
  - Convert rules into SIEM format
  - Upload generated rules to Elastic
- All without leaving the Slack channel!
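As an added illustration of the search-and-convert pipeline listed above (example code written for this page, not fylgja's own; the SQLite schema, the constructed sample rules and the minimal Sigma-to-Lucene translation are assumptions, and the real tool hands conversion to sigma-cli's elasticsearch backend):

```python
import sqlite3
# Constructed sample rules in Sigma's structure (the real tool loads the Sigma repository's
# YAML files); these are not rules from the project.
SAMPLE_RULES = [
    {"id": "rule-0001", "title": "PowerShell Download Cradle", "tags": ["attack.execution"],
     "detection": {"selection": {"Image|endswith": "\\powershell.exe",
                                 "CommandLine|contains": ["DownloadString", "DownloadFile"]},
                   "condition": "selection"}},
    {"id": "rule-0002", "title": "Cron Job Modification", "tags": ["attack.persistence"],
     "detection": {"selection": {"TargetFilename|startswith": "/etc/cron"}, "condition": "selection"}},
]

def build_db(rules):
    """Load rule metadata into SQLite, as the update-db step does for the whole Sigma repo."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE rules (id TEXT PRIMARY KEY, title TEXT, tags TEXT)")
    con.executemany("INSERT INTO rules VALUES (?, ?, ?)",
                    [(r["id"], r["title"], " ".join(r["tags"])) for r in rules])
    return con

def search_rules(con, keyword):
    """Keyword search over title and tags. The keyword comes straight from a Slack message, so it
    is bound as a parameter (never formatted into the SQL) and its LIKE wildcards are escaped."""
    like = "%" + keyword.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_") + "%"
    sql = "SELECT id FROM rules WHERE title LIKE ? ESCAPE '\\' OR tags LIKE ? ESCAPE '\\' ORDER BY id"
    return [row[0] for row in con.execute(sql, (like, like))]

LUCENE_SPECIAL = set('\\+-!(){}[]^"~*?:/ ')

def lucene_escape(value):
    """Escape Lucene query-syntax characters so rule values are matched literally."""
    return "".join("\\" + c if c in LUCENE_SPECIAL else c for c in value)

def to_lucene(detection):
    """Minimal Sigma -> Lucene translation for 'condition: selection' rules; sigma-cli does the full job."""
    if detection.get("condition") != "selection":
        raise ValueError("only 'condition: selection' is handled here")
    terms = []
    for key, value in detection["selection"].items():
        field, _, modifier = key.partition("|")
        alts = []
        for v in (value if isinstance(value, list) else [value]):
            esc = lucene_escape(str(v))
            pattern = {"": esc, "contains": f"*{esc}*", "startswith": f"{esc}*", "endswith": f"*{esc}"}
            if modifier not in pattern:
                raise ValueError(f"unsupported Sigma modifier: {modifier}")
            alts.append(pattern[modifier])
        terms.append(f"{field}:({' OR '.join(alts)})" if len(alts) > 1 else f"{field}:{alts[0]}")
    return " AND ".join(terms)
```

Running `search_rules(build_db(SAMPLE_RULES), "powershell")` returns the matching rule id, and `to_lucene` on that rule's detection yields the query string that would be uploaded as a Kibana query rule.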
Setup
Clone Repo
git clone https://codeberg.org/charlottecroce/fylgja.git
cd fylgja/
Install requirements
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
Install sigma-cli elasticsearch plugin
sigma plugin install elasticsearch
Create the database
npm run update-db
YAML Configuration
- Copy the example config:
  cp fylgja.example.yml fylgja.yml
- Edit fylgja.yml and replace the placeholder values with your real API keys
Slack Configuration
- Copy the example config:
  cp slack.example.yml slack.yml
- Edit slack.yml and replace the placeholder values with your real server domain name
This should probably all be included in a setup script or something similar.
Important
While detection rules are stored in Elasticsearch, in my case they are managed through the Kibana API. This has not been tested on other frontend APIs.