# fylgja

Manage your Elastic Stack threat detection ruleset through a Slack frontend

## Features

- [Sigma](https://github.com/SigmaHQ/sigma) integration:
  - Imports the Sigma rule repository to an SQLite database
  - Search rules by keyword
  - Convert rules into SIEM format
  - Upload generated rules to Elastic
- All without leaving the Slack channel!

## Setup

### Clone Repo

```
git clone https://codeberg.org/charlottecroce/fylgja.git
cd fylgja/
```

### Install requirements

```
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
```

### Install sigma-cli elasticsearch plugin

```
sigma plugin install elasticsearch
```

### Create the database

```
npm run update-db
```

### YAML Configuration

- Copy the example config: `cp fylgja.example.yml fylgja.yml`
- Edit `fylgja.yml` and replace the placeholder values with your real API keys

### Slack Configuration

- Copy the example config: `cp slack.example.yml slack.yml`
- Edit `slack.yml` and replace the placeholder values with your real server domain name

> This should probably all be included in a setup script or something

> [!Important]
> While detection rules are stored in Elasticsearch, in my case they are managed through the Kibana API. This has not been tested on other frontend APIs.
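The first two Features bullets (import Sigma rules into SQLite, search them by keyword) are the part of this workflow where free text typed into a Slack channel reaches a database. The following is an added, standard-library-only example that is not fylgja's own code: it loads three constructed rule documents shaped like parsed Sigma YAML (not rules from the SigmaHQ repository), stores them in an SQLite table whose layout is an assumption here, and searches them with parameterized `LIKE` queries whose wildcards are escaped, so a user typing `%` or `_` cannot widen the match or inject SQL. Every keyword in the query must match, which is also an assumed design choice.

```python
"""Keyword index over Sigma rule documents in SQLite (added example, not fylgja's code)."""
import json
import sqlite3

# Constructed sample rules shaped like Sigma documents after YAML parsing.
# Ids, titles and detections are made up for this example.
SAMPLE_RULES = [
    {
        "id": "00000000-0000-4000-8000-000000000001",
        "title": "PowerShell Script Block Logging Disabled",
        "description": "Detects a registry change that turns off PowerShell script block logging.",
        "logsource": {"product": "windows", "category": "registry_set"},
        "detection": {
            "selection": {"TargetObject|endswith": "\\ScriptBlockLogging\\EnableScriptBlockLogging",
                          "Details": "DWORD (0x00000000)"},
            "condition": "selection",
        },
        "tags": ["attack.defense_evasion", "attack.t1562.001"],
        "level": "high",
    },
    {
        "id": "00000000-0000-4000-8000-000000000002",
        "title": "Cron Entry Referencing a World-Writable Directory",
        "description": "Detects a new cron entry whose command references /tmp or /dev/shm.",
        "logsource": {"product": "linux", "category": "file_event"},
        "detection": {"selection": {"TargetFilename|startswith": "/etc/cron"}, "condition": "selection"},
        "tags": ["attack.persistence"],
        "level": "low",
    },
    {
        "id": "00000000-0000-4000-8000-000000000003",
        "title": "Password Spraying From a Single Source",
        "description": "Detects many failed logons for distinct accounts from one source address.",
        "logsource": {"product": "windows", "service": "security"},
        "detection": {"selection": {"EventID": 4625}, "condition": "selection | count() > 20"},
        "tags": ["attack.credential_access", "attack.t1110.003"],
        "level": "medium",
    },
]

# Assumed table layout; raw_json keeps the full document for later conversion.
SCHEMA = """
CREATE TABLE IF NOT EXISTS rules (
    id TEXT PRIMARY KEY, title TEXT NOT NULL, description TEXT NOT NULL,
    product TEXT NOT NULL, category TEXT NOT NULL, level TEXT NOT NULL,
    tags TEXT NOT NULL, raw_json TEXT NOT NULL
)
"""


def build_db(rules, path=":memory:"):
    """Create the rules table and load the given rule documents into it."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    rows = []
    for rule in rules:
        src = rule.get("logsource", {})
        rows.append((rule["id"], rule["title"], rule.get("description", ""),
                     src.get("product", ""), src.get("category", ""),
                     rule.get("level", ""), " ".join(rule.get("tags", [])),
                     json.dumps(rule)))
    conn.executemany("INSERT OR REPLACE INTO rules VALUES (?, ?, ?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def _like_pattern(keyword):
    """Escape LIKE metacharacters so user-supplied text is matched literally."""
    escaped = keyword.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return f"%{escaped}%"


def search_rules(conn, query, limit=10):
    """Return rules whose title, description, product or tags contain every keyword."""
    keywords = query.split()
    if not keywords:
        return []
    clause = ("(title LIKE ? ESCAPE '\\' OR description LIKE ? ESCAPE '\\' "
              "OR product LIKE ? ESCAPE '\\' OR tags LIKE ? ESCAPE '\\')")
    params = []
    for kw in keywords:
        params.extend([_like_pattern(kw)] * 4)
    sql = ("SELECT id, title, level FROM rules WHERE " + " AND ".join([clause] * len(keywords))
           + " ORDER BY title LIMIT ?")
    params.append(limit)  # bound as a parameter, never formatted into the SQL text
    return [{"id": r[0], "title": r[1], "level": r[2]} for r in conn.execute(sql, params)]


def get_rule(conn, rule_id):
    """Return the stored rule document (for handing to a converter), or None."""
    row = conn.execute("SELECT raw_json FROM rules WHERE id = ?", (rule_id,)).fetchone()
    return json.loads(row[0]) if row else None


if __name__ == "__main__":
    db = build_db(SAMPLE_RULES)
    for hit in search_rules(db, "windows logging"):
        print(hit["level"].upper(), hit["id"], hit["title"])
```

The `raw_json` column keeps the whole document so a selected rule can be written back out as YAML and handed to `sigma convert`; the search itself stays in SQL so the Slack handler never builds query strings from user text.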