# fylgja

Manage your Elastic Stack threat detection ruleset through a Slack frontend.

## Features

- [Sigma](https://github.com/SigmaHQ/sigma) integration:
  - Imports the Sigma rule repository into an SQLite database
  - Search rules by keyword
  - Convert rules into Elastic SIEM format with sigma-cli
  - Upload the generated rules to Elastic
- All without leaving the Slack channel!

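
As an added illustration of the keyword-search feature (example code written for this page, not fylgja's own code), the snippet below loads three constructed sample rules into an in-memory SQLite table with a hypothetical schema and searches them the way a Slack command would. The keyword is untrusted Slack input, so the hardened query binds it as a parameter and escapes the LIKE wildcards; a string-built variant is included only to show what goes wrong without that.

```python
# Added example (not fylgja's code). Schema and sample rules are constructed
# for this page; fylgja's real table layout is not documented here.
import sqlite3

# Constructed sample rules: (id, title, description, tags).
SAMPLE_RULES = [
    ("a1", "Suspicious PowerShell Download",
     "Detects download cradles in PowerShell", "attack.execution,attack.t1059.001"),
    ("b2", "Mimikatz Command Line",
     "Detects common mimikatz arguments", "attack.credential_access,attack.t1003"),
    ("c3", "Whoami Execution",
     "Detects whoami.exe execution", "attack.discovery,attack.t1033"),
]


def build_db():
    """Create an in-memory rules table (hypothetical schema) with the sample rules."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE rules (id TEXT PRIMARY KEY, title TEXT, description TEXT, tags TEXT)"
    )
    conn.executemany("INSERT INTO rules VALUES (?, ?, ?, ?)", SAMPLE_RULES)
    conn.commit()
    return conn


def escape_like(term):
    """Escape LIKE metacharacters so '%' or '_' typed in Slack match literally."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_rules(conn, keyword, limit=20):
    """Case-insensitive substring search over title, description and tags.

    The keyword is a bound parameter, never interpolated into the SQL, and
    wildcards are escaped, so a user cannot widen or rewrite the query."""
    pattern = f"%{escape_like(keyword.strip())}%"
    return conn.execute(
        "SELECT id, title FROM rules "
        "WHERE title LIKE ? ESCAPE '\\' OR description LIKE ? ESCAPE '\\' "
        "OR tags LIKE ? ESCAPE '\\' ORDER BY title LIMIT ?",
        (pattern, pattern, pattern, limit),
    ).fetchall()


def search_rules_unsafe(conn, keyword):
    """DO NOT USE: the keyword is pasted into the SQL, so "' OR 1=1 --" or a
    bare "%" returns every rule. Kept only to contrast with search_rules."""
    return conn.execute(
        f"SELECT id, title FROM rules WHERE title LIKE '%{keyword}%' ORDER BY title"
    ).fetchall()


def format_results(rows):
    """Render a result list as a Slack mrkdwn message."""
    if not rows:
        return "No rules matched."
    return "\n".join(f"• `{rule_id}` {title}" for rule_id, title in rows)


if __name__ == "__main__":
    db = build_db()
    for kw in ("powershell", "t1003", "%", "' OR 1=1 --"):
        print(f"{kw!r}: safe={len(search_rules(db, kw))} unsafe={len(search_rules_unsafe(db, kw))}")
```

Searching for `%` or `' OR 1=1 --` returns nothing from `search_rules` but every row from `search_rules_unsafe`; a search for `_` matches only the rule whose tag contains a literal underscore.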
## Setup

### Clone Repo

```
git clone https://codeberg.org/charlottecroce/fylgja.git
cd fylgja/
```

### Install requirements

```
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
```

### Install the sigma-cli Elasticsearch plugin

```
sigma plugin install elasticsearch
```

### Create the database

```
npm run update-db
```

### YAML Configuration

- Copy the example config: `cp fylgja.example.yml fylgja.yml`
- Edit `fylgja.yml` and replace the placeholder values with your real API keys
- `fylgja.yml` now holds credentials: keep it out of version control and make it readable only by the account that runs the bot (`chmod 600 fylgja.yml`)

### Slack Configuration

- Copy the example config: `cp slack.example.yml slack.yml`
- Edit `slack.yml` and replace the placeholder values with your real server domain name

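
As an added example (written for this page, not part of fylgja), the script below runs the pre-flight checks one would want after the configuration steps above: it refuses to proceed while placeholder values remain in either file, and while `fylgja.yml`, which holds API keys, is readable by group or others. The placeholder pattern and the `.example.yml` naming it reports are assumptions based on the steps above; the files are scanned as plain text, so no YAML library is required and the real key names do not matter.

```python
# Added example, not fylgja's own code: pre-flight checks for fylgja.yml and
# slack.yml. PLACEHOLDER_RE is a hypothetical pattern (REPLACE_ME, CHANGEME or
# <angle-bracketed> values); adjust it to match the project's example files.
import os
import re
import stat
import sys

PLACEHOLDER_RE = re.compile(r"REPLACE_ME|CHANGE_?ME|<[^<>]+>", re.IGNORECASE)


def find_placeholders(text):
    """Return [(line_number, line)] for every line still carrying a placeholder."""
    return [
        (n, line.rstrip("\n"))
        for n, line in enumerate(text.splitlines(True), 1)
        if PLACEHOLDER_RE.search(line)
    ]


def mode_is_private(mode):
    """True if the permission bits grant nothing to group or others (e.g. 0600)."""
    return not (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO))


def check_config(path, require_private=True):
    """Return a list of problems with the file at `path`; an empty list means OK.

    require_private=True is for fylgja.yml, which holds API keys. slack.yml
    only carries the server domain name, so its mode is not enforced."""
    if not os.path.isfile(path):
        base, ext = os.path.splitext(path)
        return [f"{path} is missing (copy it from {base}.example{ext})"]
    problems = []
    if require_private and not mode_is_private(os.stat(path).st_mode):
        problems.append(f"{path} is readable by group/others; run: chmod 600 {path}")
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    for n, line in find_placeholders(text):
        problems.append(f"{path}:{n}: placeholder value still present: {line.strip()}")
    return problems


def main():
    problems = check_config("fylgja.yml") + check_config("slack.yml", require_private=False)
    for problem in problems:
        print(problem, file=sys.stderr)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from the repository root before starting the bot; a non-zero exit lists every remaining problem.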

> This should probably all be included in a setup script or something.

> [!IMPORTANT]
> While detection rules are stored in Elasticsearch, in my case they are managed through the Kibana API. This has not been tested on other frontend APIs.