Out-of-the-Box Detection Rules in Matano
We should include out-of-the-box detection rules in Matano so users do not have to start from scratch for detection engineering. Similar to other vendors like Elastic, Chronicle, etc., we should also include a set of open source detection rules in Matano OSS available for the community.
To get initial coverage, we can reference the rules that Sigma has and port them over to Matano's python based detection rule format. The matano sigma import tool will be useful here as well.
Detection rules to start with (popular ones from the managed log sources we support):
- [ ] AWS CloudTrail
- [ ] Okta
- [ ] GitHub
- [ ] add more
Sigma rules repo: https://github.com/SigmaHQ/sigma/tree/master/rules
Phase 1
Let's add a folder into the matano monorepo called `rules` and start adding some useful detection rules similar to how we have them in `example/detections`, that the user can then copy into their matano directory to use.
Phase 2
Create a concept of "managed detection rules" that allows users to use Matano managed detection rules without copying them, and get updates while still being able to extend/customize them in their environment. Design TBD
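To make the Phase 1 porting step concrete, here is an added example that is not part of this issue, not Matano's sigma import tool, and not SigmaHQ rule text: a small evaluator for a subset of the Sigma detection grammar, a constructed root-console-login rule written in that subset, the same logic hand-ported to Matano's `def detect(record)` shape, and a comparison over constructed CloudTrail records so a port can be checked rather than eyeballed. Assumptions: the `Record` class with `deepget` is a stand-in for Matano's record object, field names are raw CloudTrail keys, and Matano's schema mapping of those keys is not modelled.

```python
# Added example (not Matano's sigma import tool, nor SigmaHQ rule text): evaluate a
# Sigma subset and a hand-ported Matano-style detect() over the same records and
# check that they agree. Subset: exact/any-of values, the |contains modifier, and
# conditions over selection names with and/or/not and parentheses.


class Record(dict):
    """Stand-in (assumption) for Matano's record object and its deepget("a.b.c")."""

    def deepget(self, path, default=None):
        cur = self
        for part in path.split("."):
            if not isinstance(cur, dict) or part not in cur:
                return default
            cur = cur[part]
        return cur


def _value_matches(actual, expected, modifier):
    if actual is None:
        return False
    if modifier == "":
        return str(actual) == str(expected)
    if modifier == "contains":
        return str(expected) in str(actual)
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def _selection_matches(selection, record):
    # Fields within one selection are ANDed; a list of values for a field is any-of.
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(record.deepget(field), v, modifier) for v in values):
            return False
    return True


# Recursive-descent evaluation of the condition string (precedence: not > and > or).
def _parse_or(tokens, truth):
    value = _parse_and(tokens, truth)
    while tokens and tokens[0] == "or":
        tokens.pop(0)
        value = _parse_and(tokens, truth) or value
    return value


def _parse_and(tokens, truth):
    value = _parse_not(tokens, truth)
    while tokens and tokens[0] == "and":
        tokens.pop(0)
        value = _parse_not(tokens, truth) and value
    return value


def _parse_not(tokens, truth):
    if not tokens:
        raise ValueError("unexpected end of condition")
    tok = tokens.pop(0)
    if tok == "not":
        return not _parse_not(tokens, truth)
    if tok == "(":
        value = _parse_or(tokens, truth)
        if not tokens or tokens.pop(0) != ")":
            raise ValueError("unbalanced parentheses in condition")
        return value
    if tok not in truth:
        raise ValueError(f"condition references unknown selection: {tok}")
    return truth[tok]


def sigma_matches(rule, record):
    """True when the rule's detection block matches the record."""
    detection = rule["detection"]
    truth = {name: _selection_matches(sel, record)
             for name, sel in detection.items() if name != "condition"}
    tokens = detection["condition"].replace("(", " ( ").replace(")", " ) ").split()
    result = _parse_or(tokens, truth)
    if tokens:
        raise ValueError(f"trailing tokens in condition: {tokens}")
    return result


# Constructed, simplified Sigma-style rule using raw CloudTrail field names.
ROOT_CONSOLE_LOGIN = {
    "title": "AWS root account console login",
    "detection": {
        "selection": {"eventSource": "signin.amazonaws.com",
                      "eventName": "ConsoleLogin", "userIdentity.type": "Root"},
        "filter_service": {"eventType": "AwsServiceEvent"},
        "condition": "selection and not filter_service",
    },
}


def detect(record):
    """The same logic hand-ported to Matano's python detection shape."""
    return (
        record.deepget("eventSource") == "signin.amazonaws.com"
        and record.deepget("eventName") == "ConsoleLogin"
        and record.deepget("userIdentity.type") == "Root"
        and record.deepget("eventType") != "AwsServiceEvent"
    )


# Constructed CloudTrail records, trimmed to the fields the rule reads.
SAMPLE_RECORDS = [
    Record(eventID="e1", eventSource="signin.amazonaws.com", eventName="ConsoleLogin",
           eventType="AwsConsoleSignIn", userIdentity={"type": "Root"}),
    Record(eventID="e2", eventSource="signin.amazonaws.com", eventName="ConsoleLogin",
           eventType="AwsConsoleSignIn", userIdentity={"type": "IAMUser"}),
    Record(eventID="e3", eventSource="signin.amazonaws.com", eventName="ConsoleLogin",
           eventType="AwsServiceEvent", userIdentity={"type": "Root"}),
    Record(eventID="e4", eventSource="sts.amazonaws.com", eventName="GetCallerIdentity",
           eventType="AwsApiCall", userIdentity={"type": "Root"}),
]


def compare(rule, records):
    """{eventID: (sigma_result, ported_result)}; any mismatch means the port is wrong."""
    return {r["eventID"]: (sigma_matches(rule, r), detect(r)) for r in records}
```

The comparison is the useful part when porting by hand: run `compare` over a sample of real events for the log source, and any disagreement between `sigma_matches` and `detect` points at a porting mistake such as a dropped filter selection or a wrong field path. Only `e1` should fire here; `e3` is excluded by the service-event filter, which is exactly the kind of negated selection that is easy to lose in a port.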
We use gitlab, and I was in the process of building a triggered pipeline to add rules to our set when upstream sigma rules update. I should be able to commit the rules we've generated later this week (with a small run-this-to-update script). I'd also be happy to participate in the design discussions for Phase 2 whenever you have them.
I'd be happy to contribute here. I have extensive experience working with the majority of the log sources you're supporting out the box. Let me know how I can help!
I might take a crack at this, but an idea for Phase 2 could be to expose the managed detections as a Python Library (please forgive my very non-real world example with user agent)
```python
from matano_detects.AWS_CLOUDTRAIL import root_account_login  # hypothetical managed-rule package

# Environment-specific user agents to suppress
exceptions = ["I_AM_A_FALSE_POSITIVE"]


def detect(event):
    # Managed rule logic first, then the local exception
    return (
        root_account_login.rule(event)
        and event.deepget("useragent") not in exceptions
    )
```
This would let more technical customers wrap your detections with environment-specific logic, and just bump a python library version to take advantage of core logic improvements.
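The wrapper idea in the comment above, as an added example that is not part of this thread and not a real Matano API: `matano_detects` is hypothetical, so a stand-in `root_account_login` rule is defined inline. It swaps the comment's user-agent exception for a source-network-plus-MFA exception, since a user agent is chosen by whoever holds the credentials, and it fails closed on a missing or unparsable source address. Field names are raw CloudTrail keys and the `Record` class is a stand-in for Matano's record object.

```python
# Added example: managed rule + environment-specific exceptions. matano_detects does
# not exist; the stand-in below plays the role of matano_detects.AWS_CLOUDTRAIL.
import ipaddress
from types import SimpleNamespace


class Record(dict):
    """Stand-in (assumption) for Matano's record object and its deepget("a.b.c")."""

    def deepget(self, path, default=None):
        cur = self
        for part in path.split("."):
            if not isinstance(cur, dict) or part not in cur:
                return default
            cur = cur[part]
        return cur


# --- stand-in for the hypothetical managed module (would be a versioned package) ---
def _root_account_login_rule(record):
    # Successful console sign-in with root credentials (raw CloudTrail field names).
    return (
        record.deepget("eventName") == "ConsoleLogin"
        and record.deepget("userIdentity.type") == "Root"
        and record.deepget("responseElements.ConsoleLogin") == "Success"
    )


root_account_login = SimpleNamespace(
    rule=_root_account_login_rule, version="1.0.0", title="AWS root account console login"
)

# --- environment-specific layer: owned by the customer, survives library upgrades ---
# Constructed break-glass egress range; root logins from here *with* MFA are expected.
BREAK_GLASS_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def _from_break_glass(record):
    # A missing or unparsable source address is never treated as trusted.
    try:
        ip = ipaddress.ip_address(record.deepget("sourceIPAddress", ""))
    except ValueError:
        return False
    return any(ip in net for net in BREAK_GLASS_NETS)


def detect(record):
    """Managed logic first; local exceptions only narrow it, never widen it."""
    if not root_account_login.rule(record):
        return False
    expected = (
        _from_break_glass(record)
        and record.deepget("additionalEventData.MFAUsed") == "Yes"
    )
    return not expected


# Constructed records covering each branch.
SAMPLES = [
    Record(eventID="r1", eventName="ConsoleLogin", userIdentity={"type": "Root"},
           responseElements={"ConsoleLogin": "Success"}, sourceIPAddress="203.0.113.10",
           additionalEventData={"MFAUsed": "Yes"}),      # break-glass with MFA: suppressed
    Record(eventID="r2", eventName="ConsoleLogin", userIdentity={"type": "Root"},
           responseElements={"ConsoleLogin": "Success"}, sourceIPAddress="203.0.113.10",
           additionalEventData={"MFAUsed": "No"}),       # known net but no MFA: alert
    Record(eventID="r3", eventName="ConsoleLogin", userIdentity={"type": "Root"},
           responseElements={"ConsoleLogin": "Success"}, sourceIPAddress="198.51.100.7",
           additionalEventData={"MFAUsed": "Yes"}),      # unknown net: alert
    Record(eventID="r4", eventName="ConsoleLogin", userIdentity={"type": "Root"},
           responseElements={"ConsoleLogin": "Success"}, sourceIPAddress="not-an-ip",
           additionalEventData={"MFAUsed": "Yes"}),      # unparsable source: alert
    Record(eventID="r5", eventName="ConsoleLogin", userIdentity={"type": "Root"},
           responseElements={"ConsoleLogin": "Failure"}, sourceIPAddress="198.51.100.7"),  # managed rule does not fire
    Record(eventID="r6", eventName="ConsoleLogin", userIdentity={"type": "IAMUser"},
           responseElements={"ConsoleLogin": "Success"}, sourceIPAddress="203.0.113.10"),  # not root
]


def alerts(records):
    """eventIDs that survive both the managed rule and the local exceptions."""
    return [r["eventID"] for r in records if detect(r)]
```

The design point is the one-way dependency: `detect` can only make the managed rule quieter, so a library upgrade that tightens `root_account_login.rule` takes effect without touching local code, and the exception is keyed on fields an attacker with stolen root credentials cannot trivially satisfy at the same time (being inside the break-glass network and passing MFA).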
Okta published some useful detections earlier this year in collaboration with Splunk, and these have since been extended by the Chronicle team. With details readily available, this would be a great addition to the out-of-the-box rules.