Automatic detection engineering technical state compliance
Automata is a tool to detect errors early and measure the effectiveness of SIEM rules against the behaviors each rule was developed to detect. It verifies that the whole chain of collecting, parsing, and querying security data is working properly, and alerts when things don't work as intended.
Read more about Automata in our introductory blog post.
@_w0rk3r and @heyibrahimkhan are the primary authors of Automata.
Security monitoring faces a challenge that is hard to overcome: changes occur daily in a modern enterprise, some of them are not well managed, and when they are internal, the service teams usually aren't involved.
Some common examples are:

Changes in log formats
The monitored system doesn't have the required configurations applied.
Software bugs
Once a problem is identified early, SOC teams can fix it before it impacts the detection and response program.
This project uses:
To get started, you need to set up a config.py in the utils directory, based on the example config, and modify the following variables:

CALDERA_URL: The URL of the Caldera server
CALDERA_API_KEY: The API key for Caldera
deployment_type: The deployment type. Possible values: "onprem", "cloud"

Variables that should be set if using Elastic Cloud:

kibana_host: The URL to Kibana
cloud_id: Elastic Cloud ID

Variables that should be set if using Elastic on-prem:

kibana_onprem: The URL to on-prem Kibana
elasticsearch_onprem: The URL to on-prem Elasticsearch

Password variables:

http_auth_user: Elastic user
http_auth_pass: Elastic password

In the example below we'll task Automata with validating an AWS S3 detection, where logging on a bucket is disabled:
There are currently two modes of execution: Batch and Concurrent.

Batch executes a list of abilities one by one. Concurrent executes a list of abilities concurrently.

Batch mode required params:

-t: The target Caldera agent
-rf: The relations file containing the rule ID to ability ID links
-b: Batch mode switch

Example:

python .\main.py -t rkersr -rf .\relations.json -b

Concurrent mode required params:

-bc: Switch that enables the "Concurrent" execution type
-t: The target Caldera agent
-rf: The relations file containing the rule ID to ability ID links

Example:

python .\main.py -t hvozis -rf .\relations.json -bc
Automata generates a PDF report as well as a CSV file with the results of its last execution. By default, these files are stored in the directory where you ran Automata. You can specify a different output directory using the -o switch.
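A run that fails because utils/config.py is incomplete looks, from the report, much like a broken detection. The following is an added example, not Automata's own code: a pre-flight check that takes the variables listed above and reports what is missing or inconsistent for the chosen deployment_type. The dict layout, the helper names, and the sample values are assumptions made for this check.

```python
# Added example (not part of Automata): check that the variables the README
# lists for utils/config.py are present and consistent. The dict layout and
# helper names are assumptions made for this check, not Automata's own API.
ALWAYS_REQUIRED = ("CALDERA_URL", "CALDERA_API_KEY", "deployment_type",
                   "http_auth_user", "http_auth_pass")
# Variables that only apply to one deployment_type.
PER_DEPLOYMENT = {
    "cloud": ("kibana_host", "cloud_id"),
    "onprem": ("kibana_onprem", "elasticsearch_onprem"),
}


def module_to_dict(module):
    """Flatten a loaded config.py module into a dict of its public names."""
    return {k: v for k, v in vars(module).items() if not k.startswith("_")}


def validate_config(cfg):
    """Return a list of problems with a config mapping; empty means usable."""
    problems = []
    for name in ALWAYS_REQUIRED:
        if not cfg.get(name):
            problems.append(f"{name} is missing or empty")
    dtype = cfg.get("deployment_type")
    if dtype not in PER_DEPLOYMENT:
        problems.append(f'deployment_type must be "onprem" or "cloud", got {dtype!r}')
        return problems  # cannot judge the deployment-specific variables
    for name in PER_DEPLOYMENT[dtype]:
        if not cfg.get(name):
            problems.append(f"{name} is required when deployment_type is {dtype!r}")
    # Values for the other deployment type are ignored at runtime; flag them so
    # a copy-pasted config does not silently point at the wrong cluster.
    for other, names in PER_DEPLOYMENT.items():
        if other != dtype:
            problems.extend(f"{n} is set but unused for deployment_type {dtype!r}"
                            for n in names if cfg.get(n))
    return problems


if __name__ == "__main__":
    # Constructed sample: an on-prem config that forgot elasticsearch_onprem.
    sample = {
        "CALDERA_URL": "http://caldera.example.internal:8888",
        "CALDERA_API_KEY": "<placeholder-api-key>",
        "deployment_type": "onprem",
        "kibana_onprem": "https://kibana.example.internal:5601",
        "http_auth_user": "automata",
        "http_auth_pass": "<placeholder-password>",
    }
    for problem in validate_config(sample):
        print("config problem:", problem)
```

To check a real config, import utils.config and pass module_to_dict(config) to validate_config before starting a batch.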
Found this interesting? Have a question/comment/request? Let us know!