We offer a fully hosted web version of SIEM Rules which includes many additional features over those in this codebase. You can find out more about the web version here.
An API that takes a file containing threat intelligence and turns it into a detection rule.
- User uploads files (these are typically threat intel reports)
- The file is converted to txt (using file2txt)
- User inputs processed by txt2detection
- Objects stored in ArangoDB using stix2arango / Postgres for non STIX objects
- Objects exposed via API
# clone the latest code
git clone https://github.com/muchdogesec/siemrulesSIEM Rules has various settings that are defined in an .env file.
To create a template for the file:
cp .env.example .envTo see more information about how to set the variables, and what they do, read the .env.markdown file.
sudo docker compose buildsudo docker compose upThe webserver (Django) should now be running on: http://127.0.0.1:8008/
You can access the Swagger UI for the API in a browser at: http://127.0.0.1:8008/api/schema/swagger-ui/
SIEM Rules is made up of different core external components that support most of its functionality.
Generally if you want to improve how SIEM Rules performs functionality, you should address the changes in;
- file2txt: converts the file into a markdown file (which is used to extract data from)
- txt2detection: turns the markdown file into detection rules / STIX objects
- stix2arango: manages the logic to insert the STIX objects into the database
For anything else, then the Obstracts codebase is where you need to be :)