Thanks for raising the point about building a DE framework around FOSS! There's a lot of good stuff out there that can be coupled into something custom and efficient. Some field notes:
- For CI/CD, Threat Modelling, Threat Intelligence Ingestion, Detection Modelling, and the actual framework for developing in detection-as-code - OpenTIDE is at the moment the only FOSS option - if not you need to build everything from the ground up. https://code.europa.eu/ec-digit-s2/opentide/coretide. Disclaimer: I am the maintainer of OpenTIDE.
- I would not recommend The Hive as an OS project. In the past it was a very easy recommendation, but they went full commercial with version 5, and the open source project is now effectively abandoned. In Western EU (since the Hive was very very much a French/Belgium project), there has been interest to still develop a FOSS option, and there is https://dfir-iris.org/ as the main alternative. At this point however, I would probably recommend using a ticketing interface and whatever low/no-code open source framework possible. There is also Tracecat as an open source/commercial option (https://tracecat.com/), or https://github.com/Admyral-Security/admyral. Still very early though. Catalyst SOAR is another option https://github.com/SecurityBrewery/catalyst, which looks very promising if a little light on the actual automation.
- If you recommend Elastic, I would then not necessarily point just to Sigma, but also to https://github.com/elastic/detection-rules. A lot of it should be good starting content, even if it's not as turnkey as paying for Elastic SIEM and enabling them.
- If you need a single platform, it's hard not to recommend Security Onion. https://github.com/Security-Onion-Solutions/securityonion. It comes with so many tools in a single system AND it actually has a case management interface.
- MISP is a fantastic project, but very hard to manage for many many teams. Most larger units will use a commercial TIP, which interfaces with MISP. Other FOSS TIPs like https://yeti-platform.io/, https://github.com/OpenCTI-Platform/opencti or others may work better.
Thanks for highlighting all of these projects!
I have looked into Tracecat, it seems to be getting traction.
I will look into the ones I hadn't heard of yet.
Appreciate it.