Metadata-Version: 2.1
Name: detect-droid
Version: 0.2.8
Summary: Detection Rules Optimisation Integration Deployment
Home-page: https://github.com/certeu/droid
Author: cert-eu/mlc
Author-email: services@cert.europa.eu
License: "EUPL-1.2"
Requires-Python: >=3.11.8
Description-Content-Type: text/markdown
License-File: LICENSE
License-File: NOTICE
Requires-Dist: PyYAML==6.0.1
Requires-Dist: pySigma==0.11.18
Requires-Dist: ruamel.yaml==0.18.1
Requires-Dist: azure-common==1.1.28
Requires-Dist: azure-core==1.30.1
Requires-Dist: azure-identity==1.16.1
Requires-Dist: azure-mgmt-core==1.4.0
Requires-Dist: azure-mgmt-monitor==6.0.2
Requires-Dist: azure-mgmt-resource==23.0.1
Requires-Dist: azure-mgmt-resourcegraph==8.0.0
Requires-Dist: azure-mgmt-securityinsight==2.0.0b2
Requires-Dist: azure-monitor-query==1.3.0
Requires-Dist: splunk-sdk==2.0.1
Requires-Dist: colorama==0.4.6
Requires-Dist: python-json-logger==2.0.7
Requires-Dist: elasticsearch==8.14.0
Requires-Dist: requests==2.32.3

# droid

`droid` is a pySigma wrapper that eases the adoption of [Sigma](https://sigmahq.io/) and helps enable Detection-as-Code. Its goal is to consume a repository of Sigma rules and deploy them to one or more platforms (SIEM/EDR). The tool also supports plain SIEM/EDR search queries.

![droid workflow](./resources/droid_workflow.png)

## 🚀 Features

Key features are:

1. **Validate** the syntax of Sigma rules
2. **Convert** them by applying a set of transforms per log source and platform
3. **Search** in logs and report on findings
4. **Test** the rules by leveraging Atomic Red Team™ (work in progress)
5. **Deploy** them to any compatible SIEM or EDR (e.g. Splunk, Microsoft Sentinel)
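
The validate, convert and search steps above, as an added illustration in plain Python (this is not droid's or pySigma's code; droid delegates the real conversion to pySigma): a hand-rolled converter for a small Sigma subset turns a constructed `process_creation` rule into a Splunk query through a per-log-source field-mapping transform, then runs the same logic over constructed 4688-style events. The `PIPELINE` mapping, the index name and the events are assumptions, not droid configuration.

```python
"""Added illustration of a Detection-as-Code pipeline over a small Sigma subset (not droid's
or pySigma's code): validate a rule, convert it to SPL via a log-source transform, search events."""
MODIFIERS = {"", "contains", "startswith", "endswith"}   # the only Sigma modifiers handled here

# Constructed rule: the dict yaml.safe_load() would return for a Sigma YAML file.
RULE = {
    "title": "Encoded PowerShell Command",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"], "CommandLine|contains": ["-enc ", "-ec "]},
        "filter": {"ParentImage|endswith": "\\ccmexec.exe"},
        "condition": "selection and not filter",
    },
}

# Constructed per-log-source transform (an assumption, not droid's config): rename Sigma fields
# to the platform's names and pin the query to an index and event type.
PIPELINE = {("process_creation", "windows"): {
    "fields": {"Image": "NewProcessName", "ParentImage": "ParentProcessName"},
    "prefix": "index=winevent EventCode=4688"}}

# Constructed 4688-style events already in platform field names (not real logs).
EVENTS = [
    {"NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoP -enc SQBFAFgA", "ParentProcessName": "C:\\Windows\\explorer.exe"},
    {"NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -enc SQBFAFgA", "ParentProcessName": "C:\\Windows\\CCM\\CcmExec.exe"},
    {"NewProcessName": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh.exe -ec SQBFAFgA", "ParentProcessName": "C:\\Windows\\explorer.exe"},
]

def _parse_condition(cond: str):
    tokens = cond.split()   # only "selection" or "selection and not filter" are in scope
    if len(tokens) not in (1, 4) or tokens[1:3] not in ([], ["and", "not"]):
        raise ValueError(f"unsupported condition: {cond!r}")
    return tokens[0], (tokens[3] if len(tokens) == 4 else None)

def validate(rule: dict) -> list:
    """Step 1: list the rule's problems; an empty list means it passed."""
    errors = [f"missing required key: {k}" for k in ("title", "logsource", "detection") if k not in rule]
    det = rule.get("detection", {})
    if not det.get("condition"):
        return errors + ["detection.condition is required"]
    errors += [f"condition references undefined search: {t}" for t in det["condition"].split()
               if t not in ("and", "not") and t not in det]
    for name, srch in det.items():
        for spec in (srch if isinstance(srch, dict) else {}):
            if spec.partition("|")[2] not in MODIFIERS:
                errors.append(f"{name}: unsupported modifier in {spec}")
    return errors

def _terms(srch: dict, fields: dict):
    for spec, values in srch.items():   # yield (platform field, modifier, [values])
        field, _, mod = spec.partition("|")
        yield fields.get(field, field), mod, values if isinstance(values, list) else [values]

def _pipeline_for(rule: dict, pipeline: dict) -> dict:
    key = (rule["logsource"].get("category"), rule["logsource"].get("product"))
    return pipeline.get(key, {"fields": {}, "prefix": ""})

def _search_to_spl(srch: dict, fields: dict) -> str:
    clauses = []
    for field, mod, values in _terms(srch, fields):
        alts = []
        for v in (str(x).replace("\\", "\\\\").replace('"', '\\"') for x in values):   # SPL escaping
            pat = {"": v, "contains": f"*{v}*", "startswith": f"{v}*", "endswith": f"*{v}"}[mod]
            alts.append(f'{field}="{pat}"')
        clauses.append(alts[0] if len(alts) == 1 else "(" + " OR ".join(alts) + ")")
    return " ".join(clauses)   # adjacent clauses are implicitly ANDed in SPL

def convert_to_spl(rule: dict, pipeline: dict = PIPELINE) -> str:
    """Step 2: apply the log-source transform and emit a Splunk query."""
    errors = validate(rule)
    if errors:
        raise ValueError("; ".join(errors))
    cfg, det = _pipeline_for(rule, pipeline), rule["detection"]
    inc, exc = _parse_condition(det["condition"])
    query = f"{cfg['prefix']} {_search_to_spl(det[inc], cfg['fields'])}".strip()
    return query + (f" NOT ({_search_to_spl(det[exc], cfg['fields'])})" if exc else "")

def _matches(srch: dict, event: dict, fields: dict) -> bool:
    for field, mod, values in _terms(srch, fields):   # every field must match one of its values
        actual = str(event.get(field, "")).lower()   # Sigma string matching is case-insensitive
        if not any((mod == "" and actual == v) or (mod == "contains" and v in actual)
                   or (mod == "startswith" and actual.startswith(v)) or (mod == "endswith" and actual.endswith(v))
                   for v in (str(x).lower() for x in values)):
            return False
    return True

def search(rule: dict, events: list, pipeline: dict = PIPELINE) -> list:
    """Step 3: run the same logic over collected events and return the hits."""
    cfg, det = _pipeline_for(rule, pipeline), rule["detection"]
    inc, exc = _parse_condition(det["condition"])
    return [e for e in events if _matches(det[inc], e, cfg["fields"])
            and not (exc and _matches(det[exc], e, cfg["fields"]))]

if __name__ == "__main__":
    print(convert_to_spl(RULE), [e["CommandLine"] for e in search(RULE, EVENTS)], sep="\n")
```

Running the file prints the SPL and the two matching command lines; the event parented by `CcmExec.exe` is dropped by the `filter`. The same field-mapping transform is applied both to the emitted query and to the offline search, so what is tested locally is what the platform will evaluate. A real deployment relies on pySigma's backends and processing pipelines for the rest of the Sigma grammar (regular expressions, `all`, `base64offset`, aggregations), which this subset deliberately omits.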

## 🚂 Get started

To get started with the tool, visit the [documentation page](https://certeu.github.io/droid-docs/getting-started/) and configure `droid` for your environment.

## 📚 Resources

- [Sigma Unleashed: A Realistic Implementation](https://www.first.org/resources/papers/conf2024/1315-1350-Sigma-Unleashed-Mathieu-Le-Cleach.pdf)

## License

Licensed under the EUPL-1.2 (see the LICENSE and NOTICE files).
