https://github.com/magier/dackel
Detection As Code for Kubernetes Events and Logs
https://github.com/magier/dackel
Last synced: 9 months ago
JSON representation
Detection As Code for Kubernetes Events and Logs
- Host: GitHub
- URL: https://github.com/magier/dackel
- Owner: Magier
- License: mit
- Created: 2024-11-29T20:05:46.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-12-23T20:37:56.000Z (over 1 year ago)
- Last Synced: 2025-09-11T19:34:11.863Z (10 months ago)
- Language: Python
- Homepage:
- Size: 72.3 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# Dackel
Detection As Code for Kubernetes Events and Logs
 ([source](https://www.flaticon.com/de/kostenloses-icon/hund_4787302))
A Dackel is a German hound bred to find and chase burrow-dwelling animals. It's ideal to send down rabbit holes to surfaces suitable detections.
## Feature (Ideas)
- catalog of malware, lolbins, etc. relevant for K8s security
- Convert TI blog posts to Sigma/Yara rules
- Setup malware analysis environment
- Run malicious samples and record all syscalls, K8s Api requests, etc.
- Classify the observed telemetry
- use pysigma/ [sigconverter.io](https://sigconverter.io/) to generate K8s specific rules
- use vendor repositories as sources for useful Sigma/Yara rules
- generate (Sigma) correlations from atomic detection rules
- rate the detection rate (F1, confidence, [STP](https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/))
- differenaiate between basic (uninformed) detection rules and threat-/campaign- specific rules?