Metadata-Version: 2.1
Name: detect-droid
Version: 0.1.3
Summary: Detection Rules Optimisation Integration Deployment
Home-page: https://github.com/certeu/droid
Author: cert-eu/mlc
Author-email: services@cert.europa.eu
Requires-Python: >=3.9
Description-Content-Type: text/markdown
License-File: LICENSE
License-File: NOTICE
Requires-Dist: PyYAML ==6.0.1
Requires-Dist: pySigma ==0.11.9
Requires-Dist: ruamel.yaml ==0.18.1
Requires-Dist: azure-common ==1.1.28
Requires-Dist: azure-core ==1.30.1
Requires-Dist: azure-identity ==1.16.1
Requires-Dist: azure-mgmt-core ==1.4.0
Requires-Dist: azure-mgmt-monitor ==6.0.2
Requires-Dist: azure-mgmt-resource ==23.0.1
Requires-Dist: azure-mgmt-resourcegraph ==8.0.0
Requires-Dist: azure-mgmt-securityinsight ==1.0.0
Requires-Dist: azure-monitor-query ==1.3.0
Requires-Dist: splunk-sdk ==2.0.1
Requires-Dist: colorama ==0.4.6
Requires-Dist: python-json-logger ==2.0.7

# droid

`droid` is a PySigma wrapper that eases the adoption of [Sigma](https://sigmahq.io/) and helps enable Detection-as-Code. Its ultimate goal is to consume a repository of Sigma rules and deploy them to one or more platforms (SIEM/EDR).

The tool also supports plain SIEM/EDR search queries.

![droid workflow](./resources/droid_workflow.png)

## Features

Key features are:

1. **Validate** the syntax of Sigma rules
2. **Convert** them by applying a set of transforms per log source and platform
3. **Search** in logs and report on findings
4. **Test** the rules by leveraging Atomic Red Team™ (work in progress)
5. **Deploy** them to any compatible SIEM or EDR (e.g. Splunk, Microsoft Sentinel)
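To make the first two steps concrete, here is an added, dependency-free example of what "validate" and "convert with per-log-source, per-platform transforms" mean for a single Sigma rule. It is illustrative code written for this README, not droid's or pySigma's own implementation: the sample rule is constructed inline as the dict PyYAML would produce, and the `FIELD_TRANSFORMS` table (including the `NewProcessName` mapping for Sentinel and the `SecurityEvent` table name) is an assumption standing in for the real pySigma processing pipelines droid uses.

```python
from typing import Any

# Constructed sample Sigma rule, in the dict form PyYAML yields after parsing.
SAMPLE_RULE: dict[str, Any] = {
    "title": "Certutil URL cache download",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\certutil.exe",
            "CommandLine|contains": "urlcache",
        },
        "condition": "selection",
    },
    "level": "medium",
}

# Hypothetical field transforms keyed by (product, category, platform).
# droid's real transforms come from pySigma processing pipelines; these are illustrative.
FIELD_TRANSFORMS = {
    ("windows", "process_creation", "splunk"): {"Image": "Image", "CommandLine": "CommandLine"},
    ("windows", "process_creation", "sentinel"): {"Image": "NewProcessName", "CommandLine": "CommandLine"},
}
SUPPORTED_MODIFIERS = {"contains", "startswith", "endswith"}
CONDITION_KEYWORDS = {"and", "or", "not", "1", "all", "of", "them"}


def validate(rule: dict[str, Any]) -> list[str]:
    """Return the problems found; an empty list means the rule passes this basic syntax check."""
    problems: list[str] = []
    for key in ("title", "logsource", "detection"):
        if key not in rule:
            problems.append(f"missing required key: {key}")
    detection = rule.get("detection", {})
    condition = detection.get("condition")
    if not isinstance(condition, str):
        problems.append("detection.condition missing or not a string")
    else:
        # Every non-keyword token in the condition must name a defined selection.
        for token in condition.split():
            if token not in CONDITION_KEYWORDS and token not in detection:
                problems.append(f"condition references undefined selection: {token}")
    for name, selection in detection.items():
        if name == "condition":
            continue
        if not isinstance(selection, dict):
            problems.append(f"selection {name!r} must be a mapping of field: value")
            continue
        for field in selection:
            for modifier in field.split("|")[1:]:
                if modifier not in SUPPORTED_MODIFIERS:
                    problems.append(f"unsupported modifier {modifier!r} in {name}.{field}")
    return problems


def convert(rule: dict[str, Any], platform: str) -> str:
    """Render a rule whose condition names one selection as a query for the given platform."""
    problems = validate(rule)
    if problems:
        raise ValueError("; ".join(problems))
    ls = rule["logsource"]
    transforms = FIELD_TRANSFORMS[(ls["product"], ls["category"], platform)]
    detection = rule["detection"]
    condition = detection["condition"]
    if condition not in detection:
        raise ValueError("this example only supports a condition naming a single selection")
    clauses = []
    for field_spec, value in detection[condition].items():
        field, *mods = field_spec.split("|")
        target = transforms.get(field, field)   # apply the per-platform field rename
        mod = mods[0] if mods else "equals"
        if platform == "splunk":
            # Splunk matches with wildcards; backslashes are doubled inside quoted strings.
            v = str(value).replace("\\", "\\\\")
            pattern = {"equals": v, "contains": f"*{v}*", "startswith": f"{v}*", "endswith": f"*{v}"}[mod]
            clauses.append(f'{target}="{pattern}"')
        elif platform == "sentinel":
            # KQL verbatim literals (@"...") need no backslash escaping.
            op = {"equals": "==", "contains": "contains", "startswith": "startswith", "endswith": "endswith"}[mod]
            clauses.append(f'{target} {op} @"{value}"')
        else:
            raise ValueError(f"unknown platform: {platform}")
    if platform == "splunk":
        return " ".join(clauses)
    return "SecurityEvent | where " + " and ".join(clauses)


if __name__ == "__main__":
    print("validation problems:", validate(SAMPLE_RULE))
    for target in ("splunk", "sentinel"):
        print(f"{target}: {convert(SAMPLE_RULE, target)}")
```

The same rule yields `Image="*\\certutil.exe" CommandLine="*urlcache*"` for Splunk and a `where NewProcessName endswith ... and CommandLine contains ...` filter for Sentinel: the detection logic is written once, and the transform table absorbs the field-name and syntax differences per platform, which is the property Detection-as-Code relies on.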

## License

Licensed under the EUPL.
