College of Computing and Informatics
An Open-Source Endpoint Detection and Response system designed for low budget or minimal security resource organizations.
Organizations that don't have a significant security budget can find it difficult to include workstations in their monitoring scope. Forwarding logs from every workstation can be expensive because most SIEMs (Security Information and Event Management) are priced by log ingestion, and tools such as EDR (Endpoint Detection and Response) are just as expensive. This project aims to set up a series of scripts that will give organizations which cannot purchase or implement an enterprise solution the ability to log events on their endpoints. The solution targets devices running Windows, as it relies on querying Windows events with PowerShell.

The first component of this project is a rule repository where you can write Sigma rules to detect process or network events on your endpoints. The Sigma rules will be translated to PowerShell rules on the rule repository server. Every day, a script on each endpoint will reach out to the rule repository server and request any new PowerShell rules. The rules will then be run to check for a matching Windows event. There are two types of rules: process detection rules and network detection rules.

If a rule matches a process event, the script will gather forensic information about that specific process; if a rule matches a network event, the script will gather forensic information about the network connection. The information gathered in the forensics phase will be written into a custom Windows event containing all the information you would want about the process or network connection. Organizations can then set up this one event to be forwarded to their SIEM solution, or even set up email or message alerts when these events fire.
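The endpoint side of the pipeline described above, as an added example written for this page rather than the project's own agent: it polls a rule server for already-translated rules, evaluates a process detection rule against Sysmon process-creation events, gathers forensic details for each match and writes them into a custom Windows event that a SIEM forwarder or alerting task can pick up. The server URL, the JSON rule shape (name, image_contains, cmdline_contains), the Sysmon log as the event source and the custom log and source names are all assumptions.

```powershell
# Added example, not the project's code. Hypothetical rule server URL, rule
# format and custom log/source names; requires Sysmon and admin rights on first run.
$RuleServer = 'https://rules.example.internal/rules.json'   # hypothetical
$LogName    = 'OpenEDR'                                      # hypothetical custom log
$Source     = 'OpenEDR-Agent'                                # hypothetical source

# Register the custom event log and source once so Write-EventLog can use them.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

# Fetch today's rules; fall back to one constructed sample rule if the server is down.
try   { $rules = Invoke-RestMethod -Uri $RuleServer -TimeoutSec 10 }
catch { $rules = @(@{ name = 'Encoded PowerShell command line'; image_contains = 'powershell.exe'; cmdline_contains = '-enc' }) }

# Process-creation events from the last day (Sysmon Event ID 1).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'; Id = 1
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

foreach ($ev in $events) {
    # Flatten the event's XML payload into a Name -> value table.
    $d = @{}
    ([xml]$ev.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }

    foreach ($r in $rules) {
        if ($d.Image -like "*$($r.image_contains)*" -and $d.CommandLine -like "*$($r.cmdline_contains)*") {
            # Forensics phase: capture what an analyst would ask for about the process.
            $forensics = [ordered]@{
                Rule        = $r.name
                Time        = $ev.TimeCreated
                Host        = $env:COMPUTERNAME
                User        = $d.User
                Image       = $d.Image
                CommandLine = $d.CommandLine
                ParentImage = $d.ParentImage
                ParentCmd   = $d.ParentCommandLine
                Hashes      = $d.Hashes
            }
            $msg = ($forensics.GetEnumerator() | ForEach-Object { "$($_.Key): $($_.Value)" }) -join "`n"
            # One custom event per match; only this log needs forwarding to the SIEM.
            Write-EventLog -LogName $LogName -Source $Source -EventId 1001 -EntryType Warning -Message $msg
        }
    }
}
```

Schedule the script as a daily task, and point the SIEM collector or an alerting task only at the custom log instead of the full endpoint event stream.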