You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Ypsilon is an Automated Security Use Case Testing Environment using real malware to test SIEM use cases in an closed environment. Different tools such as Ansible, Cuckoo, VirtualBox, Splunk and ELK are combined to determine the quality of a SIEM use case by testing any number of malware against a SIEM use case. Finally, a test report is generated giving insight to the quality of an use case.
Cuckoo in combination with VirtualBox is used to analyze the malware and test the use cases. The Cuckoo environment consists of analysis virtual machine, which will be infected by malware, and a SIEM virtual machine, which collects the logs and triggers the use cases. In the moment, only Splunk is supported as SIEM solution but supporting further SIEMs such as ELK is planned.
Sigma is used as the generic description language for SIEM solutions. Ansible is the heart of the Ypsilon project. Ansible controls the use case testing process consisting of the following steps:
Generating a Splunk or ELK (planned) Use Case from the generic Sigma description language by using a Sigma converter.
Preparing VirtualBox and Cuckoo
Submitting a malware to Cuckoo
Trigger the Use Case
Revert the virtual machines to a snapshot
Generate a report (in development)
Ypsilon is for Use Case development what Jenkins is for software development.
Ypsilon Project
The Ypsilon project repository consists of the Ansible playbook, which controls the automated use case testing. Furthermore, the tools needs to be configured as described in the wiki, in order to be able to control the tools.
Configuration
The configuration of the tools is described in the wiki.
Installation
The following tools need to be installed and configured: