
Python library and command line tool hunting in ACE ecosystems.

Project description

ace-hunter

ace-hunter is primarily a command line tool for performing hunt validation in ACE environments. It's derived directly from the ACE Hunting System and can serve as a drop-in replacement for it with some small changes to the ACE Hunting System.

Splunk hunts are the only hunts currently supported.

Install

pip install ace_hunter

You could also git clone this repo and run python3 setup.py install inside whatever Python environment you wish. NOTE: I've only tested this with Python 3.9, but it should work for Python >= 3.7.

CLI Tool

A tool called hunt is made available on the command line after install. For legacy reasons the tool can also be found under ace-hunt.

$ hunt -h
usage: hunt [-h] [-d] {list-types,lt,list,l,verify,v,execute,e,config-query,cq,configure,c} ...

A hunting tool for ACE ecosystems.

positional arguments:
  {list-types,lt,list,l,verify,v,execute,e,config-query,cq,configure,c}
    list-types (lt)     List the types of Hunts configured.
    list (l)            List the available hunts. The format of the output is E|D type:name - description E: enabled D: disabled
    verify (v)          Verifies that all configured hunts are able to load.
    execute (e)         Execute a hunt with the given parameters.
    config-query (cq)   Query the Hunter configuration.
    configure (c)       Configure Hunter requirements.

optional arguments:
  -h, --help            show this help message and exit
  -d, --debug           Turn on debug logging.

Configure

You will need to configure ace-hunter to work with your Splunk environment, your Splunk hunt rules, and optionally your ACE environment.

Configuration items can be overridden on a system and user level. Config items take the following precedence, where items found later override earlier ones:

  1. Built in defaults.
  2. ACE settings at /opt/ace/etc/saq.hunting.ini.
  3. System level settings at /etc/ace/hunting.ini.
  4. User level settings at ~/.config/ace/hunting.ini.
  5. Special Environment Variables

Most of ace-hunter's configuration flexibility exists so it can be dropped directly into ACE, or later packaged as a much lighter ace-hunting Docker container.

Basic CLI Hunting Configuration

Below is an example of the minimum requirements for Splunk hunting with ace-hunter.

[splunk]
; ex. uri = https://your.splunk.address
uri = 
; timezone of your splunk server. ex: US/Eastern
timezone = 
username = 
password = 
; Can supply path to CA cert, yes for using system certs, no to turn off.
ssl_verification =
 
[SSL]
; SSL section is for submitting results to ACE.
; The ca_chain_path will be attempted if supplied.
; Next, systems certs used unless verify_ssl set to False.
verify_ssl = 
ca_chain_path = 
 
[hunt_type_splunk]
; Optionally specify the base location all rule directories
; will be relative to.
; Example showing that current user references will be expanded:
;detection_dir = ~/detections
; This is for convenience. SAQ_HOME or other settings can also be used.
detection_dir = 
; Comma sep list pointing to your different splunk rule dirs.
rule_dirs = hunts/splunk/hippo,hunts/splunk/cat

Easy User Level Configuration

You can easily override whatever config settings you need with the hunt configure command.

Ex: save your rules directories:

➜ hunt configure hunt_type_splunk.rule_dirs -v 'hunts/splunk/hippo,hunts/splunk/cat' 
2022-02-04 14:49:23 MacBook-Pro ace_hunter.config[1141] INFO saving passed value to hunt_type_splunk.rule_dirs to /Users/sean/.config/ace/hunting.ini
2022-02-04 14:49:23 MacBook-Pro ace_hunter.config[1141] INFO saved configuration to: /Users/sean/.config/ace/hunting.ini

Ex: save your password:

➜ hunt configure splunk.password
Enter value for splunk.password: 
2022-02-04 14:50:56 MacBook-Pro ace_hunter.config[1565] INFO saving passed value to splunk.password to /Users/sean/.config/ace/hunting.ini
2022-02-04 14:50:56 MacBook-Pro ace_hunter.config[1565] INFO saved configuration to: /Users/sean/.config/ace/hunting.ini

If the hunt tool creates or edits the user-level config at ~/.config/ace/hunting.ini, the file is made readable and writable by the current user only, so a saved password is not exposed to other local accounts.
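The following is an added example, not ace-hunter's own code, showing the two behaviours described above in working form: the layered precedence (built-in defaults, then /opt/ace/etc/saq.hunting.ini, /etc/ace/hunting.ini and ~/.config/ace/hunting.ini in that order, then environment variables) and a user-level save that creates the file owner-read/write only. The built-in default values, the ACE_HUNTER_* environment variable names, and the demo() temp-directory layout are assumptions made for the example; the README does not document them.

```python
import configparser
import os
import stat
import tempfile

# Search order from the README; later files override earlier ones.
# Precedence item 1, "built-in defaults", is the DEFAULTS dict below.
CONFIG_PATHS = [
    "/opt/ace/etc/saq.hunting.ini",                   # 2. ACE settings
    "/etc/ace/hunting.ini",                           # 3. system level
    os.path.expanduser("~/.config/ace/hunting.ini"),  # 4. user level
]

# Built-in defaults: values assumed for this example, not ace-hunter's real defaults.
DEFAULTS = {
    "splunk": {"uri": "", "timezone": "UTC", "username": "", "password": "",
               "ssl_verification": "yes"},
    "SSL": {"verify_ssl": "yes", "ca_chain_path": ""},
    "hunt_type_splunk": {"detection_dir": "", "rule_dirs": ""},
}

# 5. Environment overrides. The README does not name the variables, so this
# mapping is an assumption for the example.
ENV_OVERRIDES = {
    "ACE_HUNTER_SPLUNK_PASSWORD": ("splunk", "password"),
    "ACE_HUNTER_SPLUNK_URI": ("splunk", "uri"),
}


def _parser():
    cp = configparser.ConfigParser(interpolation=None)  # a '%' in a password must not interpolate
    cp.optionxform = str  # keep key case exactly as written
    return cp


def load_config(paths=CONFIG_PATHS, environ=None):
    """Merge defaults, the ini files in order, then environment overrides."""
    cp = _parser()
    cp.read_dict(DEFAULTS)
    cp.read(paths)  # missing files are skipped; later files override earlier ones
    environ = os.environ if environ is None else environ
    for var, (section, key) in ENV_OVERRIDES.items():
        if var in environ:
            if not cp.has_section(section):
                cp.add_section(section)
            cp.set(section, key, environ[var])
    return cp


def save_user_value(dotted_key, value, path):
    """Set section.key in the user-level ini and return the file's resulting mode bits."""
    section, key = dotted_key.split(".", 1)
    cp = _parser()
    cp.read(path)  # keep any existing user-level settings
    if not cp.has_section(section):
        cp.add_section(section)
    cp.set(section, key, value)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    # Create with mode 0600 from the first byte so a password is never world-readable,
    # then chmod in case the file already existed with looser permissions.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        cp.write(fh)
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Constructed three-layer setup in a temp dir; returns the values that won."""
    with tempfile.TemporaryDirectory() as tmp:
        system_ini = os.path.join(tmp, "etc", "hunting.ini")
        user_ini = os.path.join(tmp, "home", ".config", "ace", "hunting.ini")
        os.makedirs(os.path.dirname(system_ini))
        with open(system_ini, "w") as fh:  # constructed system-level file
            fh.write("[splunk]\nuri = https://splunk.example\n"
                     "[hunt_type_splunk]\nrule_dirs = hunts/splunk/system\n")
        # User level overrides system level for rule_dirs.
        mode = save_user_value("hunt_type_splunk.rule_dirs",
                               "hunts/splunk/hippo,hunts/splunk/cat", user_ini)
        # Environment overrides every file for the password.
        cp = load_config([system_ini, user_ini], {"ACE_HUNTER_SPLUNK_PASSWORD": "from-env"})
        return {
            "uri": cp.get("splunk", "uri"),                    # from the system file
            "rule_dirs": cp.get("hunt_type_splunk", "rule_dirs"),  # from the user file
            "password": cp.get("splunk", "password"),          # from the environment
            "timezone": cp.get("splunk", "timezone"),          # built-in default
            "user_ini_mode": mode,                             # 0o600
        }
```

Supplying the password through the environment keeps it out of every ini file; if it must be written, the owner-only mode set at creation time is what stops a brief world-readable window between create and chmod.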

TODO

  • Allow proxy settings to be configurable for flexibility. Use environment variables as needed for now.

Download files


Source Distribution

ace-hunter-1.0.2.tar.gz (32.8 kB view details)

Uploaded Source

Built Distribution

ace_hunter-1.0.2-py3-none-any.whl (35.0 kB view details)

Uploaded Python 3

File details

Details for the file ace-hunter-1.0.2.tar.gz.

File metadata

  • Download URL: ace-hunter-1.0.2.tar.gz
  • Upload date:
  • Size: 32.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.7.1 importlib_metadata/4.10.0 pkginfo/1.8.2 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.55.1 CPython/3.9.5

File hashes

Hashes for ace-hunter-1.0.2.tar.gz
Algorithm Hash digest
SHA256 1e9afe59e8a8cab6f2b183c5a676bd457dd05753c28115aedefa0a02832bc754
MD5 bdf3b133a333eb3702f5f072d35d83cd
BLAKE2b-256 4642e0eae55ead5d8139c45725e08e768aa2f05ee37895065593cb0174bcf336


File details

Details for the file ace_hunter-1.0.2-py3-none-any.whl.

File metadata

  • Download URL: ace_hunter-1.0.2-py3-none-any.whl
  • Upload date:
  • Size: 35.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.7.1 importlib_metadata/4.10.0 pkginfo/1.8.2 requests/2.25.1 requests-toolbelt/0.9.1 tqdm/4.55.1 CPython/3.9.5

File hashes

Hashes for ace_hunter-1.0.2-py3-none-any.whl
Algorithm Hash digest
SHA256 544de4fef734abf05e08656af755f0781162dc633e6a461def612778a706b5cc
MD5 353e0e6c2b283142db1f22b37ac51eeb
BLAKE2b-256 91152bc96ef070966c932bf5519153f5ca568c1e24df376760291e8736128340
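The two "File hashes" tables above are what a practitioner checks a downloaded sdist or wheel against before installing it. The following is an added example (not part of this page's project) that streams a file through SHA256, MD5 and PyPI's BLAKE2b-256 variant, compares against the expected digests in constant time, and builds a requirements line for pip's --require-hashes mode. The published digests are copied from the tables above; the artifact hashed in demo() is a constructed byte string, since the real tarball cannot be embedded here.

```python
import hashlib
import hmac
import os
import tempfile

# Digests copied from the "File hashes" tables on this page (ace-hunter 1.0.2).
PYPI_HASHES = {
    "ace-hunter-1.0.2.tar.gz": {
        "sha256": "1e9afe59e8a8cab6f2b183c5a676bd457dd05753c28115aedefa0a02832bc754",
        "md5": "bdf3b133a333eb3702f5f072d35d83cd",
        "blake2b-256": "4642e0eae55ead5d8139c45725e08e768aa2f05ee37895065593cb0174bcf336",
    },
    "ace_hunter-1.0.2-py3-none-any.whl": {
        "sha256": "544de4fef734abf05e08656af755f0781162dc633e6a461def612778a706b5cc",
        "md5": "353e0e6c2b283142db1f22b37ac51eeb",
        "blake2b-256": "91152bc96ef070966c932bf5519153f5ca568c1e24df376760291e8736128340",
    },
}


def _hasher(algorithm):
    # PyPI's "BLAKE2b-256" is BLAKE2b with a 32-byte digest, not hashlib's 64-byte default.
    if algorithm.lower() == "blake2b-256":
        return hashlib.blake2b(digest_size=32)
    return hashlib.new(algorithm)


def digests(path, algorithms):
    """Read the file once, in chunks, feeding every requested hash."""
    hashers = {a: _hasher(a) for a in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify_artifact(path, expected):
    """Return the algorithms whose digest did not match; an empty list means the file is intact."""
    actual = digests(path, expected)
    return [a for a, want in expected.items()
            if not hmac.compare_digest(actual[a].lower(), want.lower())]


def requirement_line(name, version, sha256_digests):
    """Pin for `pip install --require-hashes -r requirements.txt`, one --hash per accepted file."""
    return f"{name}=={version} " + " ".join(f"--hash=sha256:{d}" for d in sha256_digests)


def demo():
    """Constructed artifact (the bytes b'abc') against known-good and tampered digests."""
    good = {"sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
            "md5": "900150983cd24fb0d6963f7d28e17f72"}
    tampered = dict(good, sha256="0" * 64)  # simulate a swapped file
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "artifact.bin")
        with open(path, "wb") as fh:
            fh.write(b"abc")
        return verify_artifact(path, good), verify_artifact(path, tampered)
```

Pin on SHA256; the MD5 column is informational only and should not be the basis of a trust decision. With both digests in one requirements line, pip accepts either the sdist or the wheel and refuses anything else, which also covers a resolver that later picks a different file type.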

