OSCD Sprint #2: How-To
Here you will find guidelines on how to prepare yourself for the sprint, where to get the required knowledge, how to pick up a task, and finally, how to share your work with the community.
Required Knowledge
Regardless of the topic you would like to work on, you will need to get yourself familiar with the GitHub flow:
- YouTube: How to Use the Github Workflow
- Official website: Understanding the GitHub flow
- Official website: Fork a repo
- Official website: About pull requests
Each task in the backlog has the required knowledge listed. You can find learning material to get the required knowledge in the following table:
| Required Knowledge | Sources |
|---|---|
| Sigma Rules | Sigma Rule Creation Guide; Sigma Workshop Slides; Sigma Workshop repository |
| Regexes | YouTube: Regex Tutorial; Medium: Regex tutorial |
| Kibana queries | YouTube: Exploring data sets with Kibana; Official website: Kibana Query Language |
| Splunk queries | YouTube: Basic Searching in Splunk; Official website: Search Tutorial |
| Atomic Red Team tests | YouTube: Atomic Red Team Training - Basics and Beyond; GitHub: Atomic Red Team Wiki |
| Python | Coursera: Getting Started with Python; Codecademy: Python; RapidAPI: Use API with Python |
| TheHive Responders | CortexDocs: Write and Submit a Responder; Releasing My First TheHive Responder; NVISO Labs: Creating TheHive Responders |
How to pick up a task
If you would like to assign yourself to one of the tasks, comment on the GitHub Issue with the specific task (usually it has a number) you are going to solve. This way, the other participants will see that you are working on that particular task, so they will pick something different and not overlap with you.
How to check that you're not doing something that is already developed
Before you begin development, double-check whether the analytic you are going to develop (Sigma rule, Atomic test) is already present in the repository. You can use the `grep` utility (on Linux/macOS) to search in the local clone of the repository:

```sh
$ grep -irH "executable name or other pattern" ./path/to/search/in
```
The equivalent on Windows with PowerShell:

```powershell
> Get-ChildItem -recurse | Select-String -pattern "some.exe" | group path | select name
```
For example, suppose you have an idea for a Sigma rule whose detection logic will include a specific executable name. The easiest way to check whether such a detection already exists in the Sigma repository ruleset is to search for that name through all the rules:

```sh
$ grep -irH "some.exe" ./sigma/rules
```

Where:
- `-i`: case-insensitive search
- `-r`: recursive search (there are many directories under the `rules` directory)
- `-H`: show the filename where the pattern was found
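A plain `grep` also matches an executable name that appears only in a rule's `references:` or `description:`, which can make you believe coverage exists when it does not. The following added example (not part of the OSCD guide or the Sigma project) narrows the check to each rule's `detection:` block; the two sample rules, `SampleTool.exe` and `OtherTool.exe`, are constructed for the demo.

```sh
#!/bin/sh
# Added example: report Sigma rules whose `detection:` block mentions PATTERN.
# Assumes a local clone where rules are *.yml files with top-level YAML keys
# (title, description, references, logsource, detection, level, ...).

# Usage: find_detection_refs PATTERN RULES_DIR  -> prints matching rule paths
find_detection_refs() {
  pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # lower-case both sides, like grep -i
  find "$2" -type f -name '*.yml' -exec awk -v pat="$pat" '
      /^[A-Za-z_]+:/ { in_det = ($1 == "detection:") }   # a new top-level key starts
      in_det && index(tolower($0), pat) { print FILENAME; exit }
  ' {} \; | sort
}

# Usage: count_detection_refs PATTERN RULES_DIR  -> number of rules already covering PATTERN
count_detection_refs() {
  find_detection_refs "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample rules (not real Sigma rules) so the script runs offline.
make_sample_rules() {
  mkdir -p "$1/process_creation"
  cat > "$1/process_creation/proc_creation_sample_tool.yml" <<'EOF'
title: Sample Tool Execution
description: Constructed rule; the executable is named in the detection block.
logsource:
    category: process_creation
detection:
    selection:
        Image|endswith: '\SampleTool.exe'
    condition: selection
EOF
  cat > "$1/process_creation/proc_creation_other_tool.yml" <<'EOF'
title: Other Tool Execution
description: Constructed rule; sampletool.exe appears only in references.
references:
    - https://example.invalid/sampletool.exe-writeup
detection:
    selection:
        Image|endswith: '\OtherTool.exe'
    condition: selection
EOF
}

# Demo run: only proc_creation_sample_tool.yml is reported, although grep -i
# would also hit proc_creation_other_tool.yml through its references entry.
demo_dir=$(mktemp -d)
make_sample_rules "$demo_dir"
find_detection_refs sampletool.exe "$demo_dir"
```

Point the second argument at `./sigma/rules` in your clone to run the same check against the real ruleset.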
How to add your contribution for a review
Create one Pull Request for each developed analytic. For example, if you've developed two Atomic Red Team tests, you should create two Pull Requests, one for each of them. The same goes for Sigma rules.
Create your Pull Requests against the following branches:
- `oscd` branch for Sigma project
- `oscd` branch for Atomic Red Team
- `feature/oscd` branch for Cortex-Analyzers (TheHive Responders repo)
Your Pull Request will be reviewed and commented on by the sprint coordinators or the authors of the projects.