OSCD Sprint #2: How-To

Here you will find guidelines on how to prepare for the sprint, where to get the required knowledge, how to pick up a task, and finally, how to share your work with the community.

Required Knowledge

Regardless of the topic you would like to work on, you will need to familiarize yourself with the GitHub flow:

- YouTube: How to Use the Github Workflow
- Official website: Understanding the GitHub flow
- Official website: Fork a repo
- Official website: About pull requests

Each task in the backlog has the required knowledge listed. You can find learning material to get the required knowledge in the following table:

| Required Knowledge | Sources |
|---|---|
| Sigma Rules | Sigma Rule Creation Guide; Sigma Workshop Slides; Sigma Workshop repository |
| Regexes | YouTube: Regex Tutorial; Medium: Regex tutorial |
| Kibana queries | YouTube: Exploring data sets with Kibana; Official website: Kibana Query Language |
| Splunk queries | YouTube: Basic Searching in Splunk; Official website: Search Tutorial |
| Atomic Red Team tests | YouTube: Atomic Red Team Training - Basics and Beyond; GitHub: Atomic Red Team Wiki |
| Python | Coursera: Getting Started with Python; Codecademy: Python; RapidAPI: Use API with Python |
| TheHive Responders | CortexDocs: Write and Submit a Responder; Releasing My First TheHive Responder; NVISO Labs: Creating TheHive Responders |

How to pick up a task

If you would like to assign yourself to a task, comment on the GitHub Issue, naming the specific task (it usually has a number) you are going to solve. The other participants will then see that you are working on that task and can pick something different, so that your work does not overlap.

How to check that you're not doing something that is already developed

Before you begin development, double-check whether the analytic you are going to develop (Sigma rule, Atomic test) is already present in the repository. You can use the `grep` utility (on Linux/macOS) to search in the local clone of the repository:

$ grep -irH "executable name or other pattern" ./path/to/search/in

The equivalent on Windows with PowerShell:

> Get-ChildItem -recurse | Select-String -pattern "some.exe" | group path | select name

For example, say you have an idea for a Sigma rule whose detection logic will contain a specific executable name. The easiest way to check whether such a detection is already present in the Sigma repository ruleset is to search for that name across all the rules:

$ grep -irH "some.exe" ./sigma/rules

- `-i`: case insensitive search
- `-r`: recursive search (there are many directories under the `rules` directory)
- `-H`: show the filename where the pattern was found
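
The duplicate check above, extended into a small shell function (an added example, not part of the original guide or of the Sigma project). It adds `-F` so that `some.exe` is matched literally rather than as a regular expression, limits the search to YAML files, and prints each matching file with its `title:`. The function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: list existing rule files that already mention a pattern.
# Usage: find_existing_rules PATTERN DIR
#   -F  treat PATTERN as a literal string ("some.exe" must not match "someXexe")
#   -i  case-insensitive, -r recursive, -l print only the names of matching files
#   --include restricts the search to YAML rule files
find_existing_rules() {
    pattern=$1
    dir=$2
    grep -rilF --include='*.yml' --include='*.yaml' -e "$pattern" "$dir" |
    sort |
    while IFS= read -r file; do
        # Sigma rules carry a top-level "title:" key; show it next to the path.
        title=$(sed -n 's/^title:[[:space:]]*//p' "$file" | head -n 1)
        printf '%s\t%s\n' "$file" "${title:-<no title>}"
    done
}

# Constructed sample tree standing in for ./sigma/rules (not real Sigma rules).
make_sample_rules() {
    root=$(mktemp -d)
    mkdir -p "$root/windows/process_creation"
    cat > "$root/windows/process_creation/sample_some_exe.yml" <<'EOF'
title: Constructed Sample Rule For Some.exe
detection:
    selection:
        Image|endswith: '\Some.EXE'
    condition: selection
EOF
    cat > "$root/windows/process_creation/sample_other.yml" <<'EOF'
title: Constructed Sample Rule That Must Not Match
detection:
    selection:
        Image|endswith: '\someXexe'
    condition: selection
EOF
    printf '%s\n' "$root"
}

# Demo: only the first sample rule is reported.
sample=$(make_sample_rules)
find_existing_rules "some.exe" "$sample"
rm -rf "$sample"
```

Without `-F`, the `.` in `some.exe` matches any character, so the plain `grep -irH` search would also report the second sample file.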

How to add your contribution for a review

Create one Pull Request for each of the developed analytics. For example, if you've developed two Atomic Red Team tests, you should create two Pull Requests, one for each of them. The same goes for Sigma rules.
Create your Pull Requests against the following branches:

- `oscd` branch for Sigma project
- `oscd` branch for Atomic Red Team
- `feature/oscd` branch for Cortex-Analyzers (TheHive Responders repo)

Your Pull Request will be reviewed and commented on by the coordinators of the sprint or the authors of the projects.

Get in touch with the others

Join the discussion in the GitHub Issues / Pull Requests of the project of interest, or create a new Issue with your specific question.

Updates on progression

Subscribe to email updates for the project of interest (Atomic Red Team, Sigma, or Cortex-Analyzers, the TheHive Responders repo) by clicking the "Watch" button on the repository page on GitHub and choosing the "Watching (Be notified of all conversations)" option.