ypsilon: Automated Use Case Testing
ypsilon
Automated Use Case Testing
Ypsilon is an Automated Security Use Case Testing Environment using real malware to test SIEM use cases in a closed environment. Different tools such as Ansible, Cuckoo, VirtualBox, Splunk, and ELK are combined to determine the quality of a SIEM use case by testing any number of malware against a SIEM use case. Finally, a test report is generated giving insight into the quality of a use case.
Cuckoo in combination with VirtualBox is used to analyze the malware and test the use cases. The Cuckoo environment consists of analysis virtual machine, which will be infected by malware, and a SIEM virtual machine, which collects the logs and triggers the use cases. At the moment, only Splunk is supported as SIEM solution but supporting further SIEMs such as ELK is planned. Sigma is used as the generic description language for SIEM solutions. Ansible is the heart of the Ypsilon project. Ansible controls the use case testing process consisting of the following steps:
- Generating a Splunk or ELK (planned) Use Case from the generic Sigma description language by using a Sigma converter.
- Preparing VirtualBox and Cuckoo
- Submitting a malware to Cuckoo
- Trigger the Use Case
- Revert the virtual machines to a snapshot
- Generate a report (in development)
Ypsilon is for Use Case development what Jenkins is for software development.
The Ypsilon project repository consists of the Ansible playbook, which controls the automated use case testing. Furthermore, the tools need to be configured as described in the wiki, in order to be able to control the tools.
Copyright (C) 2018 P4T12ICK
Source: https://github.com/P4T12ICK/
