Threatest is a Go framework for testing threat detection end-to-end.
Threatest lets you detonate an attack technique and verify that the alert you expect was generated in your favorite security platform.
Read the announcement blog post: https://securitylabs.datadoghq.com/articles/threatest-end-to-end-testing-threat-detection/
Concepts
Detonators
A detonator describes how and where an attack technique is executed.
Supported detonators:
- Native command execution
- SSH command execution
- Stratus Red Team
- AWS detonator
Alert matchers
An alert matcher is a platform-specific integration that can check whether an expected alert was triggered.
Supported alert matchers:
Detonation and alert correlation
Every detonation is assigned a UUID. This UUID is reflected in the detonation and used to ensure that the matched alert corresponds exactly to this detonation, rather than to an older alert with the same title.
How this is done depends on the detonator; for instance, Stratus Red Team and the AWS detonator inject it into the user-agent, while the SSH detonator uses a parent process whose name contains the UUID.
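As an added illustration of the correlation idea (not Threatest's own code), the Go sketch below generates a per-detonation UUID, carries it in the user-agent, and only accepts a signal whose title, severity and UUID all match. The Signal shape, the SampleSignals response and the `threatest/<uuid>` user-agent suffix are assumptions constructed for this sketch.

```go
package main

import (
	"crypto/rand"
	"encoding/json"
	"fmt"
	"strings"
)

// Signal is a constructed stand-in for a SIEM security signal, not Datadog's real schema.
type Signal struct {
	Title      string            `json:"title"`
	Severity   string            `json:"severity"`
	Attributes map[string]string `json:"attributes"`
}

// NewDetonationID returns a random v4-style UUID that tags one detonation.
func NewDetonationID() string {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16])
}

// SampleSignals is a constructed API response: a stale signal with the expected
// title but another run's UUID, then the signal for this detonation. The UUID
// rides in the user-agent, as with Stratus Red Team and the AWS detonator.
func SampleSignals(id string) []byte {
	const tpl = `{"title":"AWS Console login without MFA","severity":"medium","attributes":{"user_agent":"aws-cli/2.0 threatest/%s"}}`
	stale := fmt.Sprintf(tpl, "00000000-0000-4000-8000-000000000000")
	return []byte("[" + stale + "," + fmt.Sprintf(tpl, id) + "]")
}

// MatchSignal reports whether a signal has the expected title and severity AND
// carries this detonation's UUID, so an older alert cannot make the test pass.
func MatchSignal(raw []byte, title, severity, id string) (bool, error) {
	var signals []Signal
	if err := json.Unmarshal(raw, &signals); err != nil {
		return false, err
	}
	for _, s := range signals {
		if s.Title == title && s.Severity == severity && strings.Contains(s.Attributes["user_agent"], id) {
			return true, nil
		}
	}
	return false, nil
}
```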
Sample usage
See examples for a full usage example.
Testing Datadog Cloud SIEM signals triggered by Stratus Red Team
```go
threatest := Threatest()

threatest.Scenario("AWS console login").
	WhenDetonating(StratusRedTeamTechnique("aws.initial-access.console-login-without-mfa")).
	Expect(DatadogSecuritySignal("AWS Console login without MFA").WithSeverity("medium")).
	WithTimeout(15 * time.Minute)

assert.NoError(t, threatest.Run())
```
Testing Datadog Cloud Workload Security signals triggered by running commands over SSH
```go
ssh, _ := NewSSHCommandExecutor("test-box", "", "")
threatest := Threatest()

threatest.Scenario("curl to metadata service").
	WhenDetonating(NewCommandDetonator(ssh, "curl http://169.254.169.254 --connect-timeout 1")).
	Expect(DatadogSecuritySignal("EC2 Instance Metadata Service Accessed via Network Utility"))

assert.NoError(t, threatest.Run())
```