droid documentation

droid is a PySigma wrapper allowing an easy adoption of Sigma and helps enabling Detection-As-Code. The ultimate goal of droid is to consume a repository Sigma rules and deploy them on one or multiple platform (SIEM/EDR).

The tool also supports native SIEM/EDR search queries.

• Set up in few minutes

  ---

  Install detect-droid with pip and get up and running in minutes

  Getting started

• Enable automation

  ---

  Enable detection content versioning and take advantage of Sigma at scale

  Sigma Unleashed: A Realistic Implementation

• Made to measure

  ---

  Standardise the detection rules on your platforms, change the rules settings and more with few lines

  Configuration

• Open Source, EUPL

  ---

  droid is licensed under the EUPL and available on GitHub

  License

Features

Key features are:

1. Validate the syntax of Sigma rules
2. Convert them by applying a set of transforms per log source and platform
3. Search in logs and report on findings
4. Test the rules by leveraging Atomic Red Team™ (work in progress)
5. Deploy them with any compatible SIEM and EDR

Supported SIEM/EDR

Info

See the list of supported platforms (SIEM/EDR) here.