PurpleLab is an efficient and readily deployable lab solution, providing a swift setup for cybersecurity professionals to test detection rules and undertake various security tasks, all accessible through a user-friendly web interface.
<!-- Improved compatibility of back to top link -->
<a id="readme-top"></a>
<!-- PROJECT LOGO -->
<br />
<div align="center">
<a href="https://github.com/Krook9d/PurpleLab">
<img src="/MD_image/Logotest.png" alt="Logo PurpleLab" width="400" height="400"/>
</a>
<!-- PROJECT SHIELDS -->
[![Issues][issues-shield]][issues-url]
[![MIT License][license-shield]][license-url]
[![LinkedIn][linkedin-shield]][linkedin-url]
[![Forks][forks-shield]][forks-url]
[![Stargazers][stars-shield]][stars-url]
<p align="center">
A comprehensive cybersecurity lab for creating and testing detection rules, simulating attacks, and training analysts
<br />
<a href="#installation"><strong>Get Started »</strong></a>
<br />
<br />
<a href="#usage">View Demo</a>
·
<a href="https://github.com/Krook9d/PurpleLab/issues">Report Bug</a>
·
<a href="https://github.com/Krook9d/PurpleLab/issues">Request Feature</a>
</p>
</div>
<!-- TABLE OF CONTENTS -->
<details>
<summary>Table of Contents</summary>
<ol>
<li><a href="#what-is-purplelab">What is PurpleLab?</a></li>
<li>
<a href="#installation-procedure">Installation</a>
<ul>
<li><a href="#requirements">Requirements</a></li>
<li><a href="#installation">Installation Steps</a></li>
<li><a href="#accounts">Accounts Setup</a></li>
<li><a href="#elk-configuration">ELK Configuration</a></li>
<li><a href="#vm-logs-configuration">VM Logs Configuration</a></li>
</ul>
</li>
<li>
<a href="#usage">Usage</a>
<ul>
<li><a href="#home-page">Home Page</a></li>
<li><a href="#hunting-page">Hunting Page</a></li>
<li><a href="#mitre-attck-page">MITRE ATT&CK Page</a></li>
<li><a href="#malware-page">Malware Page</a></li>
<li><a href="#sharing-page">Sharing Page</a></li>
<li><a href="#sigma-page">Sigma Page</a></li>
<li><a href="#health-page">Health Page</a></li>
<li><a href="#admin-page">Admin Page</a></li>
</ul>
</li>
<li><a href="#splunk-app">Splunk App</a></li>
<li><a href="#cortex-analyzer">Cortex Analyzer</a></li>
<li><a href="#api-documentation">API Documentation</a></li>
</ol>
</details>
<br />
<!-- ABOUT THE PROJECT -->
## What is PurpleLab?
**PurpleLab** is a cybersecurity laboratory that lets security professionals deploy a complete testing environment for creating and validating detection rules, simulating realistic attack scenarios, and training security analysts.
### Architecture Components
The lab includes:
- **Web Interface** - Frontend for controlling all features
- **VirtualBox Environment** - Ready-to-use Windows 10 VM with forensic tools
- **Flask Backend** - API and application logic
- **PostgreSQL Database** - Application data storage
- **Opensearch / ELK Server** - Log storage, analysis and search
<p align="right">(<a href="#readme-top">back to top</a>)</p>
<!-- INSTALLATION -->
## Installation procedure
> **Important**: For a clean installation, follow all chapters of the installation procedure, from requirements to accounts configuration.
> **Security Notice**: This lab has not been hardened and runs with default credentials. Do not connect it to a production network, and do not expose it beyond an isolated lab network without putting proper PKI and authentication in front of it.
### Requirements
**Minimum Hardware Resources:**
- **Storage**: 200GB available space
- **CPU**: 8 cores minimum
- **RAM**: 13GB minimum
**Software Requirements:**
- Clean installation of **Ubuntu Server 22.04** - [Download Here](https://ubuntu.com/download/server?ref=linuxhandbook.com)
> **Note**: Ubuntu Server 23.10 may cause issues with Python library installation.
**Hardware Virtualization Setup** (the Windows sandbox runs in VirtualBox inside this Ubuntu host, so the host needs VT-x/AMD-V; if Ubuntu is itself a VM, that means nested virtualization):
<details>
<summary>Click to expand virtualization setup instructions</summary>
**VMware Workstation:**
1. Go to VM settings → Processors → Virtualization engine
2. Enable "Virtualize Intel VT-x/EPT or AMD-V/RVI"
**VirtualBox:**
1. Select VM → Right-click → Settings → System → Processor
2. Check "Enable Nested VT-x/AMD-V"
**Physical Machine (Host):**
1. Access BIOS/UEFI settings
2. Enable hardware virtualization (VT-x/AMD-V)
3. Save changes and restart
</details>
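The following pre-flight check is an added example for this README, not part of the PurpleLab installer. It reads the `flags` line of `/proc/cpuinfo` (the same source `lscpu` uses) and tells you which of the three cases above applies: `vmx` or `svm` present means the host is ready; the `hypervisor` flag without them means Ubuntu is itself a guest and nested VT-x/AMD-V has to be enabled in the outer hypervisor; neither means the BIOS/UEFI setting. The optional file argument exists only so the check can be run against captured `cpuinfo` files.

```shell
#!/bin/sh
# Pre-flight check for hardware virtualization before running install.sh.
# Added example for this README, not part of PurpleLab.

# has_cpu_flag FLAG CPUINFO : exit 0 if FLAG appears as a whole token on a
# "flags" line. Whole-token matching matters: AMD also reports "svm_lock".
has_cpu_flag() {
    grep -E '^flags[[:space:]]*:' "$2" | grep -Eq "(^|[[:space:]])$1([[:space:]]|$)"
}

# virt_check [CPUINFO]  (default /proc/cpuinfo)
#   prints  ok             vmx (Intel VT-x) or svm (AMD-V) is visible
#           enable-nested  no vmx/svm, but "hypervisor" is set: Ubuntu is a VM,
#                          enable nested VT-x/AMD-V in VMware/VirtualBox
#           enable-bios    neither flag: enable VT-x/AMD-V in BIOS/UEFI
#   exit status is 0 only for "ok"
virt_check() {
    cpuinfo=${1:-/proc/cpuinfo}
    if has_cpu_flag vmx "$cpuinfo" || has_cpu_flag svm "$cpuinfo"; then
        echo ok
        return 0
    elif has_cpu_flag hypervisor "$cpuinfo"; then
        echo enable-nested
        return 1
    else
        echo enable-bios
        return 1
    fi
}

# virt_vendor CPUINFO : intel, amd or none, for the summary line
virt_vendor() {
    if has_cpu_flag vmx "$1"; then echo intel
    elif has_cpu_flag svm "$1"; then echo amd
    else echo none; fi
}

# Report on the live system when run directly.
if [ -r /proc/cpuinfo ]; then
    printf 'virtualization: %s (%s)\n' "$(virt_check)" "$(virt_vendor /proc/cpuinfo)"
fi
```

Run it as `sh virt-check.sh` before `install.sh`. The VirtualBox packages install either way, but the Windows VM will not boot without hardware virtualization (VirtualBox 6.1 and later require it).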
**Download Repository:**
```bash
git clone https://github.com/Krook9d/PurpleLab.git && mv PurpleLab/install.sh .
```
<p align="right">(<a href="#readme-top">back to top</a>)</p>
### Installation
Execute the installation script:
```bash
sudo bash install.sh
```
During installation, you'll be prompted to:
1. **ELK Installation**: Choose whether to install the default ELK SIEM
2. **Network Interface**: Select the network interface for the application
> **Warning**: If you skip the ELK installation, PHP errors will appear on the home page, because its dashboard queries Elasticsearch for its indicators.
<p align="right">(<a href="#readme-top">back to top</a>)</p>
### Accounts
#### Admin Account
A default admin account is automatically created and stored in `~/admin.txt` with the format:
```
[email protected]:password
```
#### User Account Setup
1. **Access the application** using your server's IP address
2. **Click "Register"** button
3. **Fill required fields:**
- **First Name**: Your first name
- **Last Name**: Your last name
- **Analyst Level**: Your analyst level (N1/N2/N3)
- **Avatar**: Select an avatar (< 1MB)
- **Password**: Must contain at least 8 characters with uppercase, lowercase, number, and special character
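The Security Notice above leaves the hardening to you. The audit below is an added example, not part of PurpleLab, of the two checks worth running right after `install.sh`: that `admin.txt`, which holds passwords in clear text, is readable by its owner only, and which of the lab's services listen on every interface. The port numbers are each component's defaults (PostgreSQL 5432, Elasticsearch 9200, Kibana 5601, the web interface on 80) and are an assumption about this install, as is the judgement that only PostgreSQL has no reason to be reachable from outside the host: the Windows VM ships its logs to 9200, and analysts use 80 and 5601.

```shell
#!/bin/sh
# Post-install audit for a fresh PurpleLab host. Added example, not PurpleLab code.

# secret_file_ok FILE : exit 0 if FILE exists and only its owner can read it
# (mode 600 or 400). Anything looser lets every local account read the passwords.
secret_file_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case $mode in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# wildcard_ports SS_OUTPUT : read the output of `ss -lntH` from a file and print
# each TCP port bound to a wildcard address (0.0.0.0, *, [::]), one per line.
wildcard_ports() {
    awk '{
        n = split($4, part, ":")
        port = part[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") print port
    }' "$1" | sort -un
}

# audit_listeners SS_OUTPUT : classify the wildcard ports. Exit 1 if PostgreSQL
# is exposed; the others are reachable by design and should be limited with a
# host firewall instead (assumed default ports, see the lead-in).
audit_listeners() {
    status=0
    for port in $(wildcard_ports "$1"); do
        case $port in
            5432) echo "FAIL: PostgreSQL ($port) listens on all interfaces; set listen_addresses = 'localhost' in postgresql.conf"; status=1 ;;
            9200) echo "INFO: Elasticsearch ($port) exposed; the Windows VM needs it, restrict it to the VM network with a firewall" ;;
            5601) echo "INFO: Kibana ($port) exposed; restrict it to the analyst subnet" ;;
            80)   echo "INFO: web interface ($port) exposed; restrict it to the analyst subnet" ;;
            *)    echo "INFO: port $port exposed; check which service owns it (ss -lntp)" ;;
        esac
    done
    return $status
}

# audit [ADMIN_FILE] : run both checks on the live host.
audit() {
    admin_file=${1:-$HOME/admin.txt}
    if secret_file_ok "$admin_file"; then
        echo "OK: $admin_file is readable by its owner only"
    else
        echo "FAIL: $admin_file missing or too permissive; run: chmod 600 $admin_file"
    fi
    tmp=$(mktemp)
    ss -lntH > "$tmp" 2>/dev/null || { echo "ss not available, skipping listener check"; rm -f "$tmp"; return 0; }
    audit_listeners "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

case ${1:-} in
    run) audit "${2:-}" ;;
esac
```

Run it as `sudo sh audit.sh run` (or pass the path of `admin.txt` as a second argument). Once you know which ports are reachable, limit them with the host firewall (for example `ufw`) to the analyst subnet and to the network the Windows VM sits on.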
<p align="right">(<a href="#readme-top">back to top</a>)</p>
### ELK Configuration
1. **Generate enrollment token:**
```bash
sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token --scope kibana
```
2. **Navigate to "Hunting" page** and paste the token
3. **Get verification code:**
```bash
sudo /usr/share/kibana/bin/kibana-verification-code
```
**Troubleshooting:**
An enrollment token is only valid for 30 minutes, so if submission fails with an old token, generate a new one first. If it still fails, restart Elasticsearch and retry:
```bash
sudo service elasticsearch restart
```
<p align="right">(<a href="#readme-top">back to top</a>)</p>
### VM logs configuration
1. **Connect to the VM** (IP available on health page):
```bash
sudo VBoxManage guestproperty get sandbox "/VirtualBox/GuestInfo/Net/0/V4/IP"
```
2. **Edit winlogbeat configuration** at `C:\Program Files\winlogbeat\winlogbeat.yml`:
- Update the `password` field under `output.elasticsearch` with the elastic superuser password from `admin.txt`
- Replace every occurrence of the placeholder IP address (192.168.142.130) with your ELK server IP
- Update `ssl.ca_trusted_fingerprint` with the output of the following command (the SHA-256 fingerprint, without colons, of the CA that signed Elasticsearch's HTTP certificate):
```bash
sudo openssl x509 -fingerprint -sha256 -in /etc/elasticsearch/certs/http_ca.crt | awk -F '=' '/Fingerprint/{print $2}' | tr -d ':'
```
3. **Test configuration** (Admin PowerShell):
```powershell
cd 'C:\Program Files\winlogbeat'
& "C:\Program Files\Winlogbeat\winlogbeat.exe" test config -c "C:\Program Files\Winlogbeat\winlogbeat.yml" -e
```
4. **Setup assets:**
```powershell
.\winlogbeat.exe setup -e
```
5. **Create snapshot** after VM restart:
```bash
sudo VBoxManage snapshot "sandbox" take "Snapshot1" --description "snapshot before the mess"
```
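The script below is an added example, not part of PurpleLab: it validates the fingerprint the `openssl` command above prints (64 hex digits, colons optional, either case) and renders the `output.elasticsearch` block of `winlogbeat.yml` with the three values from step 2 filled in, escaping quotes and backslashes in the password so a generated password cannot break the YAML. The key names are Winlogbeat's standard ones (`hosts`, `username`, `password`, `ssl.ca_trusted_fingerprint`); the `https` scheme and port 9200 are the Elasticsearch 8 defaults that the self-signed HTTP CA implies. Run it on the Ubuntu host and paste the output over the matching block in the VM.

```shell
#!/bin/sh
# Render the output.elasticsearch block of winlogbeat.yml for the PurpleLab VM.
# Added example, not PurpleLab code.

# normalize_fingerprint FP : accept "AB:CD:..." (openssl style) or plain hex and
# print 64 upper-case hex digits without colons; exit 1 if it is not a SHA-256.
normalize_fingerprint() {
    fp=$(printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F')
    case $fp in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fp}" -eq 64 ] || return 1
    printf '%s\n' "$fp"
}

# ca_fingerprint [CERT] : same value as the openssl one-liner in the procedure
# (default: the HTTP CA that Elasticsearch 8 generates at install time).
ca_fingerprint() {
    cert=${1:-/etc/elasticsearch/certs/http_ca.crt}
    openssl x509 -noout -fingerprint -sha256 -in "$cert" | awk -F= '{print $2}' | tr -d ':'
}

# yaml_quote STRING : double-quoted YAML scalar with \ and " escaped
yaml_quote() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/[\\"]/\\&/g')"
}

# render_winlogbeat_output ELK_IP ELASTIC_PASSWORD FINGERPRINT
# Prints the YAML to paste over the output.elasticsearch block in
# C:\Program Files\winlogbeat\winlogbeat.yml. The rest of the shipped file
# (winlogbeat.event_logs, setup.kibana) stays as it is apart from the IP.
render_winlogbeat_output() {
    elk_ip=$1
    password=$2
    fp=$(normalize_fingerprint "$3") || { echo "not a SHA-256 fingerprint: $3" >&2; return 1; }
    case $elk_ip in
        ""|*[!0-9.]*) echo "not an IPv4 address: $elk_ip" >&2; return 1 ;;
    esac
    cat <<EOF
output.elasticsearch:
  hosts: ["https://$elk_ip:9200"]
  username: "elastic"
  password: $(yaml_quote "$password")
  ssl.ca_trusted_fingerprint: "$fp"
EOF
}

# Usage: sh render-winlogbeat.sh <ELK IP> '<elastic password from admin.txt>' [fingerprint]
# When the fingerprint is omitted it is read from the local Elasticsearch CA.
case ${1:-} in
    "") ;;
    *)  render_winlogbeat_output "$1" "$2" "${3:-$(ca_fingerprint)}" ;;
esac
```

After pasting, run the `winlogbeat.exe test config` step from the procedure; a fingerprint with the wrong length or a stray colon is rejected there rather than at the first shipment attempt.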
<p align="right">(<a href="#readme-top">back to top</a>)</p>
<!-- USAGE -->
## Usage
**Start the Flask server:**
```bash
sudo python3 /home/$(logname)/app.py
```
**Ensure VM is running:**
```bash
sudo VBoxManage showvminfo sandbox --machinereadable | grep "VMState=" | awk -F'"' '{print $2}'
```
**Start VM if needed:**
```bash
sudo VBoxManage startvm sandbox --type headless
```
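The same commands wrapped as functions, as an added example that is not part of PurpleLab: the state query and start command above, the IP lookup from the VM logs section, and the snapshot restore that the Health page performs. `VBoxManage` is only called inside the live functions; the two parsers take the command output on stdin so they can be exercised without a VM. The VM name `sandbox` and the snapshot name `Snapshot1` are the ones this README uses.

```shell
#!/bin/sh
# VirtualBox helpers for the PurpleLab sandbox. Added example, not PurpleLab code.

VM=${VM:-sandbox}

# vm_state_from_info : parse `VBoxManage showvminfo --machinereadable` output on
# stdin and print the VMState value (running, paused, saved, poweroff, aborted...).
vm_state_from_info() {
    sed -n 's/^VMState="\([^"]*\)"$/\1/p'
}

# vm_ip_from_property : parse `VBoxManage guestproperty get` output on stdin.
# Prints the address, or nothing while the guest has not published one yet
# ("No value set!"), which is what you get until the Guest Additions are up.
vm_ip_from_property() {
    sed -n 's/^Value: //p'
}

vm_state() { VBoxManage showvminfo "$VM" --machinereadable | vm_state_from_info; }
vm_ip()    { VBoxManage guestproperty get "$VM" "/VirtualBox/GuestInfo/Net/0/V4/IP" | vm_ip_from_property; }

# ensure_running : start headless unless already running; a paused VM is resumed.
ensure_running() {
    state=$(vm_state)
    case $state in
        running) echo "$VM is running" ;;
        paused)  VBoxManage controlvm "$VM" resume ;;
        saved|poweroff|aborted) VBoxManage startvm "$VM" --type headless ;;
        "")      echo "no VM named $VM" >&2; return 1 ;;
        *)       echo "$VM is in state '$state'; not touching it" >&2; return 1 ;;
    esac
}

# reset_to_snapshot [SNAPSHOT] : power off if needed, restore, start again.
# VirtualBox refuses to restore a snapshot while the VM runs, hence the poweroff.
reset_to_snapshot() {
    snap=${1:-Snapshot1}
    case $(vm_state) in
        running|paused) VBoxManage controlvm "$VM" poweroff ;;
    esac
    VBoxManage snapshot "$VM" restore "$snap" && VBoxManage startvm "$VM" --type headless
}

# wait_for_ip [SECONDS] : poll until the guest publishes its IPv4 address.
wait_for_ip() {
    i=0
    while [ "$i" -lt "${1:-120}" ]; do
        ip=$(vm_ip)
        if [ -n "$ip" ]; then echo "$ip"; return 0; fi
        sleep 1
        i=$((i + 1))
    done
    echo "timed out waiting for $VM to report an IP" >&2
    return 1
}

case ${1:-} in
    start)   ensure_running && wait_for_ip ;;
    restore) reset_to_snapshot "${2:-Snapshot1}" && wait_for_ip ;;
    status)  printf '%s %s\n' "$(vm_state)" "$(vm_ip)" ;;
esac
```

The installer registers the VM under the account that ran `sudo bash install.sh`, which is why the README prefixes every `VBoxManage` call with `sudo`; run this the same way, for example `sudo sh vm.sh restore Snapshot1` to get a clean sandbox back before the next detonation.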
### Windows 10 Sandbox VM
The VM includes pre-installed tools:
- **Browser** for web-based activities
- **Atomic Red Team modules** for attack simulation
- **LibreOffice** for document-based attacks
<p align="right">(<a href="#readme-top">back to top</a>)</p>
### Home Page
The dashboard displays key performance indicators queried from Elasticsearch:
- **Event Count** from the Windows machine
- **Unique IP Addresses** seen in the logs
- **MITRE ATT&CK** techniques and sub-techniques count
- **Log Distribution** across the logs collected from the VM
<img src="/MD_image/home_page.png" width="800" alt="Home Page Dashboard">
<p align="right">(<a href="#readme-top">back to top</a>)</p>
### Hunting Page
Direct access to the **Kibana server** for log analysis. Open **Discover** to examine:
- VM logs and events
- Simulated log data
- Real-time security events
<p align="right">(<a href="#readme-top">back to top</a>)</p>
### MITRE ATT&CK Page
Interactive MITRE ATT&CK framework interface for:
**Technique Discovery:**
- Search using technique IDs (e.g., "T1070")
- Browse sub-techniques and detailed information
- Access the technique documentation
**Payload Execution:**
- Execute Atomic Red Team tests on the sandbox VM
- Simulate real attack scenarios
- Generate the events your detection rules should fire on
**Database Management:**
- Update the MITRE ATT&CK database with the latest data
> **Reference**: [Atomic Red Team Tests](https://www.atomicredteam.io/atomic-red-team/docs)
<img src="/MD_image/mitre.png" width="800" alt="MITRE ATT&CK Interface">
<p align="right">(<a href="#readme-top">back to top</a>)</p>
### Malware Page
Malware management with two functions:
#### Malware Downloader
- **Search & Download**: Enter a malware type (e.g., "Trojan")
- **Batch Processing**: Downloads the 10 latest matching samples from [Malware Bazaar](https://bazaar.abuse.ch)
- **Auto-Integration**: Uploads them to the Windows VM automatically
- **Execution Control**: Run a sample on the VM with a single click
#### Malware Uploader
- **Custom Uploads**: Upload your own executables and scripts
- **Supported Formats**: `.exe`, `.dll`, `.bin`, `.py`, `.ps1`
- **Inventory Management**: List and manage uploaded malware
> **Storage Location**: `/var/www/html/Downloaded/malware_upload/`. This path is under the web server's document root, so assume that anything placed there can also be fetched over HTTP by whoever can reach the web interface; one more reason to keep the lab on an isolated network, as the Security Notice says.
<img src="/MD_image/malware.png" width="800" alt="Malware Management Interface">
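Samples in the upload directory are the ground truth for everything the sandbox later logs, so it pays to record them by hash before each detonation. The script below is an added example, not PurpleLab code: it builds a SHA-256 manifest of the directory documented above (files with extensions the Uploader does not accept are reported and skipped) and diffs two manifests so a sample that was added or silently replaced between runs stands out. The directory path and the extension list are taken from this README; file names are assumed to contain no spaces.

```shell
#!/bin/sh
# SHA-256 manifest of the PurpleLab malware upload directory.
# Added example, not PurpleLab code.

UPLOAD_DIR=${UPLOAD_DIR:-/var/www/html/Downloaded/malware_upload}

# allowed_sample NAME : the extensions the Uploader accepts
allowed_sample() {
    case $1 in
        *.exe|*.dll|*.bin|*.py|*.ps1) return 0 ;;
        *) return 1 ;;
    esac
}

# manifest [DIR] : print "sha256  bytes  name" per accepted file, sorted by name;
# files with any other extension are reported on stderr and skipped.
manifest() {
    dir=${1:-$UPLOAD_DIR}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        if allowed_sample "$name"; then
            sum=$(sha256sum "$f" | cut -d' ' -f1)
            size=$(wc -c < "$f" | tr -d ' ')
            printf '%s  %s  %s\n' "$sum" "$size" "$name"
        else
            echo "skipped (extension not accepted by the uploader): $name" >&2
        fi
    done
}

# manifest_diff OLD NEW : report names in NEW that are absent from OLD ("new")
# or whose hash differs ("changed"); an unchanged sample prints nothing.
manifest_diff() {
    awk 'FILENAME == ARGV[1] { seen[$3] = $1; next }
         !($3 in seen)       { print "new", $3; next }
         seen[$3] != $1      { print "changed", $3 }' "$1" "$2"
}

# Usage: sh manifest.sh [DIR] > samples-$(date +%F).manifest
case ${1:-} in
    "") ;;
    *)  manifest "$1" ;;
esac
```

Keep the manifest with the detection results: the hash column is what threat-intel feeds (including Malware Bazaar) key on, so an event in Kibana can be tied back to the exact sample that produced it rather than to a file name that may have been reused.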
<p align="right">(<a href="#readme-top">back to top</a>)</p>
### Sharing Page
Collaborative knowledge sharing:
- **Query Sharing**: Publish effective detection queries
- **Rule Exchange**: Share custom detection rules
- **Community Benefit**: Learn from other analysts' discoveries
<img src="/MD_image/sharing.png" width="800" alt="Knowledge Sharing Platform">
<p align="right">(<a href="#readme-top">back to top</a>)</p>
### Sigma Page
Sigma rule management:
#### Search Capabilities
- **Keyword Search**: Find rules by technique ID or keyword (e.g., "powershell")
- **Rule Display**: View the complete Sigma rule
#### Conversion Features
- **Splunk Format**: One-click conversion to a Splunk query
- **Lucene Format**: Conversion to Elasticsearch-compatible Lucene syntax, which can be pasted into Discover on the Hunting page
<img src="/MD_image/sigma.png" width="800" alt="Sigma Rule Management">
<p align="right">(<a href="#readme-top">back to top</a>)</p>
### Health Page
System monitoring dashboard:
#### Component Status
- **Opensearch Dashboard** - Web interface status
- **Postgres** - Database status
- **Opensearch** - Search engine status
- **VirtualBox** - Virtualization platform status
- **Flask Backend** - Application server status
#### Resource Monitoring
- **RAM Usage** - Memory utilization
- **Disk Usage** - Storage consumption
#### VM Management
- **Status Monitoring** - Current VM state
- **IP Information** - Network configuration
- **Snapshot Control** - Restore points management
> **Note**: Snapshot restoration may report an error even when it succeeded; verify by checking the VM state and connecting to the VM.
<img src="/MD_image/health_page.png" width="800" alt="System Health Dashboard">
<p align="right">(<a href="#readme-top">back to top</a>)</p>
### Admin Page
Administrative control center for system configuration:
#### Key Features
- **LDAP Configuration**: Centralized authentication setup
- **API Key Generation**: Create and manage keys for the API
- **System Settings**: Core configuration management
#### Access Requirements
Log in with the administrator account stored in `~/admin.txt`: `[email protected]`
<img src="/MD_image/admin.png" width="800" alt="Administration Panel">
<p align="right">(<a href="#readme-top">back to top</a>)</p>
<!-- INTEGRATIONS -->
## Splunk App
**Repository**: [TA-Purplelab-Splunk](https://github.com/Krook9d/TA-Purplelab-Splunk)
### Features
- **Atomic Red Team Integration**: Execute tests directly from Splunk
- **Threat Hunting Dashboard**: Dedicated hunting interface
- **Seamless Integration**: PurpleLab-Splunk connectivity
### Demo
The demo is available in the [TA-Purplelab-Splunk repository](https://github.com/Krook9d/TA-Purplelab-Splunk).
<p align="right">(<a href="#readme-top">back to top</a>)</p>
## Cortex Analyzer
**Repository**: [PurpleLab-Cortex-Analyzer](https://github.com/Krook9d/PurpleLab-Cortex-Analyzer)
### Capabilities
- **Automated Uploads**: Executable transfer to PurpleLab
- **Detonation Analysis**: Automated malware execution and analysis
- **TheHive Integration**: Incident response workflows
### Demo
The demo is available in the [PurpleLab-Cortex-Analyzer repository](https://github.com/Krook9d/PurpleLab-Cortex-Analyzer).
<p align="right">(<a href="#readme-top">back to top</a>)</p>
<!-- API DOCUMENTATION -->
## API documentation
For API usage and integration details, see the full documentation:
**[API Documentation](/Documentation/flask_app_documentation.md)**
<p align="right">(<a href="#readme-top">back to top</a>)</p>
<!-- MARKDOWN LINKS & IMAGES -->
[issues-shield]: https://img.shields.io/github/issues/Krook9d/PurpleLab.svg?style=for-the-badge
[issues-url]: https://github.com/Krook9d/PurpleLab/issues
[license-shield]: https://img.shields.io/github/license/Krook9d/PurpleLab.svg?style=for-the-badge
[license-url]: https://github.com/Krook9d/PurpleLab/blob/master/LICENSE
[linkedin-shield]: https://img.shields.io/badge/-LinkedIn-black.svg?style=for-the-badge&logo=linkedin&colorB=555
[linkedin-url]: https://www.linkedin.com/in/martin-cayrol-47669a1a2/
[forks-shield]: https://img.shields.io/github/forks/Krook9d/PurpleLab.svg?style=for-the-badge
[forks-url]: https://github.com/Krook9d/PurpleLab/network/members
[stars-shield]: https://img.shields.io/github/stars/Krook9d/PurpleLab.svg?style=for-the-badge
[stars-url]: https://github.com/Krook9d/PurpleLab/stargazers