This repository is an example implementation of a monitoring system that implements detection-as-code principles with Python and MongoDB with Change Streams. The examples contain an agent to collect and forward logs, an engine to process the logs and alert if desired, and rule files to be loaded by the detection engine.
Slides are available here.
These environment variables are all needed for the detection engine to function.
The monitoring agent reuiqres the variables prefixed with CHANGE_
.
export ALERT_COLLECTION_NAME=alert
export CONFIG_COLLECTION_NAME=configuration
export CHANGE_COLLECTION_NAME=process
export CHANGE_DB_NAME=monitoring
export CHANGE_STREAM_DB="mongodb://localhost:27017"
python engine/detection.py
The agent requires sudo privileges due to the eBPF portion of the code.
sudo -E python collection/agent.py
There is a small config portion for pytest in pyproject.toml.
pytest
.
├── collection
│ └── agent.py
├── engine
│ ├── detection.py
│ ├── __init__.py
│ ├── rule.py
│ └── tests
│ ├── __init__.py
│ └── test_engine.py
├── infra
│ ├── docker-compose.yml
│ ├── init.js
│ └── initRS.sh
├── LICENSE
├── MongoDB-and-DaC.pdf
├── pyproject.toml
├── readme.md
└── rules
├── shadow.py
├── shadow.yaml
└── tmp_output_redir.yaml