Stop Chasing Ghosts in Your SIEM: Let GEKO Hunt Threats for You

Let’s be honest, being a security analyst can sometimes feel like you’re a ghost hunter in a digital haunted house. You’re chasing faint signals, trying to figure out if that weird network traffic is a real threat or just the house settling. You spend hours writing detection rules, but are they actually protecting you from the monsters that matter? Or are you just setting up elaborate tripwires for digital squirrels?

What if you could automatically connect the dots between the scary stories from threat intel and the digital traps you’ve set in your SIEM? What if you could get a clear, data-driven report card on how well you’re doing?

Well, stop wishing and say hello to GEKO 🦎, your new automated threat-hunting buddy. GEKO 🦎 is an open-source tool that bridges the chasm between your threat intelligence in OpenCTI and your detection rules in Elasticsearch. It’s like having a translator who speaks both “spooky threat actor” and “nerdy detection engineer.”

So, What’s the Big Deal?

At its core, GEKO 🦎 does something beautifully simple but incredibly powerful:

  1. It reads your threat intel homework: GEKO 🦎 logs into your OpenCTI instance and asks, “Who are the baddest of the bad guys we’re worried about right now?” It then diligently notes down the ATT&CK techniques (the TTPs) that each of those intrusion sets is linked to.
  2. It checks your alarm system: Next, GEKO 🦎 heads over to your Elastic deployment and asks, “Okay, what alarms do we have set up?” It takes a full inventory of your enabled detection rules (the ones you manage in Kibana’s Security app) together with the ATT&CK techniques each rule is tagged with.
  3. It plays matchmaker: This is where the magic happens. GEKO 🦎 compares the threat actors’ TTPs with the techniques your rules are tagged with and figures out where you’re covered and, more importantly, where you’re exposed. One caveat worth keeping in mind: “covered” means an enabled rule is mapped to that technique, not that the rule has been proven to fire on that actor’s particular procedure.
  4. It gives you a report card: Finally, GEKO 🦎 generates a slick markdown report that shows you exactly how your defenses stack up against the threats you care about. No more guesswork!

The result? You can stop wasting time writing rules for threats you’re not even facing and start focusing on the real monsters under the bed.
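To make the matchmaking step concrete, here is an added example (not GEKO’s own code) of the core comparison over constructed data: a dictionary of intrusion sets and the technique IDs they use, standing in for what the OpenCTI MITRE connector provides, and a handful of Elastic Security detection rules in the shape Kibana stores them, where the threat field carries the ATT&CK mapping. The intrusion-set names and rules are made up; only the threat structure is Elastic’s. A disabled rule is included on purpose to show it is skipped, and “covered” is defined narrowly as “an enabled rule is tagged with that exact technique ID”.

```python
"""Match intrusion-set TTPs against enabled Elastic detection rules and
emit a markdown coverage report (added illustration, not GEKO's own code)."""
from collections import defaultdict

# Constructed sample of what the OpenCTI MITRE connector provides:
# intrusion set name -> ATT&CK technique IDs linked to it ("uses" relationships).
INTRUSION_SETS = {
    "APT-Example-1": {"T1059.001", "T1566.001", "T1021.001"},
    "APT-Example-2": {"T1059.001", "T1047", "T1003.001"},
}

# Constructed sample of Elastic Security detection rules. The `threat`
# field is the ATT&CK mapping Kibana stores on each rule.
RULES = [
    {
        "name": "PowerShell Suspicious Script",
        "enabled": True,
        "threat": [{
            "framework": "MITRE ATT&CK",
            "tactic": {"id": "TA0002", "name": "Execution"},
            "technique": [{
                "id": "T1059", "name": "Command and Scripting Interpreter",
                "subtechnique": [{"id": "T1059.001", "name": "PowerShell"}],
            }],
        }],
    },
    {
        "name": "Spearphishing Attachment",
        "enabled": False,  # disabled rules must not count as coverage
        "threat": [{
            "framework": "MITRE ATT&CK",
            "tactic": {"id": "TA0001", "name": "Initial Access"},
            "technique": [{
                "id": "T1566", "name": "Phishing",
                "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment"}],
            }],
        }],
    },
    {
        "name": "WMI Process Creation",
        "enabled": True,
        "threat": [{
            "framework": "MITRE ATT&CK",
            "tactic": {"id": "TA0002", "name": "Execution"},
            "technique": [{"id": "T1047", "name": "Windows Management Instrumentation"}],
        }],
    },
]


def rule_techniques(rule):
    """Return every ATT&CK technique and sub-technique ID a rule is tagged with."""
    ids = set()
    for entry in rule.get("threat", []):
        for tech in entry.get("technique", []):
            ids.add(tech["id"])
            for sub in tech.get("subtechnique", []):
                ids.add(sub["id"])
    return ids


def coverage(intrusion_sets, rules):
    """For each intrusion set, map covered technique -> enabled rule names and list gaps.

    "Covered" means only that at least one *enabled* rule is tagged with the
    exact technique ID; it says nothing about whether that rule would fire.
    """
    tagged = defaultdict(list)  # technique ID -> names of enabled rules tagged with it
    for rule in rules:
        if not rule.get("enabled"):
            continue
        for tid in rule_techniques(rule):
            tagged[tid].append(rule["name"])
    result = {}
    for actor, ttps in intrusion_sets.items():
        covered = {tid: sorted(tagged[tid]) for tid in sorted(ttps) if tid in tagged}
        gaps = sorted(ttps - set(covered))
        result[actor] = {"covered": covered, "gaps": gaps,
                         "percent": round(100 * len(covered) / len(ttps))}
    return result


def markdown_report(cov):
    """Render the coverage dict as a markdown report card, one table per actor."""
    lines = ["# Detection coverage report", ""]
    for actor, data in cov.items():
        lines += [f"## {actor} ({data['percent']}% covered)", "",
                  "| Technique | Status | Enabled rules |", "|---|---|---|"]
        for tid, names in data["covered"].items():
            lines.append(f"| {tid} | covered | {', '.join(names)} |")
        for tid in data["gaps"]:
            lines.append(f"| {tid} | GAP | - |")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(markdown_report(coverage(INTRUSION_SETS, RULES)))
```

Running it prints two tables: the first actor comes out at 33% because the only rule mapped to T1566.001 is disabled, which is exactly the kind of false comfort an inventory that ignored the enabled flag would hide.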

New Superpower Unlocked: The Sigma Rule Turbo-Button! 🚀

Getting your threat intelligence platform populated can be a slog. But what if you could inject hundreds of high-quality detection rules into OpenCTI in a matter of seconds?

Enter importsigma.py, GEKO’s secret weapon.

If you haven’t heard of Sigma, think of it as the universal language for detection rules. It’s a generic format that can be translated into queries for almost any SIEM, including Elasticsearch.

The importsigma.py script is a little bit of command-line magic. It does two amazing things:

  1. It bulk-imports Sigma rules directly into your OpenCTI instance, instantly creating a library of detection logic.
  2. It automatically maps the rules to MITRE ATT&CK techniques! The script reads the tags in each Sigma rule (like attack.t1059.001) and links the rule to the matching Attack Pattern in OpenCTI. The flip side: a rule that carries only tactic tags (like attack.execution) or no attack.t… tag at all has nothing to link to, so keep an eye on how many of your rules fall into that bucket.

This means you can go from an empty OpenCTI instance to a rich, interconnected web of threat intelligence and detection logic before your coffee gets cold. This isn’t just a time-saver; it’s a game-changer.
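Here is an added example (not GEKO’s importsigma.py) of the tag-to-technique step that any Sigma importer has to get right before it can link a rule to an Attack Pattern. The Sigma rule is constructed for illustration and is not a real rule from the Sigma repository; the tag conventions it follows (attack.tNNNN for techniques, attack.gNNNN for groups, attack.sNNNN for software, attack.tactic_name for tactics) are the real ones. The reader for the tags block is deliberately minimal; a real importer would load the whole file with a YAML parser. It also shows the failure modes: a malformed technique tag is set aside instead of being guessed at, and a rule with no technique tag is rejected because there is nothing to link.

```python
"""Map Sigma rule tags to ATT&CK IDs the way an importer must before it can
link a rule to an Attack Pattern in OpenCTI (added illustration, not GEKO's code)."""
import re

# Sigma tag conventions: attack.tNNNN[.NNN] = technique/sub-technique,
# attack.gNNNN = group, attack.sNNNN = software, attack.<tactic_slug> = tactic.
TECHNIQUE_RE = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)
GROUP_RE = re.compile(r"^attack\.(g\d{4})$", re.IGNORECASE)
SOFTWARE_RE = re.compile(r"^attack\.(s\d{4})$", re.IGNORECASE)
TACTIC_RE = re.compile(r"^attack\.([a-z][a-z_]+)$")

# Constructed Sigma rule in the official repo's layout (not a real rule).
SAMPLE_RULE = """\
title: Suspicious PowerShell Download Cradle
id: 00000000-0000-4000-8000-000000000001
status: test
description: Detects a PowerShell one-liner that downloads and executes code
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\\powershell.exe'
        CommandLine|contains: 'DownloadString'
    condition: selection
level: high
tags:
    - attack.execution
    - attack.t1059.001
    - attack.command_and_control
    - attack.t1105
    - attack.g0016
    - cve.2021-44228
    - attack.t1059.01
"""


def load_tags(sigma_text):
    """Minimal reader for the flat `tags:` sequence in a Sigma YAML file.

    A real importer would use a YAML parser; this only needs the tags block,
    which in Sigma rules is always a flat '- value' list under `tags:`.
    """
    tags, in_tags = [], False
    for line in sigma_text.splitlines():
        if not in_tags:
            in_tags = line.strip() == "tags:"
            continue
        stripped = line.strip()
        if stripped.startswith("- "):
            tags.append(stripped[2:].strip().strip("'\""))
        elif stripped and not line.startswith((" ", "\t")):
            break  # next top-level key ends the block
    return tags


def map_attack_tags(tags):
    """Split Sigma tags into ATT&CK IDs; malformed or non-ATT&CK tags go to `unmapped`."""
    out = {"techniques": [], "tactics": [], "groups": [], "software": [], "unmapped": []}
    for tag in tags:
        if m := TECHNIQUE_RE.match(tag):
            out["techniques"].append(m.group(1).upper())  # attack.t1059.001 -> T1059.001
        elif m := GROUP_RE.match(tag):
            out["groups"].append(m.group(1).upper())
        elif m := SOFTWARE_RE.match(tag):
            out["software"].append(m.group(1).upper())
        elif m := TACTIC_RE.match(tag):
            # ATT&CK kill-chain phase names use hyphens: command-and-control
            out["tactics"].append(m.group(1).replace("_", "-"))
        else:
            out["unmapped"].append(tag)  # e.g. cve.* tags or a typo like attack.t1059.01
    return out


def sigma_to_attack(sigma_text):
    """Return the ATT&CK mapping for one rule, or raise if it has no technique to link."""
    mapping = map_attack_tags(load_tags(sigma_text))
    if not mapping["techniques"]:
        raise ValueError("rule has no attack.tNNNN tag; nothing to link in OpenCTI")
    return mapping


if __name__ == "__main__":
    print(sigma_to_attack(SAMPLE_RULE))
```

For the constructed rule this yields T1059.001 and T1105 as linkable techniques, G0016 as a group, two tactics, and two unmapped tags (the CVE tag and the mistyped sub-technique). Surfacing the unmapped list per rule is what lets you spot tagging mistakes in a batch import instead of silently losing coverage data.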

Getting Your Hands Dirty with GEKO 🦎: The “I Have Nothing” Edition 💻

Never dabbled with Elastic or OpenCTI before? No problemo! GEKO’s docker-compose.yml is your one-way ticket to a full-blown threat intelligence and SIEM lab.

Steps 1-5: The Setup. Head to the GEKO 🦎 repository and follow the steps there.

… (You’ve got your lab running, but it’s empty and sad.)

Step 6: Add the OpenCTI MITRE connector to import Intrusion Sets, Attack Patterns and more directly from MITRE ATT&CK. Don’t skip this one: the importer in the next step links rules to these Attack Patterns.

Step 7: The Turbo-Button!

Now, before you do anything else, let’s feed your brand new OpenCTI instance. Grab a folder of Sigma rules (the official Sigma repo on GitHub is a great place to start) and run the importer:

python src/importsigma.py

Watch in awe as your OpenCTI graph comes to life. Now that you have a solid foundation of detection logic mapped to TTPs, you can start enabling the corresponding rules in Kibana and run your first GEKO 🦎 report with meaningful data from day one!

The “I’m a Pro” Edition: Integrating with Your Existing Stack 🚀

Already have a bustling metropolis of an Elastic and OpenCTI setup? You’re in luck! GEKO 🦎 is designed to slide right in.

Grab the src folder and install the dependencies.

Supercharge your Intel: Use the importsigma.py script to fill any content gaps in your OpenCTI instance. You might discover hundreds of relevant detection ideas you hadn’t considered.

Configure your .env file with your credentials.

Let ‘er rip! Run python src/main.py and get ready for some serious insights.

Suggested Use Cases: From Zero to Hero 🦸

So, now that you have this awesome tool, what can you do with it?

Rapidly Baseline Your Detections: Just stood up a new SIEM? Use the Sigma importer to load up on community-vetted detections, then run GEKO 🦎 to get an instant baseline of your coverage against every intrusion set the MITRE connector pulled in.

Prioritize Like a Boss: Your boss just came back from a conference and is freaking out about the latest APT group. Instead of panicking, you can run GEKO 🦎, see your coverage against that specific group, and confidently say, “We’re covered,” or “I’ve identified the gaps and I’m already working on it.”

Justify Your Existence: The GEKO 🦎 report is your new best friend. It’s a tangible, data-driven way to show the value of your detection engineering efforts. You can even track your coverage over time to show improvement.

Purple Teaming on a Budget: Use the GEKO 🦎 report to identify your weak spots, then challenge your team to write detection rules for the gaps. It’s a great way to level up your team’s skills and improve your defenses at the same time.

Go Forth and Hunt! 🏹

GEKO is more than just a tool; it’s a new way of thinking about detection engineering. It’s about being proactive, data-driven, and, most importantly, effective. So, what are you waiting for? Go give GEKO 🦎 a spin and start hunting those digital ghosts like a pro! And hey, since it’s open source, if you have a great idea to make it even better, don’t be shy—contribute!

Discover more from Planned Link
