scope-forensics · scope-forensics · Feb 16, 2025 · Feb 7, 2025 · Feb 16, 2025
diff --git a/README_NEW.md b/README_NEW.md
@@ -0,0 +1,247 @@
+<a id="readme-top"></a>
+
+[![Contributors][contributors-shield]][contributors-url]
+[![Forks][forks-shield]][forks-url]
+[![Stargazers][stars-shield]][stars-url]
+[![Issues][issues-shield]][issues-url]
+[![Apache-2.0 license
+][license-shield]][license-url]
+[![LinkedIn][linkedin-shield]][linkedin-url]
+
+<!-- https://github.com/othneildrew/Best-README-Template/blob/main/BLANK_README.md -->
+
+<!-- PROJECT LOGO -->
+<br />
+<div align="center">
+  <a href="https://github.com/scope-forensics/scope">
+    <img src="images/logo/logo.png" alt="Logo" width="80" height="80">
+  </a>
+
+<h3 align="center">Scope</h3>
+
+  <p align="center">
+    Scope is an open source cloud forensic tools to allow for rapid incident responce in Amazon Web Services (AWS). Support for Google Cloud Platform (GCP) and Microsoft Azure (Azure) is comming soon.
+
+
+    <br />
+    <a href="https://scopeforensics.com/docs"><strong>Explore the docs »</strong></a>
+    <br />
+    <br />
+    <a href="https://github.com/scope-forensics/scope">View Demo</a>
+    &middot;
+    <a href="https://github.com/scope-forensics/scope/issues/new?labels=bug&template=bug-report---.md">Report Bug</a>
+    &middot;
+    <a href="https://github.com/scope-forensics/scope/issues/new?labels=enhancement&template=feature-request---.md">Request Feature</a>
+  </p>
+</div>
+
+
+
+<!-- TABLE OF CONTENTS -->
+<details>
+  <summary>Table of Contents</summary>
+  <ol>
+    <li>
+      <a href="#about-the-project">About The Project</a>
+      <ul>
+        <li><a href="#built-with">Built With</a></li>
+      </ul>
+    </li>
+    <li>
+      <a href="#getting-started">Getting Started</a>
+      <ul>
+        <li><a href="#prerequisites">Prerequisites</a></li>
+        <li><a href="#installation">Installation</a></li>
+      </ul>
+    </li>
+    <li><a href="#usage">Usage</a></li>
+    <li><a href="#roadmap">Roadmap</a></li>
+    <li><a href="#contributing">Contributing</a></li>
+    <li><a href="#license">License</a></li>
+    <li><a href="#contact">Contact</a></li>
+    <li><a href="#acknowledgments">Acknowledgments</a></li>
+  </ol>
+</details>
+
+
+
+<!-- ABOUT THE PROJECT -->
+## About The Project
+
+[![Product Name Screen Shot][product-screenshot]](https://example.com)
+
+<p align="right">(<a href="#readme-top">back to top</a>)</p>
+
+
+
+### Built With
+
+* [![Python][python.org]][Python-url]
+* [![Django][Djangoproject.com]][Django-url]
+* [![Bootstrap][Bootstrap.com]][Bootstrap-url]
+* [![HTMX][Htmx.org]][Htmx-url]
+* [![Docker][Docker.com]][Docker-url]
+
+<p align="right">(<a href="#readme-top">back to top</a>)</p>
+
+
+
+<!-- GETTING STARTED -->
+## Getting Started
+
+This is an example of how you may give instructions on setting up your project locally.
+To get a local copy up and running follow these simple example steps.
+
+### Prerequisites
+
+This is an example of how to list things you need to use the software and how to install them.
+* npm
+  ```sh
+  npm install npm@latest -g
+  ```
+
+### Installation
+
+1. Get a free API Key at [https://example.com](https://example.com)
+2. Clone the repo
+   ```sh
+   git clone https://github.com/scope-forensics/scope.git
+   ```
+3. Install NPM packages
+   ```sh
+   npm install
+   ```
+4. Enter your API in `config.js`
+   ```js
+   const API_KEY = 'ENTER YOUR API';
+   ```
+5. Change git remote url to avoid accidental pushes to base project
+   ```sh
+   git remote set-url origin scope-forensics/scope
+   git remote -v # confirm the changes
+   ```
+
+<p align="right">(<a href="#readme-top">back to top</a>)</p>
+
+
+
+<!-- USAGE EXAMPLES -->
+## Usage
+
+Use this space to show useful examples of how a project can be used. Additional screenshots, code examples and demos work well in this space. You may also link to more resources.
+
+_For more examples, please refer to the [Documentation](https://example.com)_
+
+<p align="right">(<a href="#readme-top">back to top</a>)</p>
+
+
+
+<!-- ROADMAP -->
+## Roadmap
+
+- [ ] AWS
+- [ ] Azure
+- [ ] GCP
+- [ ] Feature 3
+    - [ ] Nested Feature
+
+See the [open issues](https://github.com/scope-forensics/scope/issues) for a full list of proposed features (and known issues).
+
+<p align="right">(<a href="#readme-top">back to top</a>)</p>
+
+
+
+<!-- CONTRIBUTING -->
+## Contributing
+
+Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are **greatly appreciated**.
+
+If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement".
+Don't forget to give the project a star! Thanks again!
+
+1. Fork the Project
+2. Create your Feature Branch (`git checkout -b feature/AmazingFeature`)
+3. Commit your Changes (`git commit -m 'Add some AmazingFeature'`)
+4. Push to the Branch (`git push origin feature/AmazingFeature`)
+5. Open a Pull Request
+
+<p align="right">(<a href="#readme-top">back to top</a>)</p>
+
+### Top contributors:
+
+<a href="https://github.com/scope-forensics/scope/graphs/contributors">
+  <img src="https://contrib.rocks/image?repo=scope-forensics/scope" alt="contrib.rocks image" />
+</a>
+
+
+
+<!-- LICENSE -->
+## License
+
+Distributed under the Apache-2.0 license
+. See `LICENSE.txt` for more information.
+
+<p align="right">(<a href="#readme-top">back to top</a>)</p>
+
+
+
+<!-- CONTACT -->
+## Contact
+
+Your Name - [@twitter_handle](https://twitter.com/twitter_handle) - scopeforenscis@protonmail.com.com
+
+Project Link: [https://github.com/scope-forensics/scope](https://github.com/scope-forensics/scope)
+
+<p align="right">(<a href="#readme-top">back to top</a>)</p>
+
+
+
+<!-- ACKNOWLEDGMENTS -->
+## Acknowledgments
+
+* []()
+* []()
+* []()
+
+<p align="right">(<a href="#readme-top">back to top</a>)</p>
+
+
+
+<!-- MARKDOWN LINKS & IMAGES -->
+<!-- https://www.markdownguide.org/basic-syntax/#reference-style-links -->
+[contributors-shield]: https://img.shields.io/github/contributors/scope-forensics/scope.svg?style=for-the-badge
+[contributors-url]: https://github.com/scope-forensics/scope/graphs/contributors
+[forks-shield]: https://img.shields.io/github/forks/scope-forensics/scope.svg?style=for-the-badge
+[forks-url]: https://github.com/scope-forensics/scope/network/members
+[stars-shield]: https://img.shields.io/github/stars/scope-forensics/scope.svg?style=for-the-badge
+[stars-url]: https://github.com/scope-forensics/scope/stargazers
+[issues-shield]: https://img.shields.io/github/issues/scope-forensics/scope.svg?style=for-the-badge
+[issues-url]: https://github.com/scope-forensics/scope/issues
+[license-shield]: https://img.shields.io/github/license/scope-forensics/scope.svg?style=for-the-badge
+[license-url]: https://github.com/scope-forensics/scope/blob/master/LICENSE.txt
+[linkedin-shield]: https://img.shields.io/badge/-LinkedIn-black.svg?style=for-the-badge&logo=linkedin&colorB=555
+[linkedin-url]: https://linkedin.com/in/linkedin_username
+[product-screenshot]: images/screenshot.png
+[Next.js]: https://img.shields.io/badge/next.js-000000?style=for-the-badge&logo=nextdotjs&logoColor=white
+[Next-url]: https://nextjs.org/
+[React.js]: https://img.shields.io/badge/React-20232A?style=for-the-badge&logo=react&logoColor=61DAFB
+[React-url]: https://reactjs.org/
+[Vue.js]: https://img.shields.io/badge/Vue.js-35495E?style=for-the-badge&logo=vuedotjs&logoColor=4FC08D
+[Vue-url]: https://vuejs.org/
+[Angular.io]: https://img.shields.io/badge/Angular-DD0031?style=for-the-badge&logo=angular&logoColor=white
+[Angular-url]: https://angular.io/
+[Svelte.dev]: https://img.shields.io/badge/Svelte-4A4A55?style=for-the-badge&logo=svelte&logoColor=FF3E00
+[Svelte-url]: https://svelte.dev/
+[Laravel.com]: https://img.shields.io/badge/Laravel-FF2D20?style=for-the-badge&logo=laravel&logoColor=white
+[Laravel-url]: https://laravel.com
+[Bootstrap.com]: https://img.shields.io/badge/Bootstrap-563D7C?style=for-the-badge&logo=bootstrap&logoColor=white
+[Bootstrap-url]: https://getbootstrap.com
+[Htmx.org]: https://img.shields.io/badge/Htmx-563D7C?style=for-the-badge&logo=htmx&logoColor=white
+[Htmx-url]: https://htmx.org 
+[Docker.com]: https://img.shields.io/badge/Docker-2CA5E0?style=for-the-badge&logo=docker&logoColor=white
+[Docker-url]: https://docker.com    
+[Djangoproject.com]: https://img.shields.io/badge/Django-092E20?style=for-the-badge&logo=django&logoColor=white
+[Django-url]: https://djangoproject.com
+[Python.org]: https://img.shields.io/badge/Python-3776AB?style=for-the-badge&logo=python&logoColor=white
+[Python-url]: https://python.org
+
diff --git a/apps/analysis/detection_rules/aws_rules.yaml b/apps/analysis/detection_rules/aws_rules.yaml
@@ -0,0 +1,41 @@
+# AWS Pre-built Detection Rules
+
+- name: "GetCallerIdentity Reconnaissance"
+  description: "Detects attempts to enumerate AWS account information using GetCallerIdentity"
+  cloud: "aws"
+  detection_type: "api_call"
+  severity: "medium"
+  event_source: "sts.amazonaws.com"
+  event_name: "GetCallerIdentity"
+  auto_tags: ["suspicious", "reconnaissance"]
+  enabled: true
+
+- name: "Root Account Usage"
+  description: "Detects usage of the root account which is a security best practice violation"
+  cloud: "aws"
+  detection_type: "login"
+  severity: "high"
+  event_source: "signin.amazonaws.com"
+  additional_criteria: {"user_identity": "root"}
+  auto_tags: ["high-risk", "compliance-violation"]
+  enabled: true
+
+- name: "Security Group Modification"
+  description: "Detects modifications to security groups which could indicate network security changes"
+  cloud: "aws"
+  detection_type: "network"
+  severity: "medium"
+  event_source: "ec2.amazonaws.com"
+  event_name: "AuthorizeSecurityGroupIngress"
+  auto_tags: ["security-group-change", "network-modification"]
+  enabled: true
+
+- name: "IAM Policy Changes"
+  description: "Detects changes to IAM policies which could indicate privilege escalation attempts"
+  cloud: "aws"
+  detection_type: "iam"
+  severity: "high"
+  event_source: "iam.amazonaws.com"
+  event_name: "PutRolePolicy"
+  auto_tags: ["iam-change", "privilege-escalation"]
+  enabled: true
diff --git a/apps/analysis/detections.py b/apps/analysis/detections.py
@@ -0,0 +1,87 @@
+from django.db.models import Q
+from apps.data.models import NormalizedLog, DetectionResult
+from apps.analysis.models import Detection
+
+def get_case_logs(case_id):
+    """Get all logs for a case"""
+    logs = NormalizedLog.objects.filter(case_id=case_id)
+    print(f"\nFound {logs.count()} logs for case {case_id}")
+    return logs
+
+def apply_detection_filters(logs, detection):
+    """Apply detection rule filters to logs"""
+    print(f"\nApplying filters for detection: {detection.name}")
+
+    # Apply event name filter
+    if detection.event_name:
+        print(f"Filtering for event_name: {detection.event_name}")
+        logs = logs.filter(event_name__iexact=detection.event_name)
+        print(f"Found {logs.count()} logs with matching event name")
+        # Debug: show matching logs
+        for log in logs:
+            print(f"Matching log - Event: {log.event_name}, Source: {log.event_source}")
+
+    # Apply event source filter
+    if detection.event_source:
+        print(f"Filtering for event_source: {detection.event_source}")
+        logs = logs.filter(event_source__iexact=detection.event_source)
+        print(f"Found {logs.count()} logs with matching event source")
+
+    # Apply event type filter
+    if detection.event_type:
+        print(f"Filtering for event_type: {detection.event_type}")
+        logs = logs.filter(event_type__iexact=detection.event_type)
+        print(f"Found {logs.count()} logs with matching event type")
+
+    # Apply additional criteria
+    if detection.additional_criteria:
+        for key, value in detection.additional_criteria.items():
+            if key == 'raw_data_contains':
+                logs = logs.filter(raw_data__icontains=value)
+            elif key == 'ip_address':
+                logs = logs.filter(ip_address=value)
+            elif key == 'user_identity':
+                logs = logs.filter(user_identity=value)
+
+    return logs
+
+def tag_matching_logs(logs, detection):
+    """Add detection tags to matching logs"""
+    for log in logs:
+        log.tags.add(*detection.auto_tags.all())
+
+def run_detection(case_id, account_id, detection):
+    """Run a single detection rule"""
+    # Get base logs
+    logs = get_case_logs(case_id)
+
+    # Apply detection filters
+    matching_logs = apply_detection_filters(logs, detection)
+
+    # Create detection results and tag logs
+    for log in matching_logs:
+        # Create detection result if it doesn't exist
+        DetectionResult.objects.get_or_create(
+            case_id=case_id,
+            detection=detection,
+            matched_log=log
+        )
+        # Tag the log
+        log.tags.add(*detection.auto_tags.all())
+
+    return matching_logs
+
+def run_all_detections(case_id, account_id):
+    """Run all enabled AWS detections"""
+    results = []
+    detections = Detection.objects.filter(enabled=True, cloud='aws')
+
+    for detection in detections:
+        matching_logs = run_detection(case_id, account_id, detection)
+        results.append({
+            'detection': detection,
+            'matches': matching_logs.count(),
+            'matching_logs': matching_logs
+        })
+
+    return results