
DetectPack Forge turns plain-English behaviors or sample logs into production-ready detection packs — Sigma, KQL (Sentinel), SPL (Splunk) — plus tests and a response playbook, mapped to MITRE ATT&CK, fully powered by Gen AI.


andrewkolagit/DetectPack-Forge


DetectPack Forge

Turn plain-English behaviors or small log samples into production-ready detection packs — Sigma, KQL (Sentinel), and SPL (Splunk) — with tests and a short response playbook, all mapped to MITRE ATT&CK.

What is this?

DetectPack Forge is a helper for people learning or working with SIEMs. You describe a behavior (e.g., “many failed logons then a success”) or paste a few log lines, and the app generates:

  • Sigma (vendor-neutral rule YAML)
  • KQL (Microsoft Sentinel)
  • SPL (Splunk)
  • Tests (positive/negative examples)
  • Playbook (concise incident-response checklist)
  • MITRE ATT&CK technique tags

Demo of product in action: Link to Demo

Why it’s useful: you don’t need to memorize different query syntaxes to begin writing detections; you learn by example and get artifacts you can paste directly into a SIEM.

How it works (architecture)

Frontend (Vite + React + Tailwind + shadcn-ui)

  • Simple wizard: Describe (type behavior) or Logs (paste sample).
  • Calls a single n8n webhook with JSON and renders the returned artifacts in tabs.
  • Env var: VITE_N8N_WEBHOOK_URL points to your n8n webhook.

Backend (n8n + Gemini)

  1. 🛎️ Webhook (POST) receives:

    { "mode": "describe" | "logs", "text": "string?", "logs": "string?" }
  2. 🧹 Preprocess Function normalizes the body:

    // reads from $json.body and flattens to {mode,text,logs}
    const src = (items[0].json?.body ?? items[0].json ?? {});
    let modeRaw = String(src.mode ?? '').toLowerCase();
    const text = typeof src.text === 'string' ? src.text : '';
    const logs = typeof src.logs === 'string' ? src.logs : '';
    const mode = modeRaw === 'logs' || (logs && !text) ? 'logs' : 'describe';
    if (!text && !logs) throw new Error('Provide either text or logs.');
    return [{ json: { mode, text, logs } }];
  3. 🧠 AI Agent – Schema (Gemini) infers:

    {
      "logsource": { "product": "windows|aws|okta|...", "service": "security|cloudtrail|..." },
      "fields": [{ "name": "EventID", "type": "int" }, ...],
      "techniques": [{ "id": "T1110", "confidence": "high" }]
    }
  4. 🧩 Parse Schema (Function) safely parses the agent output and attaches it to the flow.

  5. 🧪 AI Agent – Artifacts (Gemini) creates Sigma/KQL/SPL/tests/playbook from the schema + inputs.

  6. 📤 Return JSON to the webhook caller:

    {
      "meta": { "title": "...", "slug": "...", "attack": ["Txxxx"], "logsource": { "product": "...", "service": "..." } },
      "sigma": "...",
      "kql": "...",
      "spl": "...",
      "tests": { "positive": ["..."], "negative": ["..."] },
      "playbook": "..."
    }
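As an added example (not code from the DetectPack Forge repository), a small JavaScript module that checks a returned pack against the response shape above and derives safe artifact file names from it; the sample pack, its slug and the query texts are constructed. The slug is model output, so it is sanitized before being used as part of a path.

```javascript
// Added example (not part of DetectPack Forge): validate a pack returned by the
// webhook (the "Return JSON" shape above) before writing its artifacts to disk.
// The slug comes from model output, so it is never trusted as a filename as-is.
const ATTACK_ID = /^T\d{4}(\.\d{3})?$/;

function safeSlug(slug) {
  // keep only [a-z0-9-]; anything else (including "../") collapses to '-'
  const s = String(slug ?? '').toLowerCase().replace(/[^a-z0-9-]+/g, '-').replace(/^-+|-+$/g, '');
  return s.slice(0, 64) || 'detection-pack';
}

function validatePack(pack) {
  const problems = [];
  const m = pack?.meta ?? {};
  if (typeof m.title !== 'string' || !m.title.trim()) problems.push('meta.title missing');
  if (!Array.isArray(m.attack) || m.attack.length === 0) problems.push('meta.attack empty');
  else for (const id of m.attack) if (!ATTACK_ID.test(id)) problems.push(`bad ATT&CK id: ${id}`);
  for (const k of ['product', 'service'])
    if (typeof m.logsource?.[k] !== 'string' || !m.logsource[k]) problems.push(`meta.logsource.${k} missing`);
  for (const k of ['sigma', 'kql', 'spl', 'playbook'])
    if (typeof pack?.[k] !== 'string' || !pack[k].trim()) problems.push(`${k} missing`);
  for (const k of ['positive', 'negative'])
    if (!Array.isArray(pack?.tests?.[k]) || pack.tests[k].length === 0) problems.push(`tests.${k} empty`);
  // the Sigma rule should carry the ATT&CK tags that the meta block claims (Sigma uses lowercase tags)
  if (typeof pack?.sigma === 'string')
    for (const id of m.attack ?? [])
      if (!pack.sigma.includes(`attack.${id.toLowerCase()}`)) problems.push(`sigma lacks tag attack.${id.toLowerCase()}`);
  return problems;
}

function packToFiles(pack) {
  const slug = safeSlug(pack.meta.slug);
  return {
    [`${slug}.sigma.yml`]: pack.sigma,
    [`${slug}.kql`]: pack.kql,
    [`${slug}.spl`]: pack.spl,
    [`${slug}.tests.json`]: JSON.stringify(pack.tests, null, 2),
    [`${slug}.playbook.md`]: pack.playbook,
  };
}
// Constructed sample response for the "many failed logons then a success" behaviour.
const SAMPLE_PACK = {
  meta: { title: 'Brute force then success', slug: '../Brute Force!', attack: ['T1110'],
          logsource: { product: 'windows', service: 'security' } },
  sigma: 'title: Brute force then success\nlogsource:\n  product: windows\n  service: security\ndetection:\n  selection:\n    EventID: 4625\n  condition: selection | count() by TargetUserName > 10\ntags:\n  - attack.t1110\n',
  kql: 'SecurityEvent | where EventID == 4625 | summarize n=count() by TargetUserName | where n > 10',
  spl: 'index=wineventlog EventCode=4625 | stats count by TargetUserName | where count > 10',
  tests: { positive: ['12x 4625 then 4624 for same user in 5m'], negative: ['single 4625'] },
  playbook: '1. Confirm source IP\n2. Check for 4624 after the failures\n3. Reset the password if compromised',
};
```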

Running Locally

To run the frontend locally and connect it to your backend or API, follow these steps:

  1. Clone the repository

    git clone <YOUR_GIT_URL>
    cd <YOUR_PROJECT_NAME>
  2. Install dependencies

    npm install
  3. Configure environment variables

    • A .env.local file should already be present in the project root; if not, create one.
    • Set it to the URL of your n8n webhook, for example:
      VITE_N8N_WEBHOOK_URL=http://localhost:5678/webhook/detectpack/1
    • Replace the example URL with your backend/API URL.
  4. Start the development server

    npm run dev
  5. Connect to your backend

    • The n8n backend workflow is provided as a .json file in the repo; import it into a new workflow in your n8n instance.
    • Ensure your backend is running and accessible at the URL specified in your .env.local.
    • The frontend will communicate with the backend using the configured API URL.

Note:

  • No n8n setup is required for running the frontend.
  • For production builds, use npm run build and serve the output from the dist folder.

What technologies are used for this project?

This project is built with:

  • Vite
  • TypeScript
  • React
  • shadcn-ui
  • Tailwind CSS
