dotgibson/dotfiles-Defense

🔵 dotfiles-Defense

Detection engineering, version-controlled. The defensive role layer: detection engineering and a Dockerized hunt lab.

sigma · sysmon · siem · docker

showcase blue team


The defensive (blue) role of the dotfiles system, the mirror image of dotfiles-Kali. Where Kali carries the offensive engagement layer, this repo carries the detection-engineering and investigation layer: the tooling, configs, and workspace workflow for hunting, triage, and standing up a small detection lab.

Like Kali, it stacks three layers: Core (vendored) → OS-native (your existing OS repo) → Defense (role). The defense layer is unique to this repo: hunt/triage tooling, version-controlled detection content, and a Dockerized lab.

The one rule that matters

This is a public repo. Case, evidence, and log data NEVER live in it. All investigation data lives under ~/cases/ (outside the repo), exactly like Kali keeps engagements in ~/engagements/. The paranoid .gitignore is a backstop, not the primary control. mkcase scaffolds a case outside the repo by design.

Distro-agnostic + Docker (no blue-team distro required)

You do not need Security Onion or a dedicated blue-team distro: Security Onion is a SOC sensor appliance, not a dotfiles target. The blue stack is overwhelmingly containers, so this repo assumes no specific OS. Host tools come from your OS-native layer, and the heavy stack (SIEM and friends) comes up via docker/ (siemup / siemdown).

Loader integration

Adds one stage to the zsh loader, just before local overrides: tools → … → os → defense → local. defense/defense.zsh is linked to ~/.config/zsh/defense.zsh and holds workflow helpers only (mkcase, gocase, note, siemup/siemdown). Every helper is HAVE_*-guarded, so a missing dependency (no docker, no git) makes the helper refuse cleanly instead of failing halfway through.
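The following is an added example of what the helpers described above and the "one rule" look like in practice. It is not the repo's own defense.zsh; it is written in POSIX sh so it loads unchanged in zsh, and the checkout location (DEFENSE_DIR), the compose file name, the case directory layout (evidence/, logs/, notes/) and the CASE_DIR variable are all assumptions. The part worth copying is `_case_dir_is_safe`: it refuses to scaffold a case anywhere git could commit it, making the .gitignore the backstop it is meant to be rather than the only control.

```shell
# Added example, not the repo's defense.zsh. Sourced by the loader as the
# "defense" stage; all paths below are assumptions for illustration.
: "${CASES_DIR:=$HOME/cases}"                       # case data lives here, outside any repo
: "${DEFENSE_DIR:=$HOME/.config/dotfiles-Defense}"  # assumed checkout location
: "${DEFENSE_DOCKER_DIR:=$DEFENSE_DIR/docker}"

# HAVE_* guards: probe dependencies once at load time, check them per helper.
command -v git    >/dev/null 2>&1 && HAVE_GIT=1
command -v docker >/dev/null 2>&1 && HAVE_DOCKER=1

# Primary control for the "one rule": never scaffold a case inside a git work tree.
_case_dir_is_safe() {
    mkdir -p "$CASES_DIR" || return 1
    [ -n "$HAVE_GIT" ] || return 0     # without git nothing can be committed from here
    if git -C "$CASES_DIR" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        printf 'refusing: %s is inside a git work tree\n' "$CASES_DIR" >&2
        return 1
    fi
}

mkcase() {
    # mkcase <slug>  ->  $CASES_DIR/YYYYMMDD-<slug>/{evidence,logs,notes,case.md}
    [ $# -eq 1 ] || { echo 'usage: mkcase <slug>' >&2; return 2; }
    _case_dir_is_safe || return 1
    local slug case_dir
    slug=$(printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_')   # keep the name shell- and path-safe
    case_dir="$CASES_DIR/$(date +%Y%m%d)-$slug"
    [ -e "$case_dir" ] && { printf 'exists: %s\n' "$case_dir" >&2; return 1; }
    mkdir -p "$case_dir/evidence" "$case_dir/logs" "$case_dir/notes" || return 1
    if [ -r "$DEFENSE_DIR/defense/templates/case.md" ]; then
        cp "$DEFENSE_DIR/defense/templates/case.md" "$case_dir/case.md"
    else    # template missing: still seed a minimal case file
        printf '# Case %s\n\nOpened: %s\n' "$slug" "$(date -u +%FT%TZ)" > "$case_dir/case.md"
    fi
    chmod 700 "$case_dir"     # evidence is need-to-know even on the analyst's own host
    printf '%s\n' "$case_dir"
}

gocase() {
    # gocase [fragment]: cd into the newest case (optionally the newest matching fragment)
    local target
    target=$(ls -d "$CASES_DIR"/*/ 2>/dev/null | grep -F -- "${1:-}" | sort | tail -n 1)
    [ -n "$target" ] || { echo 'no matching case' >&2; return 1; }
    cd "$target" && export CASE_DIR="$PWD"
}

note() {
    # note <text...>: append a UTC-timestamped line to the active case's timeline
    [ -n "$CASE_DIR" ] || { echo 'no active case (run gocase first)' >&2; return 1; }
    printf '%s  %s\n' "$(date -u +%FT%TZ)" "$*" >> "$CASE_DIR/notes/timeline.md"
}

siemup() {
    [ -n "$HAVE_DOCKER" ] || { echo 'docker not available' >&2; return 1; }
    docker compose -f "$DEFENSE_DOCKER_DIR/docker-compose.yml" up -d
}

siemdown() {
    [ -n "$HAVE_DOCKER" ] || { echo 'docker not available' >&2; return 1; }
    docker compose -f "$DEFENSE_DOCKER_DIR/docker-compose.yml" down
}
```

The git check runs against CASES_DIR rather than the new case directory because the parent is what decides whether a later `git add .` anywhere up the tree could sweep the evidence in; pointing CASES_DIR at a path under the dotfiles checkout is exactly the mistake it catches.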

What the layer ships

  • defense/defense.zsh: role-stage ergonomics + case workflow
  • defense/templates/: case.md / hunt.md seeds
  • detections/: version-controlled detection content (Sigma, Sysmon, network, SIEM)
  • docker/: the detection-lab compose stack(s)
  • DEFENSE-METHODOLOGY.md: the ATT&CK → data-source → detection map
  • install/: host-tool notes (distro-agnostic)

The attack-paired mirror lives in Kali's PURPLE-TEAM.md; the two cross-link.
