Detection engineering, version-controlled. The defensive role layer: detection engineering and a Dockerized hunt lab.
sigma · sysmon · siem · docker
The defensive (blue) role of the dotfiles system, the mirror image of
dotfiles-Kali. Where Kali carries the offensive engagement layer, this repo
carries the detection-engineering & investigation layer: the tooling,
configs, and workspace workflow for hunting, triage, and standing up a small
detection lab.
Like Kali, it stacks three layers: Core (vendored) → OS-native (your existing OS repo) → Defense (role). The defense layer is unique to this repo: hunt/triage tooling, version-controlled detection content, and a Dockerized lab.
This is a public repo. Case, evidence, and log data NEVER live in it. All
investigation data lives under ~/cases/ (outside the repo), exactly like Kali
keeps engagements in ~/engagements/. The paranoid .gitignore is a backstop,
not the primary control. mkcase scaffolds a case outside the repo by design.
You do not need Security Onion or a dedicated blue distro: SO is a SOC sensor
appliance, not a dotfiles target. The blue stack is overwhelmingly containers, so
this repo assumes no specific OS: host tools come from your OS-native layer, and
the heavy stack comes up via docker/ (siemup / siemdown).
Adds one stage to the zsh loader, just before local overrides:
tools → … → os → defense → local. defense/defense.zsh →
~/.config/zsh/defense.zsh holds workflow helpers only (mkcase, gocase,
note, siemup/siemdown), all HAVE_*-guarded.
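To make the loader-stage conventions concrete, here is an added example of what a HAVE_*-guarded defense-stage file can look like. It is not the repo's own defense.zsh: the CASES_ROOT and DOTFILES_DEFENSE variables, the case.md skeleton, the evidence/logs/notes subdirectories and the docker/docker-compose.yml path are all assumptions. The security-relevant part is that mkcase refuses to scaffold a case anywhere under the public repo and rejects path-traversal names, so the "cases live outside the repo" rule is enforced by the helper rather than only by .gitignore.

```shell
# Added example (assumed layout, not the project's defense.zsh).
# Probe host tools once at load time; helpers test the HAVE_* flag instead of
# re-running `command -v` on every call.
command -v docker >/dev/null 2>&1 && HAVE_DOCKER=1 || HAVE_DOCKER=0

CASES_ROOT="${CASES_ROOT:-$HOME/cases}"                        # assumed: case data root
DOTFILES_DEFENSE="${DOTFILES_DEFENSE:-$HOME/dotfiles-Defense}"  # assumed: public repo checkout

# mkcase NAME: scaffold a new case under CASES_ROOT. Never inside the repo.
mkcase() {
  name="$1"
  [ -n "$name" ] || { echo "usage: mkcase NAME" >&2; return 2; }
  # Reject anything that could escape CASES_ROOT (slashes, dot-prefixed names).
  case "$name" in */*|.*) echo "mkcase: invalid case name '$name'" >&2; return 2;; esac
  dir="$CASES_ROOT/$name"
  # Hard refusal: case data must not be created under the public repo.
  case "$dir" in "$DOTFILES_DEFENSE"/*) echo "mkcase: refusing to create a case inside the repo" >&2; return 1;; esac
  [ -e "$dir" ] && { echo "mkcase: $dir already exists" >&2; return 1; }
  mkdir -p "$dir/evidence" "$dir/logs" "$dir/notes"
  chmod 700 "$dir"   # evidence is private to the analyst account
  printf '# Case: %s\n\nOpened: %s\n\n## Timeline\n\n## Hypotheses\n\n## Findings\n' \
    "$name" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$dir/case.md"
  echo "$dir"
}

# gocase NAME: jump into an existing case directory.
gocase() { cd "$CASES_ROOT/$1" || return 1; }

# note TEXT...: append a UTC-timestamped line to the case.md in the current directory.
note() {
  [ -f case.md ] || { echo "note: no case.md here (run gocase first)" >&2; return 1; }
  printf -- '- %s %s\n' "$(date -u +%H:%M:%SZ)" "$*" >> case.md
}

# siemup / siemdown: bring the lab compose stack up or down, only if docker exists.
siemup() {
  [ "$HAVE_DOCKER" = 1 ] || { echo "siemup: docker not found on this host" >&2; return 127; }
  docker compose -f "$DOTFILES_DEFENSE/docker/docker-compose.yml" up -d
}
siemdown() {
  [ "$HAVE_DOCKER" = 1 ] || { echo "siemdown: docker not found on this host" >&2; return 127; }
  docker compose -f "$DOTFILES_DEFENSE/docker/docker-compose.yml" down
}
```

Sourcing this file from the defense stage gives you `mkcase inc-2024-demo`, then `gocase inc-2024-demo` and `note "first observation"`, while `mkcase ../x` and any CASES_ROOT pointing under the repo are rejected before anything is written.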
defense/defense.zsh: role-stage ergonomics + case workflow
defense/templates/: case.md / hunt.md seeds
detections/: version-controlled detection content (Sigma, Sysmon, network, SIEM)
docker/: the detection-lab compose stack(s)
DEFENSE-METHODOLOGY.md: the ATT&CK → data-source → detection map
install/: host-tool notes (distro-agnostic)
The attack-paired mirror lives in Kali's PURPLE-TEAM.md; the two cross-link.