OCA is glad to introduce the Kestrel cloud sandbox. Now learning and trying Kestrel is just a click away—no installation needed, no server needed.
Kestrel is a novel approach to perform cyber threat hunting, letting threat hunters focus on the business (hunting) logic, other than query specification and adapter development. It constructs an entity-based cyber reasoning paradigm, which normalizes different data sources, and smooths out the procedure to compose hunt-flow from hunt steps.
Usually one needs to install Kestrel runtime before launching the first hello-world hunt. One may also clone the kestrel-analytics repo to use any community-shared analytics hunt steps. In addition, one may clone the kestrel-huntbook repo to download community-shared hunting playbooks and tutorials to start hunt and learn.
Could we have a sandbox pre-loaded with Kestrel runtime and all batteries? Then users can taste Kestrel and execute their hunts by spinning up an instance of the sandbox.
Yes. The answer is the Kestrel cloud sandbox (built and managed by binder).
Kestrel team crafts two entrance URLs, either of which will spin up a Kestrel sandbox instance in a public cloud and open the tutorial or huntbooks directory in the kestrel-huntbook repo when entering the sandbox:
Take the first entrance URL as an example, after clicking it, binder will take a few seconds/minutes to prepare the sandbox. It may be slow when a new version is spun for the first time, which gets faster in follow-up runs.
The sandbox will then be launched, and the user will land to a classic Jupyter Notebook web interface (behind the scene, the sandbox is a container running in a public cloud partnered with binder). The sandbox has Jupyter, Kestrel runtime, Kestrel kernel, Kestrel analytics, and Kestrel huntbooks installed and setup, so the user is ready to explore and execute a huntbook in the sandbox.
For instance, a user may click the huntbook 5. Apply a Kestrel Analytics.ipynb and open the huntbook with Kestrel Jupyter kernel. The huntbook is ready to view/edit/execute now.
People use the Kestrel sandbox to learn Kestrel, tweak existing huntbooks, play with them, and check the execution results. The hunts in the Kestrel tutorial use pre-canned data (STIX bundles) provided by the open-source Kestrel project.
Beyond playing with the huntbooks, one could perform hunts directly in the sandbox. After launching a Kestrel sandbox, one can connect their own data sources by creating a stix-shifter interface config file named
stixshifter.yaml using the text editor.
Now any huntbook in the same directory of the
stixshifter.yaml file will be able to use data sources defined in the
To start a hunt, click the New button on the top right and choose Kestrel as the notebook kernel. Write in the notebook
newvar = GET ipv4-addr FROM stixshifter:// and press tab to list (auto-complete) all data sources in the
After playing with Kestrel in the sandbox, it is recommended to conduct your own hunt in your own environment. This means to install Kestrel on your hunting workstation/laptop, or in a server for cyber threat hunting. Because Kestrel can be accessed as a Jupyter Notebook, the only requirements for a place to install Kestrel are:
After deciding where to host Kestrel runtime, one can follow Kestrel doc to install/setup:
The installation is simple—just
pip install—In the future, we may provide pre-built Kestrel container for people to pull and execute even simpler.
Until next time, happy threat hunting! And don’t forget to create a PR to kestrel-huntbook to share your huntbooks with the community.