Clean up Phase 4 slide and add GNATHunt capability slide#175
Merged
Conversation
- Remove (v1.6) version reference from Phase 4 title - Remove migration 0004 reference from ExecutionContext line - Add new dedicated GNATHunt slide covering STIX → detection rules, hunt packages, ATT&CK coverage mapping, and drift detection - Update presentation title from 37-slide to 38-slide https://claude.ai/code/session_01FUJQyGdWpZSgYkW1Xb95gU
There was a problem hiding this comment.
Pull request overview
Updates the Reveal.js slide deck (docs/deck/index.html) to reflect the latest roadmap messaging by cleaning up Phase 4 wording and adding a dedicated slide for the HuntGNAT/GNATHunt capability.
Changes:
- Updates the deck title to “38-Slide Presentation” and reorders the “Abstraction Advantage” slide.
- Removes the “(v1.6)” reference from the Phase 4 slide title and drops the “migration 0004” mention from the ExecutionContext bullet.
- Adds a new “GNATHunt — Detection Rules & Hunting” slide.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| <h2>GNATHunt — Detection Rules & Hunting</h2> | ||
| <p style="font-size: 0.85em;">Convert STIX to detection rules. Hunt packages. ATT&CK coverage mapping. Drift detection.</p> | ||
| <ul style="font-size: 0.8em; margin-top: 1em;"> | ||
| <li><strong>STIX → Detection Rules:</strong> Malware/Campaign/Tool indicators → Sigma + YARA + Suricata + Snort rules. Confidence-weighted rule weight. Automated rule publication to EDL + SOC platform integrations.</li> |
There was a problem hiding this comment.
The “STIX → Detection Rules” bullet describes “Malware/Campaign/Tool indicators” and “publication to EDL”, but HuntGNAT is designed/implemented as STIX Indicator pattern → rule translation (Sigma/YARA/Suricata/Snort). Consider rewording this bullet to match the actual HuntGNAT contract and avoid implying EDL-based rule publishing if that isn’t supported.
Suggested change
| <li><strong>STIX → Detection Rules:</strong> Malware/Campaign/Tool indicators → Sigma + YARA + Suricata + Snort rules. Confidence-weighted rule weight. Automated rule publication to EDL + SOC platform integrations.</li> | |
| <li><strong>STIX → Detection Rules:</strong> STIX Indicator patterns → Sigma + YARA + Suricata + Snort rules. Confidence-weighted rule scoring. Output is generated as detection-rule content for downstream SOC workflows.</li> |
| <li><strong>STIX → Detection Rules:</strong> Malware/Campaign/Tool indicators → Sigma + YARA + Suricata + Snort rules. Confidence-weighted rule weight. Automated rule publication to EDL + SOC platform integrations.</li> | ||
| <li><strong>Hunt Packages:</strong> Bundled rules with metadata (adversary, campaign, techniques, severity). Importable into Splunk, Elastic, Chronicle, QRadar. Version control + diff tracking.</li> | ||
| <li><strong>ATT&CK Coverage Mapping:</strong> Every rule tagged with MITRE ATT&CK technique/sub-technique. Coverage heatmap by tactic. Gaps identified and prioritized.</li> | ||
| <li><strong>Drift Detection:</strong> Scheduled hunt job compares rule effectiveness (hit count, FP rate) against baseline. Drift >10% triggers analyst review. Rules auto-archived if no hits in 90 days.</li> |
There was a problem hiding this comment.
The “Drift Detection” bullet describes effectiveness metrics (hit count/FP rate), a “>10%” threshold, and auto-archiving after 90 days. In code, drift detection is implemented as a SHA-256 hash comparison of canonical vs remote rule bodies and is explicitly observe-only (no auto-correct/auto-retire). Please align this slide text with the implemented drift model to avoid documenting behavior that doesn’t exist.
Suggested change
| <li><strong>Drift Detection:</strong> Scheduled hunt job compares rule effectiveness (hit count, FP rate) against baseline. Drift >10% triggers analyst review. Rules auto-archived if no hits in 90 days.</li> | |
| <li><strong>Drift Detection:</strong> Scheduled hunt job compares canonical and remote rule bodies using SHA-256 hashes of canonicalized content. Mismatches are surfaced for analyst review as observe-only drift events; no automatic correction, retirement, or archival is performed.</li> |
Comment on lines
+443
to
+444
| <section data-background="#1a1a1a"> | ||
| <h2>GNATHunt — Detection Rules & Hunting</h2> |
There was a problem hiding this comment.
Adding this slide changes the slide numbering for the “ROLLOUT & ROADMAP SECTION” that follows. The section header comment currently says “Slides 33-36”, but with the new slide it should be updated (and the closing slide number shifts as well) to keep the in-file slide index accurate.
Comment on lines
+444
to
+451
| <h2>GNATHunt — Detection Rules & Hunting</h2> | ||
| <p style="font-size: 0.85em;">Convert STIX to detection rules. Hunt packages. ATT&CK coverage mapping. Drift detection.</p> | ||
| <ul style="font-size: 0.8em; margin-top: 1em;"> | ||
| <li><strong>STIX → Detection Rules:</strong> Malware/Campaign/Tool indicators → Sigma + YARA + Suricata + Snort rules. Confidence-weighted rule weight. Automated rule publication to EDL + SOC platform integrations.</li> | ||
| <li><strong>Hunt Packages:</strong> Bundled rules with metadata (adversary, campaign, techniques, severity). Importable into Splunk, Elastic, Chronicle, QRadar. Version control + diff tracking.</li> | ||
| <li><strong>ATT&CK Coverage Mapping:</strong> Every rule tagged with MITRE ATT&CK technique/sub-technique. Coverage heatmap by tactic. Gaps identified and prioritized.</li> | ||
| <li><strong>Drift Detection:</strong> Scheduled hunt job compares rule effectiveness (hit count, FP rate) against baseline. Drift >10% triggers analyst review. Rules auto-archived if no hits in 90 days.</li> | ||
| <li><strong>Integration:</strong> GNATHunt hooks into campaign tracking — when Campaign confirmed, emit detection rules + hunt package. Daily hunts run via FeedScheduler.</li> |
There was a problem hiding this comment.
The slide uses the name “GNATHunt”, but the repository consistently refers to this capability as “HuntGNAT” (e.g., ADR-0050 and the plugin package name gnat.plugins.huntgnat). To avoid confusion, update the slide title/body to use “HuntGNAT” consistently.
Suggested change
| <h2>GNATHunt — Detection Rules & Hunting</h2> | |
| <p style="font-size: 0.85em;">Convert STIX to detection rules. Hunt packages. ATT&CK coverage mapping. Drift detection.</p> | |
| <ul style="font-size: 0.8em; margin-top: 1em;"> | |
| <li><strong>STIX → Detection Rules:</strong> Malware/Campaign/Tool indicators → Sigma + YARA + Suricata + Snort rules. Confidence-weighted rule weight. Automated rule publication to EDL + SOC platform integrations.</li> | |
| <li><strong>Hunt Packages:</strong> Bundled rules with metadata (adversary, campaign, techniques, severity). Importable into Splunk, Elastic, Chronicle, QRadar. Version control + diff tracking.</li> | |
| <li><strong>ATT&CK Coverage Mapping:</strong> Every rule tagged with MITRE ATT&CK technique/sub-technique. Coverage heatmap by tactic. Gaps identified and prioritized.</li> | |
| <li><strong>Drift Detection:</strong> Scheduled hunt job compares rule effectiveness (hit count, FP rate) against baseline. Drift >10% triggers analyst review. Rules auto-archived if no hits in 90 days.</li> | |
| <li><strong>Integration:</strong> GNATHunt hooks into campaign tracking — when Campaign confirmed, emit detection rules + hunt package. Daily hunts run via FeedScheduler.</li> | |
| <h2>HuntGNAT — Detection Rules & Hunting</h2> | |
| <p style="font-size: 0.85em;">Convert STIX to detection rules. Hunt packages. ATT&CK coverage mapping. Drift detection.</p> | |
| <ul style="font-size: 0.8em; margin-top: 1em;"> | |
| <li><strong>STIX → Detection Rules:</strong> Malware/Campaign/Tool indicators → Sigma + YARA + Suricata + Snort rules. Confidence-weighted rule weight. Automated rule publication to EDL + SOC platform integrations.</li> | |
| <li><strong>Hunt Packages:</strong> Bundled rules with metadata (adversary, campaign, techniques, severity). Importable into Splunk, Elastic, Chronicle, QRadar. Version control + diff tracking.</li> | |
| <li><strong>ATT&CK Coverage Mapping:</strong> Every rule tagged with MITRE ATT&CK technique/sub-technique. Coverage heatmap by tactic. Gaps identified and prioritized.</li> | |
| <li><strong>Drift Detection:</strong> Scheduled hunt job compares rule effectiveness (hit count, FP rate) against baseline. Drift >10% triggers analyst review. Rules auto-archived if no hits in 90 days.</li> | |
| <li><strong>Integration:</strong> HuntGNAT hooks into campaign tracking — when Campaign confirmed, emit detection rules + hunt package. Daily hunts run via FeedScheduler.</li> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
https://claude.ai/code/session_01FUJQyGdWpZSgYkW1Xb95gU