Operation Desert Hydra

AI-assisted CTI pipeline: MuddyWater public sources → OpenCTI → 11 detection records → 14 PASS / 1 PARTIAL / 1 FAIL across 16 rule checks → Kibana

Operation Desert Hydra: CTI Pipeline

What This Is

Operation Desert Hydra is a complete CTI-to-detection pipeline focused on MuddyWater / Seedworm, widely reported by government and vendor sources as Iran-linked activity associated with MOIS and targeting Israeli government, defense, and critical infrastructure. The pipeline runs a full, gated chain: public sources → structured procedures → OpenCTI knowledge graph → detection rules → benign lab simulation → Kibana proof screenshots.

Everything is on GitHub: github.com/anpa1200/operation-desert-hydra. One repository contains everything needed to reproduce the full pipeline from a clean machine.

The Pipeline — 6 Phases

Phase 1: Source Gathering

AI-assisted deep research across 71 candidate sources: parallel Gemini and OpenAI research passes, followed by an analyst review gate, after which 8 government and vendor sources were promoted.

Phase 2: Procedure Dataset

10 source-bound procedure records with evidence labels (Observed/Reported/Assessed), ATT&CK mappings, and detection opportunity notes.

Phase 3: OpenCTI

Self-hosted OpenCTI 6.2 knowledge graph: MuddyWater intrusion set, 9 malware, 4 tools, 21 ATT&CK techniques, 20 source reports.

Phase 4: Detection Atlas

11 detection records with SIEM-agnostic pseudologic, coverage scores, false positive classes, and design rationale.

Phase 5: Validation Lab

One-command lab: Docker + Vagrant Windows 10 VM + Ansible provisioning. 11 benign simulations, 12 Kibana proof screenshots.

Phase 6: Coverage Matrix

21 procedure techniques + 7 from source set. 16 techniques (76%) fully validated. 6 capability gates that determine your effective coverage floor.

Key Results

Validation: 14 PASS / 1 PARTIAL / 1 FAIL

16 rule checks across 11 detection records; some detections have multiple rules that are tested separately. Every PASS is backed by a Kibana screenshot. The PARTIAL and FAIL results are documented with root cause and fix path. 9 of 11 detections have a coverage score ≥ 4 (lab-validated).

11 Detection Records

SIEM-agnostic pseudologic (Sigma, KQL, Elastic JSON, SPL). Coverage scores: 5 = lab-validated multi-source, 4 = lab-validated single-source, 3 = validation incomplete or failed (documented reason). 9 detections score ≥ 4; 2 score 3.

8 Promoted Sources

From 71 AI-assisted candidate sources, 8 government and vendor sources survived the analyst review gate: CISA AA22-055A, INCD 2023, INCD 2024, and five supporting vendor sources.

21 ATT&CK Techniques (procedure dataset)

Mapped across 8 tactics. 16 techniques (76%) fully lab-validated. 6 capability gates determine your effective coverage floor.

Reproduce It

Deploy the full stack from a single command:

git clone https://github.com/anpa1200/operation-desert-hydra.git
cd operation-desert-hydra
cp stack/.env.template stack/.env
# fill in ELASTIC_PASSWORD, OPENCTI_ADMIN_PASSWORD, OPENCTI_ADMIN_TOKEN
bash start.sh
# → OpenCTI: http://localhost:8080
# → Kibana:  http://localhost:5601

Prerequisites: Docker, VirtualBox, Vagrant, Ansible, Python 3 + pywinrm. All 11 simulations run automatically (~10 min).

Related Projects

CTI Analyst Field Manual

Practitioner tradecraft: PIRs, evidence handling, attribution, source reliability, infrastructure pivoting, hunting hypotheses, detection backlog, SOC handoff, and 10 reusable analyst templates.

Israel Government Threat Actors CTI

Defensive knowledge base for threat actors targeting Israeli government, public-sector, critical infrastructure, and adjacent suppliers. Actor profiles, ATT&CK mappings, and detection examples. Blue-team only.

Customer-Driven AI CTI

Gate-controlled CTI-to-detection delivery methodology from customer requirements and PIRs/SIRs to detection backlog, SOC handoff, and measurable defensive outcomes.

OpenCTI Intelligent Shield

OpenCTI platform with Claude-powered enrichment connector: STIX 2.1 workflows, confidence-scored IOC enrichment, and an analyst gate before any object enters the graph.
