What is CHAD?

CHAD (Cyber Hunting And Detection) is a web-based Sigma rule management and alerting platform for OpenSearch. It replaces OpenSearch’s built-in Security Analytics with a modern, feature-rich interface designed for security teams.

Why CHAD?

OpenSearch Security Analytics provides basic detection capabilities, but security teams need more:
  • Better rule editing - A proper YAML editor with schema validation, not a clunky form
  • Version control - See what changed, when, and roll back if needed
  • Testing before deployment - Validate rules against sample logs or historical data
  • False positive management - Exception rules to tune out noise without disabling detections
  • Threat intelligence enrichment - Automatic enrichment from VirusTotal, AbuseIPDB, and more
  • Integration flexibility - Webhooks, Jira tickets, and custom notifications
CHAD provides all of this while leveraging OpenSearch’s powerful percolator engine for real-time matching.

Key Features

Rule Management

Monaco-based YAML editor with Sigma schema validation, autocomplete, and field mapping verification

Real-time Alerting

OpenSearch percolators match incoming logs against thousands of rules in milliseconds

SigmaHQ Integration

Browse, search, and bulk import rules from the official SigmaHQ repository

Threat Intelligence

Automatic enrichment from 8+ TI sources including VirusTotal, AbuseIPDB, and MISP

Exception Rules

Sophisticated false positive tuning with AND/OR logic groups

MITRE ATT&CK

Visualize detection coverage across the ATT&CK matrix

Architecture Overview

CHAD follows a modern three-tier architecture:
┌─────────────────────────────────────────────────────────────────┐
│                    Frontend (React + shadcn/ui)                 │
└───────────────────────────────┬─────────────────────────────────┘
                                │
                                ▼
┌─────────────────────────────────────────────────────────────────┐
│                    Backend (FastAPI + pySigma)                  │
└───────────────────────────────┬─────────────────────────────────┘
                                │
        ┌───────────────────────┼───────────────────────┐
        ▼                       ▼                       ▼
┌───────────────┐      ┌───────────────┐      ┌───────────────┐
│  PostgreSQL   │      │  OpenSearch   │      │   External    │
│  (Config)     │      │  (Percolators │      │   Services    │
│               │      │   & Alerts)   │      │               │
└───────────────┘      └───────────────┘      └───────────────┘
  • Frontend: React 19 with TypeScript, Tailwind CSS, and shadcn/ui components
  • Backend: FastAPI with async support, pySigma for rule translation
  • PostgreSQL: Stores rules, users, configuration, and audit logs
  • OpenSearch: Stores percolator queries and alert data

How Detection Works

  1. Write a Sigma rule in the YAML editor with validation
  2. Deploy the rule - CHAD translates it to OpenSearch query language and creates a percolator
  3. Logs flow in via Fluentd to OpenSearch
  4. Percolators match incoming logs in real-time
  5. Alerts fire with optional TI enrichment and notifications
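The five steps above (and the exception-rule tuning described under Key Features) can be traced end to end with the following added example. It is not CHAD's code and not pySigma's OpenSearch backend, which CHAD uses for the real translation; it is a deliberately small translator for one rule shape (field maps with the contains/startswith/endswith modifiers, and an "a and not b" condition), plus the percolator mapping and search bodies OpenSearch expects, plus an offline evaluator that stands in for the percolator so the flow runs without a cluster. The rule, the rule id, the parent-process filter (playing the role of an exception rule) and the three process-creation events are all constructed for the example; Fluentd ingestion is not modelled.

```python
"""Added example (not CHAD's code): Sigma -> OpenSearch bool query -> percolator document,
with a small local evaluator so the flow runs offline against constructed events."""
import re

# Constructed rule, written as the dict yaml.safe_load() would return (not a SigmaHQ rule).
SIGMA_RULE = {
    "title": "Encoded PowerShell Command Line",
    "id": "00000000-0000-4000-8000-000000000001",  # placeholder id
    "level": "high",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc ", "-EncodedCommand"],
        },
        # Plays the role of a CHAD exception rule: suppress a known-benign parent process.
        "filter": {"ParentImage|endswith": "\\ci-runner.exe"},
        "condition": "selection and not filter",
    },
}

def escape_wildcard(text):
    """Escape the characters OpenSearch's wildcard query treats specially."""
    return re.sub(r"([\\*?])", r"\\\1", text)

def field_clause(field_spec, value):
    """One Sigma field (with optional |modifier) and one value -> one OpenSearch clause."""
    field, _, modifier = field_spec.partition("|")
    if not modifier:
        return {"term": {field: value}}
    shapes = {"contains": "*{}*", "startswith": "{}*", "endswith": "*{}"}
    if modifier not in shapes:
        raise ValueError(f"unsupported modifier: {modifier}")
    pattern = shapes[modifier].format(escape_wildcard(value))
    return {"wildcard": {field: {"value": pattern, "case_insensitive": True}}}

def selection_query(selection):
    """Sigma map semantics: fields are ANDed, list values for one field are ORed."""
    must = []
    for field_spec, value in selection.items():
        clauses = [field_clause(field_spec, v) for v in (value if isinstance(value, list) else [value])]
        must.append(clauses[0] if len(clauses) == 1
                    else {"bool": {"should": clauses, "minimum_should_match": 1}})
    return {"bool": {"must": must}}

def sigma_to_opensearch(rule):
    """Translate a rule whose condition is 'a and b and not c' style into one bool query."""
    detection, must, must_not = rule["detection"], [], []
    for part in detection["condition"].split(" and "):
        name = part.strip()
        if name.startswith("not "):
            must_not.append(selection_query(detection[name[4:].strip()]))
        else:
            must.append(selection_query(detection[name]))
    return {"bool": {"must": must, "must_not": must_not}}

# Index mapping for the percolator index: stored queries live in a field of type "percolator".
PERCOLATOR_MAPPING = {"mappings": {"properties": {
    "query": {"type": "percolator"},
    "Image": {"type": "keyword"}, "ParentImage": {"type": "keyword"}, "CommandLine": {"type": "keyword"},
}}}

def percolator_document(rule):
    """Document to index into the percolator index: the translated query plus rule metadata."""
    return {"rule_id": rule["id"], "title": rule["title"], "level": rule["level"],
            "query": sigma_to_opensearch(rule)}

def percolate_search(event):
    """Search body asking OpenSearch which stored rule queries an incoming log matches."""
    return {"query": {"percolate": {"field": "query", "document": event}}}

def _wildcard_regex(pattern):
    """Compile an OpenSearch-style wildcard pattern (with backslash escapes) to a regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1])); i += 2
        else:
            out.append(".*" if c == "*" else "." if c == "?" else re.escape(c)); i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)

def matches(clause, event):
    """Offline stand-in for the percolator: evaluate a term/wildcard/bool clause on one event."""
    if "term" in clause:
        (field, value), = clause["term"].items()
        return event.get(field) == value
    if "wildcard" in clause:
        (field, spec), = clause["wildcard"].items()
        return bool(_wildcard_regex(spec["value"]).match(str(event.get(field, ""))))
    b = clause["bool"]
    return (all(matches(c, event) for c in b.get("must", []))
            and not any(matches(c, event) for c in b.get("must_not", []))
            and (not b.get("should") or any(matches(c, event) for c in b["should"])))

# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"id": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"id": 2, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Tools\\ci-runner.exe", "CommandLine": "powershell.exe -EncodedCommand SQBFAFgA"},
    {"id": 3, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe /c whoami"},
]

def alerting_events(rule, events):
    """Ids of the events the deployed rule would raise an alert for."""
    query = percolator_document(rule)["query"]
    return [e["id"] for e in events if matches(query, e)]

if __name__ == "__main__":
    print(alerting_events(SIGMA_RULE, EVENTS))  # → [1]
```

Event 2 matches the selection but is suppressed by the filter, which is exactly the effect an exception rule has in practice: the detection stays deployed and the noise is carved out in the query's must_not. Two points worth checking when doing this for real: Sigma string matching is case-insensitive, so the wildcard clauses carry case_insensitive, and literal backslashes in values must be escaped or OpenSearch will read them as escape characters.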

Next Steps