├── .gitignore
├── README.md
├── icikit.sln
└── icikit
├── AccountService.cs
├── FileUploadService.cs
├── IIncikit.cs
└── icikit.csproj
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Ww][Ii][Nn]32/
27 | [Aa][Rr][Mm]/
28 | [Aa][Rr][Mm]64/
29 | bld/
30 | [Bb]in/
31 | [Oo]bj/
32 | [Oo]ut/
33 | [Ll]og/
34 | [Ll]ogs/
35 |
36 | # Visual Studio 2015/2017 cache/options directory
37 | .vs/
38 | # Uncomment if you have tasks that create the project's static files in wwwroot
39 | #wwwroot/
40 |
41 | # Visual Studio 2017 auto generated files
42 | Generated\ Files/
43 |
44 | # MSTest test Results
45 | [Tt]est[Rr]esult*/
46 | [Bb]uild[Ll]og.*
47 |
48 | # NUnit
49 | *.VisualState.xml
50 | TestResult.xml
51 | nunit-*.xml
52 |
53 | # Build Results of an ATL Project
54 | [Dd]ebugPS/
55 | [Rr]eleasePS/
56 | dlldata.c
57 |
58 | # Benchmark Results
59 | BenchmarkDotNet.Artifacts/
60 |
61 | # .NET Core
62 | project.lock.json
63 | project.fragment.lock.json
64 | artifacts/
65 |
66 | # ASP.NET Scaffolding
67 | ScaffoldingReadMe.txt
68 |
69 | # StyleCop
70 | StyleCopReport.xml
71 |
72 | # Files built by Visual Studio
73 | *_i.c
74 | *_p.c
75 | *_h.h
76 | *.ilk
77 | *.meta
78 | *.obj
79 | *.iobj
80 | *.pch
81 | *.pdb
82 | *.ipdb
83 | *.pgc
84 | *.pgd
85 | *.rsp
86 | *.sbr
87 | *.tlb
88 | *.tli
89 | *.tlh
90 | *.tmp
91 | *.tmp_proj
92 | *_wpftmp.csproj
93 | *.log
94 | *.vspscc
95 | *.vssscc
96 | .builds
97 | *.pidb
98 | *.svclog
99 | *.scc
100 |
101 | # Chutzpah Test files
102 | _Chutzpah*
103 |
104 | # Visual C++ cache files
105 | ipch/
106 | *.aps
107 | *.ncb
108 | *.opendb
109 | *.opensdf
110 | *.sdf
111 | *.cachefile
112 | *.VC.db
113 | *.VC.VC.opendb
114 |
115 | # Visual Studio profiler
116 | *.psess
117 | *.vsp
118 | *.vspx
119 | *.sap
120 |
121 | # Visual Studio Trace Files
122 | *.e2e
123 |
124 | # TFS 2012 Local Workspace
125 | $tf/
126 |
127 | # Guidance Automation Toolkit
128 | *.gpState
129 |
130 | # ReSharper is a .NET coding add-in
131 | _ReSharper*/
132 | *.[Rr]e[Ss]harper
133 | *.DotSettings.user
134 |
135 | # TeamCity is a build add-in
136 | _TeamCity*
137 |
138 | # DotCover is a Code Coverage Tool
139 | *.dotCover
140 |
141 | # AxoCover is a Code Coverage Tool
142 | .axoCover/*
143 | !.axoCover/settings.json
144 |
145 | # Coverlet is a free, cross platform Code Coverage Tool
146 | coverage*.json
147 | coverage*.xml
148 | coverage*.info
149 |
150 | # Visual Studio code coverage results
151 | *.coverage
152 | *.coveragexml
153 |
154 | # NCrunch
155 | _NCrunch_*
156 | .*crunch*.local.xml
157 | nCrunchTemp_*
158 |
159 | # MightyMoose
160 | *.mm.*
161 | AutoTest.Net/
162 |
163 | # Web workbench (sass)
164 | .sass-cache/
165 |
166 | # Installshield output folder
167 | [Ee]xpress/
168 |
169 | # DocProject is a documentation generator add-in
170 | DocProject/buildhelp/
171 | DocProject/Help/*.HxT
172 | DocProject/Help/*.HxC
173 | DocProject/Help/*.hhc
174 | DocProject/Help/*.hhk
175 | DocProject/Help/*.hhp
176 | DocProject/Help/Html2
177 | DocProject/Help/html
178 |
179 | # Click-Once directory
180 | publish/
181 |
182 | # Publish Web Output
183 | *.[Pp]ublish.xml
184 | *.azurePubxml
185 | # Note: Comment the next line if you want to checkin your web deploy settings,
186 | # but database connection strings (with potential passwords) will be unencrypted
187 | *.pubxml
188 | *.publishproj
189 |
190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
191 | # checkin your Azure Web App publish settings, but sensitive information contained
192 | # in these scripts will be unencrypted
193 | PublishScripts/
194 |
195 | # NuGet Packages
196 | *.nupkg
197 | # NuGet Symbol Packages
198 | *.snupkg
199 | # The packages folder can be ignored because of Package Restore
200 | **/[Pp]ackages/*
201 | # except build/, which is used as an MSBuild target.
202 | !**/[Pp]ackages/build/
203 | # Uncomment if necessary however generally it will be regenerated when needed
204 | #!**/[Pp]ackages/repositories.config
205 | # NuGet v3's project.json files produces more ignorable files
206 | *.nuget.props
207 | *.nuget.targets
208 |
209 | # Microsoft Azure Build Output
210 | csx/
211 | *.build.csdef
212 |
213 | # Microsoft Azure Emulator
214 | ecf/
215 | rcf/
216 |
217 | # Windows Store app package directories and files
218 | AppPackages/
219 | BundleArtifacts/
220 | Package.StoreAssociation.xml
221 | _pkginfo.txt
222 | *.appx
223 | *.appxbundle
224 | *.appxupload
225 |
226 | # Visual Studio cache files
227 | # files ending in .cache can be ignored
228 | *.[Cc]ache
229 | # but keep track of directories ending in .cache
230 | !?*.[Cc]ache/
231 |
232 | # Others
233 | ClientBin/
234 | ~$*
235 | *~
236 | *.dbmdl
237 | *.dbproj.schemaview
238 | *.jfm
239 | *.pfx
240 | *.publishsettings
241 | orleans.codegen.cs
242 |
243 | # Including strong name files can present a security risk
244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
245 | #*.snk
246 |
247 | # Since there are multiple workflows, uncomment next line to ignore bower_components
248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
249 | #bower_components/
250 |
251 | # RIA/Silverlight projects
252 | Generated_Code/
253 |
254 | # Backup & report files from converting an old project file
255 | # to a newer Visual Studio version. Backup files are not needed,
256 | # because we have git ;-)
257 | _UpgradeReport_Files/
258 | Backup*/
259 | UpgradeLog*.XML
260 | UpgradeLog*.htm
261 | ServiceFabricBackup/
262 | *.rptproj.bak
263 |
264 | # SQL Server files
265 | *.mdf
266 | *.ldf
267 | *.ndf
268 |
269 | # Business Intelligence projects
270 | *.rdl.data
271 | *.bim.layout
272 | *.bim_*.settings
273 | *.rptproj.rsuser
274 | *- [Bb]ackup.rdl
275 | *- [Bb]ackup ([0-9]).rdl
276 | *- [Bb]ackup ([0-9][0-9]).rdl
277 |
278 | # Microsoft Fakes
279 | FakesAssemblies/
280 |
281 | # GhostDoc plugin setting file
282 | *.GhostDoc.xml
283 |
284 | # Node.js Tools for Visual Studio
285 | .ntvs_analysis.dat
286 | node_modules/
287 |
288 | # Visual Studio 6 build log
289 | *.plg
290 |
291 | # Visual Studio 6 workspace options file
292 | *.opt
293 |
294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
295 | *.vbw
296 |
297 | # Visual Studio LightSwitch build output
298 | **/*.HTMLClient/GeneratedArtifacts
299 | **/*.DesktopClient/GeneratedArtifacts
300 | **/*.DesktopClient/ModelManifest.xml
301 | **/*.Server/GeneratedArtifacts
302 | **/*.Server/ModelManifest.xml
303 | _Pvt_Extensions
304 |
305 | # Paket dependency manager
306 | .paket/paket.exe
307 | paket-files/
308 |
309 | # FAKE - F# Make
310 | .fake/
311 |
312 | # CodeRush personal settings
313 | .cr/personal
314 |
315 | # Python Tools for Visual Studio (PTVS)
316 | __pycache__/
317 | *.pyc
318 |
319 | # Cake - Uncomment if you are using it
320 | # tools/**
321 | # !tools/packages.config
322 |
323 | # Tabs Studio
324 | *.tss
325 |
326 | # Telerik's JustMock configuration file
327 | *.jmconfig
328 |
329 | # BizTalk build output
330 | *.btp.cs
331 | *.btm.cs
332 | *.odx.cs
333 | *.xsd.cs
334 |
335 | # OpenCover UI analysis results
336 | OpenCover/
337 |
338 | # Azure Stream Analytics local run output
339 | ASALocalRun/
340 |
341 | # MSBuild Binary and Structured Log
342 | *.binlog
343 |
344 | # NVidia Nsight GPU debugger configuration file
345 | *.nvuser
346 |
347 | # MFractors (Xamarin productivity tool) working folder
348 | .mfractor/
349 |
350 | # Local History for Visual Studio
351 | .localhistory/
352 |
353 | # BeatPulse healthcheck temp database
354 | healthchecksdb
355 |
356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
357 | MigrationBackup/
358 |
359 | # Ionide (cross platform F# VS Code tools) working folder
360 | .ionide/
361 |
362 | # Fody - auto-generated XML schema
363 | FodyWeavers.xsd
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Incikit
2 |
3 | **Incikit** is an incident response library for C# .NET applications that enables automatic actions in response to detected security threats. This library provides a simple framework for responding to suspicious activities such as unauthorized access attempts, malicious file uploads, and unusual account behavior. Actions include locking accounts, notifying administrators, and quarantining suspicious files. Incikit integrates easily with existing Endpoint Detection and Response (EDR) solutions to provide a robust response layer for applications.
4 |
5 | ## Key Features
6 |
7 | - **Automated Incident Response**: Lock accounts, quarantine files, or notify admins in response to suspicious behavior.
8 | - **Customizable Actions**: Easily configure response actions to meet specific security requirements.
9 | - **EDR Integration**: Seamlessly integrates with existing EDR systems for extended security monitoring and management.
10 | - **Event Logging**: Logs incidents and responses for later analysis and auditing.
11 |
12 | ## Getting Started
13 |
14 | ### Installation
15 |
16 | Install Incikit via NuGet Package Manager Console:
17 |
18 | ```powershell
19 | Install-Package Incikit
20 | ```
21 |
22 | Or, add it to your .csproj file:
23 | ```xml
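24 | <PackageReference Include="Incikit" Version="x.y.z" /> <!-- x.y.z is a placeholder: use the package version you intend to install -->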
25 | ```
26 |
27 | ## Setup and Configuration
28 |
29 | 1. Initialize Incikit in your application’s startup file (e.g., Startup.cs).
30 | 2. Configure the library with desired incident response actions and integration settings.
31 |
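32 | Here’s an example setup in Startup.cs. The files listed for this repository contain only the `IIncikit` interface and two sample services, so the `AddIncikit` extension and its options shown here are not backed by code in this listing; confirm they exist in the package version you install before relying on them: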
33 | ```csharp
34 | // Startup.cs
35 | using Incikit;
36 |
/// <summary>
/// Application startup class that registers Incikit and selects its response actions.
/// </summary>
public class Startup
{
    /// <summary>Adds Incikit to the service collection.</summary>
    /// <param name="services">The application's service collection.</param>
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddIncikit(incikitOptions =>
        {
            // Respond to unauthorized access attempts by locking the account.
            incikitOptions.EnableAccountLocking = true;

            // Move suspicious files found by the application into quarantine.
            incikitOptions.EnableFileQuarantine = true;

            // Mailbox that receives administrator notifications.
            incikitOptions.NotifyAdminEmail = "admin@example.com";

            // Record every incident response in the log.
            incikitOptions.LogAllIncidents = true;
        });
    }
}
50 | ```
51 |
52 | ## Usage
53 | Incikit can be integrated with security checks throughout your application to detect and respond to threats automatically.
54 |
55 | ### Example 1: Locking an Account After Suspicious Activity
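56 | In this example, an account will be locked if the library detects multiple failed login attempts, which could indicate a brute-force attack. Because the lock is keyed on a username that the caller supplies, pair it with per-source rate limiting or a time-limited lock so that repeated bad logins cannot be used to keep a legitimate user out. `AuthenticateUser` below is a placeholder that always returns `false`; replace it with the real credential check.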
57 | ```csharp
58 | using Incikit;
59 |
/// <summary>
/// Example login service: every login that fails authentication is handed to Incikit.
/// </summary>
public class AccountService
{
    private readonly IIncikit _incikit;

    /// <summary>Stores the Incikit handler used to report failed logins.</summary>
    public AccountService(IIncikit incikit) => _incikit = incikit;

    /// <summary>
    /// Authenticates the user and, when authentication fails, reports the attempt
    /// to Incikit under the supplied username.
    /// </summary>
    public void Login(string username, string password)
    {
        if (AuthenticateUser(username, password))
        {
            // Successful logins are not reported.
            return;
        }

        _incikit.HandleFailedLoginAttempt(username);
    }

    // Placeholder for the real authentication logic; as written it rejects
    // every credential, so every Login call is reported as a failure.
    private bool AuthenticateUser(string username, string password) => false;
}
85 | ```
86 |
87 | ### Example 2: Quarantining a Suspicious File
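88 | This example shows how Incikit can quarantine a suspicious file detected in the system, preventing further access until it is reviewed by an admin. The `IIncikit.QuarantineFile` method in this repository takes a `System.IO.FileStream`, so that is the type the upload service passes to it. `IsFileSuspicious` is a placeholder that flags every file; substitute your own detection logic.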
89 | ```csharp
90 | using Incikit;
91 |
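/// <summary>
/// Example upload service: files judged suspicious are handed to Incikit for quarantine.
/// </summary>
/// <remarks>
/// The parameter type is <see cref="System.IO.FileStream"/>, matching
/// <c>IIncikit.QuarantineFile(FileStream)</c>. <c>System.IO.File</c> is a static class
/// and cannot be used as a parameter type.
/// </remarks>
public class FileUploadService
{
    private readonly IIncikit _incikit;

    /// <summary>Stores the Incikit handler used to quarantine files.</summary>
    public FileUploadService(IIncikit incikit)
    {
        _incikit = incikit;
    }

    /// <summary>Quarantines <paramref name="file"/> when it is judged suspicious.</summary>
    /// <param name="file">Stream over the uploaded file.</param>
    public void UploadFile(System.IO.FileStream file)
    {
        if (IsFileSuspicious(file))
        {
            _incikit.QuarantineFile(file);
        }
    }

    // Placeholder for the real detection logic; as written it flags every file,
    // so every upload is sent to quarantine.
    private bool IsFileSuspicious(System.IO.FileStream file)
    {
        // Logic to determine if the file is suspicious
        return true;
    }
}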
115 | ```
116 |
117 | ## Example Scenarios
118 | 1. Account Locking: Automatically lock user accounts after a series of failed login attempts.
119 | 2. File Quarantine: Place suspicious files in quarantine for review by administrators.
120 | 3. Administrator Notifications: Notify security administrators immediately when high-priority threats are detected.
121 | 4. Integration with EDR Systems: Connect to existing EDR solutions to trigger specific responses based on real-time threat data.
122 |
123 | ## Contributing
124 | We welcome contributions! Please open an issue or submit a pull request if you have suggestions or improvements.
125 |
126 | ## License
127 | This project is licensed under the MIT License - see the LICENSE file for details.
128 |
129 | ## Contact
130 | For questions or feedback, please contact [menfra@menfra.de].
131 |
132 |
133 |
--------------------------------------------------------------------------------
/icikit.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 17
4 | VisualStudioVersion = 17.8.34330.188
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "icikit", "icikit\icikit.csproj", "{E62D4F6E-693B-430F-8EC6-6A56D3544CD9}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {E62D4F6E-693B-430F-8EC6-6A56D3544CD9}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {E62D4F6E-693B-430F-8EC6-6A56D3544CD9}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {E62D4F6E-693B-430F-8EC6-6A56D3544CD9}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {E62D4F6E-693B-430F-8EC6-6A56D3544CD9}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {B6523920-BC2D-4697-80CA-11CF5FAB30FF}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/icikit/AccountService.cs:
--------------------------------------------------------------------------------
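/// <summary>
/// Sample login service that reports every failed authentication to Incikit.
/// </summary>
/// <remarks>
/// <c>AuthenticateUser</c> is a placeholder that rejects every credential, so as written
/// each call to <see cref="Login"/> is reported as a failed attempt. Replace it with a
/// real credential check before connecting this class to an account-locking response.
/// </remarks>
public class AccountService
{
    private readonly IIncikit _incikit;

    /// <summary>Creates the service.</summary>
    /// <param name="incikit">Incident-response handler notified of failed logins.</param>
    /// <exception cref="System.ArgumentNullException">
    /// <paramref name="incikit"/> is null.
    /// </exception>
    public AccountService(IIncikit incikit)
    {
        // Fail at construction time: with a null handler the first failed login would
        // throw NullReferenceException instead of being reported.
        _incikit = incikit ?? throw new System.ArgumentNullException(nameof(incikit));
    }

    /// <summary>
    /// Authenticates the user and reports the attempt to Incikit when authentication fails.
    /// </summary>
    /// <param name="username">Account name supplied by the caller.</param>
    /// <param name="password">Credential supplied by the caller.</param>
    public void Login(string username, string password)
    {
        bool isLoginSuccessful = AuthenticateUser(username, password);

        if (!isLoginSuccessful)
        {
            // Only the username is forwarded; the password is not passed to the handler.
            // NOTE(review): username is caller-supplied and not validated here; confirm
            // that the handler treats it as untrusted input.
            _incikit.HandleFailedLoginAttempt(username);
        }
    }

    // Placeholder: always reports failure until real authentication logic is added.
    private bool AuthenticateUser(string username, string password)
    {
        return false;
    }
}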
25 |
--------------------------------------------------------------------------------
/icikit/FileUploadService.cs:
--------------------------------------------------------------------------------
1 | using System.IO;
2 |
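/// <summary>
/// Sample upload service that hands suspicious files to Incikit for quarantine.
/// </summary>
/// <remarks>
/// <c>IsFileSuspicious</c> is a placeholder that flags every file, so as written each
/// upload is sent to quarantine. Replace it with real detection logic before use.
/// </remarks>
public class FileUploadService
{
    private readonly IIncikit _incikit;

    /// <summary>Creates the service.</summary>
    /// <param name="incikit">Incident-response handler that performs the quarantine.</param>
    /// <exception cref="System.ArgumentNullException">
    /// <paramref name="incikit"/> is null.
    /// </exception>
    public FileUploadService(IIncikit incikit)
    {
        // Fail at construction time rather than on the first suspicious upload.
        _incikit = incikit ?? throw new System.ArgumentNullException(nameof(incikit));
    }

    /// <summary>Quarantines <paramref name="file"/> when it is judged suspicious.</summary>
    /// <param name="file">Stream over the uploaded file.</param>
    /// <exception cref="System.ArgumentNullException">
    /// <paramref name="file"/> is null.
    /// </exception>
    public void UploadFile(FileStream file)
    {
        // Reject a missing stream here so a null is never forwarded to the handler.
        if (file == null)
        {
            throw new System.ArgumentNullException(nameof(file));
        }

        if (IsFileSuspicious(file))
        {
            // NOTE(review): IIncikit does not state whether QuarantineFile closes the
            // stream or relocates the underlying file; confirm who owns it afterwards.
            _incikit.QuarantineFile(file);
        }
    }

    private bool IsFileSuspicious(FileStream file)
    {
        // Logic to determine if the file is suspicious
        return true;
    }
}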
26 |
--------------------------------------------------------------------------------
/icikit/IIncikit.cs:
--------------------------------------------------------------------------------
1 | using System.IO;
2 |
/// <summary>
/// Incident-response entry points that the sample services call.
/// </summary>
public interface IIncikit
{
    /// <summary>Reports a failed login for the given account name.</summary>
    /// <param name="username">Account name the failed attempt was made against.</param>
    void HandleFailedLoginAttempt(string username);

    /// <summary>Hands a file to the implementation for quarantine.</summary>
    /// <param name="file">Stream over the file to quarantine.</param>
    void QuarantineFile(FileStream file);
}
--------------------------------------------------------------------------------
/icikit/icikit.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | netstandard2.1
5 | enable
6 | Incikit is a C# .NET library for automated incident response, ideal for handling unauthorized access, malicious files, and suspicious account behavior. The library provides customizable actions such as account locking, file quarantine, and administrator notifications, integrating with EDR systems to offer a strong response layer.
7 | IncidentResponse; Security; EDR; Automation; .NET
8 | menfra.icikit
9 | Frank Mensah
10 | Frank Mensah
11 | README.md
12 | 4.0.1
13 | MIT
14 | https://github.com/menfra/icikit-middleware
15 | git
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 |
--------------------------------------------------------------------------------