Added a blog post describing Sigma in Velociraptor (#4)

Velocidex · Nov 5, 2023 · 77927d1 · 77927d1
1 parent 3adda7c
commit 77927d1
Show file tree

Hide file tree

Showing 22 changed files with 627 additions and 11 deletions.
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
@@ -30,8 +30,8 @@ jobs:
       - name: Prepare
         run: |
           make linux
-          cd hayabusa/ && ../velosigmac compile --config ../config/windows_hayabusa_rules.yaml --output ../output/Velociraptor-Hayabusa-Rules.zip ; cd -
-          cd hayabusa/ && ../velosigmac compile --config ../config/windows_hayabusa_event_monitoring.yaml --output ../output/Velociraptor-Hayabusa-Monitoring.zip ; cd -
+          ./velosigmac compile --config ./config/windows_hayabusa_rules.yaml --output ./output/Velociraptor-Hayabusa-Rules.zip ; cd .
+          ./velosigmac compile --config ./config/windows_hayabusa_event_monitoring.yaml --output ./output/Velociraptor-Hayabusa-Monitoring.zip ; cd .
           cp output/*.zip docs/static/
 
       - name: Build

diff --git a/.github/workflows/spellchecker.yml b/.github/workflows/spellchecker.yml
@@ -0,0 +1,18 @@
+name: Spellcheck Action
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+
+jobs:
+  build:
+    name: Spellcheck
+    runs-on: ubuntu-latest
+    steps:
+      # The checkout step
+      - uses: actions/checkout@master
+      - uses: rojopolis/spellcheck-github-actions@0.27.0
+        name: Spellcheck
+        with:
+          config_path: .pyspelling.yml
diff --git a/.pyspelling.yml b/.pyspelling.yml
@@ -0,0 +1,41 @@
+matrix:
+- name: Markdown
+  aspell:
+    lang: en
+    d: en_US
+  dictionary:
+    wordlists:
+      - .wordlist.txt
+    output: .wordlist.dict
+  sources:
+  - 'docs/content/**/*.md'
+  pipeline:
+    - pyspelling.filters.context:
+        context_visible_first: true
+        escapes: '\\[\\`]'
+        delimiters:
+          # Ignore multiline content between fences (fences can have 3 or more back ticks)
+          # ```
+          # content
+          # ```
+          - open: '(?s)^(?P<open> *`{3,})'
+            close: '^(?P=open)$'
+            # Insides of URL links
+          - open: '\]\('
+            close: '\)'
+            # Bolded words are usually terms
+          - open: '[*]+'
+            close: '[*]+'
+            # Inside HTML tags
+          - open: '(?s)(?P<open>[<])'
+            close: '[>]'
+            # Ignore text between inline back ticks
+          - open: '(?P<open>`+)'
+            close: '(?P=open)'
+
+            # Inside yaml headers
+          - open: '(?s)^(?P<open>---)$'
+            close: '^(?P=open)$'
+
+    - pyspelling.filters.markdown:
+    - pyspelling.filters.url:
diff --git a/.wordlist.dict b/.wordlist.dict
diff --git a/.wordlist.txt b/.wordlist.txt
@@ -0,0 +1,39 @@
+<url-free> docs/content/_index.md
+--------------------------------------------------------------------------------
+Velociraptor
+--------------------------------------------------------------------------------
+
+Misspelled words:
+<url-free> docs/content/docs/sigma_in_velociraptor/_index.md
+--------------------------------------------------------------------------------
+Capuano
+ECS
+ETW
+EVTX
+Gb
+Hayabusa
+MSDN
+SIEM
+SIEMs
+Splunk
+Sysmon
+VQL
+Velociraptor
+Velociraptor's
+backend
+backend's
+backends
+br
+config
+detections
+executables
+li
+mb
+ol
+responders
+ruleset
+scalable
+schemas
+taskscheduler
+ul
+natively
diff --git a/Makefile b/Makefile
@@ -9,4 +9,5 @@ windows:
 	GOOS=windows GOARCH=amd64 go build -o velosigmac.exe ./src/*.go
 
 compile:
-	cd hayabusa/ && go run ../src/ compile --config ../config/windows_hayabusa_rules.yaml --output ../output/Velociraptor-Hayabusa-Rules.zip
+	./velosigmac compile --config ./config/windows_hayabusa_rules.yaml --output ./output/Velociraptor-Hayabusa-Rules.zip
+	./velosigmac compile --config ./config/windows_hayabusa_event_monitoring.yaml --output ./output/Velociraptor-Hayabusa-Monitoring.zip
diff --git a/config/windows_hayabusa_event_monitoring.yaml b/config/windows_hayabusa_event_monitoring.yaml
@@ -702,7 +702,7 @@ BaseReferenceURL:
   https://github.com/Yamato-Security/hayabusa-rules/tree/main/
 
 RuleDirectories:
-  - hayabusa/builtin/
-  - hayabusa/sysmon/
-  - sigma/builtin/
-  - sigma/builtin/sysmon
+  - hayabusa/hayabusa/builtin/
+  - hayabusa/hayabusa/sysmon/
+  - hayabusa/sigma/builtin/
+  - hayabusa/sigma/builtin/sysmon
diff --git a/config/windows_hayabusa_rules.yaml b/config/windows_hayabusa_rules.yaml
@@ -267,6 +267,7 @@ FieldMappings:
   TaskDate: "x=>x.EventData.TaskContent"
   TaskName: "x=>x.EventData.TaskName"
   TemplateContent: "x=>x.EventData.TemplateContent"
+  Timestamp: "x=>x.System.TimeCreated.SystemTime"
   ThreatName: "x=>x.EventData.`Threat Name`"
   TicketEncryptionType: "x=>x.EventData.TicketEncryptionType"
   TicketOptions: "x=>x.EventData.TicketOptions"
@@ -701,7 +702,7 @@ BaseReferenceURL:
   https://github.com/Yamato-Security/hayabusa-rules/tree/main/
 
 RuleDirectories:
-  - hayabusa/builtin/
-  - hayabusa/sysmon/
-  - sigma/builtin/
-  - sigma/builtin/sysmon
+  - hayabusa/hayabusa/builtin/
+  - hayabusa/hayabusa/sysmon/
+  - hayabusa/sigma/builtin/
+  - hayabusa/sigma/builtin/sysmon
diff --git a/docs/content/_index.md b/docs/content/_index.md
@@ -4,3 +4,5 @@ date: 2023-10-15T00:14:44+10:00
 ---
 
 # The Velociraptor Sigma Rules Repository
+
+This repository contains curated Sigma Rules to be used by the [Velociraptor Endpoint visibility tool](https://docs.velociraptor.app).
Original file line number	Diff line number	Diff line change
Expand Up		@@ -4,3 +4,5 @@ date: 2023-10-15T00:14:44+10:00
		---

		# The Velociraptor Sigma Rules Repository

		This repository contains curated Sigma Rules to be used by the [Velociraptor Endpoint visibility tool](https://docs.velociraptor.app).