Add aliases to artifact references (#1004)

Author: scudette

content/artifact_references/pages/elastic.events.clients.md

@@ -4,23 +4,28 @@ hidden: true
 tags: [Server Event Artifact]
 ---
 
-This server monitoring artifact will watch a selection of client
-monitoring artifacts for new events and push those to an elastic
-index.
+This server monitoring artifact will watch a selection of client or
+server monitoring artifacts for new events and push those to an
+elastic index.
 
 NOTE: You must ensure you are collecting these artifacts from the
-clients by adding them to the "Client Events" GUI.
+clients by adding them to the "Client Events" GUI, or for server
+artifacts, the "Server Events" GUI.
 
 
-```yaml
-name: Elastic.Events.Clients
+<pre><code class="language-yaml">
+name: Elastic.Events.Upload
+aliases:
+- Elastic.Events.Clients
+
 description: |
-  This server monitoring artifact will watch a selection of client
-  monitoring artifacts for new events and push those to an elastic
-  index.
+  This server monitoring artifact will watch a selection of client or
+  server monitoring artifacts for new events and push those to an
+  elastic index.
 
   NOTE: You must ensure you are collecting these artifacts from the
-  clients by adding them to the "Client Events" GUI.
+  clients by adding them to the "Client Events" GUI, or for server
+  artifacts, the "Server Events" GUI.
 
 type: SERVER_EVENT
 
@@ -30,14 +35,20 @@ parameters:
   - name: Username
   - name: Password
   - name: APIKey
-  - name: artifactsToWatch
+  - name: ClientArtifactsToWatch
     type: artifactset
     artifact_type: CLIENT_EVENT
     default: |
       Artifact
       Windows.Detection.PsexecService
       Windows.Events.ProcessCreation
       Windows.Events.ServiceCreation
+  - name: ServerArtifactsToWatch
+    type: artifactset
+    artifact_type: SERVER_EVENT
+    default: |
+      Artifact
+      Server.Audit.Logs
   - name: DisableSSLSecurity
     type: bool
     description: Disable SSL certificate verification
@@ -56,17 +67,21 @@ parameters:
 
 sources:
   - query: |
-      LET artifacts_to_watch = SELECT Artifact
-        FROM artifactsToWatch
-        WHERE log(message="Uploading artifact " + Artifact + " to Elastic")
+      LET artifacts_to_watch = SELECT * FROM chain(
+        a={SELECT Artifact FROM ClientArtifactsToWatch},
+        b={SELECT Artifact FROM ServerArtifactsToWatch})
+      WHERE NOT Artifact =~ "Elastic.Events.Upload"
+        AND log(message="Uploading artifact " + Artifact + " to Elastic")
+
+      LET s = scope()
 
       LET events = SELECT * FROM foreach(
           row=artifacts_to_watch,
           async=TRUE,   // Required for event queries in foreach()
           query={
              SELECT *, "Artifact_" + Artifact as _index,
                     Artifact,
-                    client_info(client_id=ClientId).os_info.hostname AS Hostname,
+                    client_info(client_id=s.ClientId || "server").os_info.hostname AS Hostname,
                     timestamp(epoch=now()) AS timestamp
              FROM watch_monitoring(artifact=Artifact)
           })
@@ -85,4 +100,5 @@ sources:
           disable_ssl_security=DisableSSLSecurity,
           type="ClientEvents")
 
-```
+</code></pre>
+

content/artifact_references/pages/linux.detection.yara.glob.md

@@ -0,0 +1,193 @@
+---
+title: Linux.Detection.Yara.Glob
+hidden: true
+tags: [Client Artifact]
+---
+
+This artifact returns a list of target files then runs Yara over the target
+list.
+
+There are 2 kinds of Yara rules that can be deployed:
+
+1. Url link to a yara rule.
+2. or a Standard Yara rule attached as a parameter.
+
+Only one method of Yara will be applied and search order is as above.
+
+The artifact leverages Glob for search so relevant filters can be applied
+including Glob, Size and date. Date filters will target files with a timestamp
+before LatestTime and after EarliestTime. The artifact also has an option to
+upload any files with Yara hits.
+
+Some examples of path glob may include:
+
+* Specific binary: `/usr/bin/ls`
+* Wildcards: `/var/www/*.js`
+* More wildcards: `/var/www/**/*.js`
+* Multiple extentions: `/var/www/*\.{php,aspx,js,html}`
+* Windows: `C:/Users/**/*.{exe,dll,ps1,bat}`
+* Windows: `C:\Users\**\*.{exe,dll,ps1,bat}`
+
+NOTE: this artifact runs the glob plugin with the nosymlink switch turned on.
+This will NOT follow any symlinks and may cause unexpected results if
+unknowingly targeting a folder with symlinks.
+If upload is selected NumberOfHits is redundant and not advised as hits are
+grouped by path to ensure files only downloaded once.
+
+
+<pre><code class="language-yaml">
+name: Generic.Detection.Yara.Glob
+author: Matt Green - @mgreen27
+description: |
+  This artifact returns a list of target files then runs Yara over the target
+  list.
+
+  There are 2 kinds of Yara rules that can be deployed:
+
+  1. Url link to a yara rule.
+  2. or a Standard Yara rule attached as a parameter.
+
+  Only one method of Yara will be applied and search order is as above.
+
+  The artifact leverages Glob for search so relevant filters can be applied
+  including Glob, Size and date. Date filters will target files with a timestamp
+  before LatestTime and after EarliestTime. The artifact also has an option to
+  upload any files with Yara hits.
+
+  Some examples of path glob may include:
+
+  * Specific binary: `/usr/bin/ls`
+  * Wildcards: `/var/www/*.js`
+  * More wildcards: `/var/www/**/*.js`
+  * Multiple extentions: `/var/www/*\.{php,aspx,js,html}`
+  * Windows: `C:/Users/**/*.{exe,dll,ps1,bat}`
+  * Windows: `C:\Users\**\*.{exe,dll,ps1,bat}`
+
+  NOTE: this artifact runs the glob plugin with the nosymlink switch turned on.
+  This will NOT follow any symlinks and may cause unexpected results if
+  unknowingly targeting a folder with symlinks.
+  If upload is selected NumberOfHits is redundant and not advised as hits are
+  grouped by path to ensure files only downloaded once.
+
+aliases:
+  - Windows.Detection.Yara.Glob
+  - Linux.Detection.Yara.Glob
+  - MacOS.Detection.Yara.Glob
+
+type: CLIENT
+parameters:
+  - name: PathGlob
+    description: Only file names that match this glob will be scanned.
+    default: /usr/bin/ls
+  - name: SizeMax
+    description: maximum size of target file.
+    type: int64
+  - name: SizeMin
+    description: minimum size of target file.
+    type: int64
+  - name: UploadHits
+    type: bool
+  - name: DateAfter
+    type: timestamp
+    description: "search for events after this date. YYYY-MM-DDTmm:hh:ssZ"
+  - name: DateBefore
+    type: timestamp
+    description: "search for events before this date. YYYY-MM-DDTmm:hh:ssZ"
+  - name: YaraUrl
+    description: If configured will attempt to download Yara rules form Url
+    type: upload
+  - name: YaraRule
+    type: yara
+    description: Final Yara option and the default if no other options provided.
+    default: |
+        rule IsELF:TestRule {
+           meta:
+              author = "the internet"
+              date = "2021-05-03"
+              description = "A simple ELF rule to test yara features"
+          condition:
+             uint32(0) == 0x464c457f
+        }
+  - name: NumberOfHits
+    description: This artifact will stop by default at one hit. This setting allows additional hits
+    default: 1
+    type: int
+  - name: ContextBytes
+    description: Include this amount of bytes around hit as context.
+    default: 0
+    type: int
+
+sources:
+  - query: |
+      -- check which Yara to use
+      LET yara_rules &lt;= YaraUrl || YaraRule
+
+      -- time testing
+      LET time_test(stamp) =
+            if(condition= DateBefore AND DateAfter,
+                then= stamp &lt; DateBefore AND stamp &gt; DateAfter,
+                else=
+            if(condition=DateBefore,
+                then= stamp &lt; DateBefore,
+                else=
+            if(condition= DateAfter,
+                then= stamp &gt; DateAfter,
+                else= True
+            )))
+
+      -- first find all matching glob
+      LET files = SELECT OSPath, Name, Size, Mtime, Atime, Ctime, Btime
+        FROM glob(globs=PathGlob,nosymlink='True')
+        WHERE
+          NOT IsDir AND NOT IsLink
+          AND if(condition=SizeMin,
+            then= SizeMin &lt; Size,
+            else= True)
+          AND if(condition=SizeMax,
+            then=SizeMax &gt; Size,
+            else= True)
+          AND
+             ( time_test(stamp=Mtime)
+            OR time_test(stamp=Atime)
+            OR time_test(stamp=Ctime)
+            OR time_test(stamp=Btime))
+
+      -- scan files and prepare hit metadata
+      LET hits = SELECT * FROM foreach(row=files,
+            query={
+                SELECT
+                    OSPath,
+                    File.Size as Size,
+                    Mtime, Atime, Ctime, Btime,
+                    Rule, Tags, Meta,
+                    String.Name as YaraString,
+                    String.Offset as HitOffset,
+                    upload( accessor='scope',
+                            file='String.Data',
+                            name=format(format="%v-%v-%v",
+                            args=[
+                                OSPath,
+                                if(condition= String.Offset - ContextBytes &lt; 0,
+                                    then= 0,
+                                    else= String.Offset - ContextBytes),
+                                if(condition= String.Offset + ContextBytes &gt; Size,
+                                    then= Size,
+                                    else= String.Offset + ContextBytes) ]
+                            )) as HitContext
+                FROM yara(rules=yara_rules,files=OSPath,
+                  context=ContextBytes,number=NumberOfHits)
+            })
+
+      -- upload files if selected
+      LET upload_hits = SELECT *, upload(file=OSPath,name=OSPath) as Upload FROM hits
+
+      -- return rows
+      SELECT * FROM if(condition= UploadHits,
+                        then= upload_hits,
+                        else= hits )
+
+column_types:
+  - name: HitContext
+    type: preview_upload
+</code></pre>
+