
Commit

Update docs (again)
wagga40 committed Dec 2, 2023
1 parent 05d649b commit 2131569
Showing 5 changed files with 7 additions and 6 deletions.
8 changes: 4 additions & 4 deletions docs/Advanced.md
Expand Up @@ -126,7 +126,7 @@ Examples :

### Rule filters

Some rules can be noisy or slow on specific datasets (check [here](rules/Readme.md)) so it is possible to skip them by using the `-R` or `--rulefilter` argument. This argument can be used multiple times.
Some rules can be noisy or slow on specific datasets (check [here](https://github.com/wagga40/Zircolite/tree/master/rules/README.md)) so it is possible to skip them by using the `-R` or `--rulefilter` argument. This argument can be used multiple times.

The filter will apply on the rule title. Since there is a CRC32 in the rule title it is easier to use it. For example, to skip execution of the rule "Suspicious Eventlog Clear or Configuration Using Wevtutil - BFFA7F72" :

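Review bot: the replacement link on the "Some rules can be noisy or slow" line points at a file through `tree/master/rules/README.md`; GitHub redirects that to `blob/`, but `https://github.com/wagga40/Zircolite/blob/master/rules/README.md` is the canonical file URL and avoids the redirect. Hard-coding `master` in every link added in this file also means a default-branch rename breaks all of them at once, so keep that in mind if the branch is ever renamed.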
Expand Down Expand Up @@ -168,7 +168,7 @@ If you have multiple endpoints to scan, it is useful to send the detected events
python3 zircolite.py --evtx sample.evtx --ruleset rules/rules_windows_sysmon.json \
--remote "http://address:port/uri"
```
An **example** server called is available in the [tools](../tools/zircolite_server/) directory.
An **example** server called is available in the [tools](https://github.com/wagga40/Zircolite/tree/master/tools/zircolite_server/) directory.

### Forward events to a Splunk instance via HEC

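Review bot: the sentence "An **example** server called is available in the [tools](...) directory." is still missing the server's name after "called", in both the old and the new line; since the line is rewritten anyway, either name the server or drop "called" so it reads "An example server is available in the tools directory".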
Expand Down Expand Up @@ -213,7 +213,7 @@ Zircolite is able to forward all events and not just the detected events to Splu

## Templating and Formatting

Zircolite provides a templating system based on Jinja 2. It allows you to change the output format to suits your needs (Splunk or ELK integration, Grep-able output...). There are some templates available in the [Templates directory](../templates) of the repository : Splunk, Timesketch, ... To use the template system, use these arguments :
Zircolite provides a templating system based on Jinja 2. It allows you to change the output format to suits your needs (Splunk or ELK integration, Grep-able output...). There are some templates available in the [Templates directory](https://github.com/wagga40/Zircolite/tree/master/templates) of the repository : Splunk, Timesketch, ... To use the template system, use these arguments :

- `--template <template_filename>`
- `--templateOutput <output_filename>`
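Review bot: "to suits your needs" on the rewritten line should be "to suit your needs"; worth fixing while the line is touched, since this is the only edit to that paragraph.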
Expand All @@ -238,7 +238,7 @@ As of Zircolite 2.1.0, the easier way to use the Mini-GUI is to generate a packa

### Manual generation

You need to generate a `data.js` file with the `exportForZircoGui.tmpl` template, decompress the zircogui.zip file in the [gui](gui/) directory and replace the `data.js` file in it with yours :
You need to generate a `data.js` file with the `exportForZircoGui.tmpl` template, decompress the zircogui.zip file in the [gui](https://github.com/wagga40/Zircolite/tree/master/gui/) directory and replace the `data.js` file in it with yours :

```shell
python3 zircolite.py --evtx sample.evtx
2 changes: 1 addition & 1 deletion docs/README.md
Expand Up @@ -5,6 +5,6 @@
- **Zircolite** can be used directly on the investigated endpoint or in your forensic/detection lab
- **Zircolite** is relatively fast and can parse large datasets in just seconds
- **Zircolite** is based on a Sigma backend (SQLite) and do not use internal sigma to "something" conversion
- **Zircolite** can export results to multiple format with using Jinja [templates](templates) : JSON, CSV, JSONL, Splunk, Elastic, Zinc, Timesketch...
- **Zircolite** can export results to multiple format with using Jinja : JSON, CSV, JSONL, Splunk, Elastic, Zinc, Timesketch...

**Zircolite can be used directly in Python or you can use the binaries provided in [releases](https://github.com/wagga40/Zircolite/releases).**
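Review bot: removing the `[templates](templates)` link also removed the word "templates", so the new bullet reads "to multiple format with using Jinja : JSON, ...", which no longer parses. Suggest "can export results to multiple formats using Jinja templates: JSON, CSV, JSONL, ...", which keeps the meaning and fixes "format" and "with using" in the same edit.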
2 changes: 1 addition & 1 deletion docs/Usage.md
Expand Up @@ -163,7 +163,7 @@ If you need to re-execute Zircolite, you can do it directly using the SQLite da

## Field mappings, field exclusions, value exclusions, field aliases and field splitting

Sometimes your logs need some transformations to allow your rules to match against them. Zircolite has multiple mechanisms for this. The configuration of these mechanisms is provided by a file that can be found in the [config](../config/) directory of the repository. It is also possible to provide your own configuration woth the `--config` or `-c` options.
Sometimes your logs need some transformations to allow your rules to match against them. Zircolite has multiple mechanisms for this. The configuration of these mechanisms is provided by a file that can be found in the [config](https://github.com/wagga40/Zircolite/tree/master/config/) directory of the repository. It is also possible to provide your own configuration woth the `--config` or `-c` options.

The configuration file has the following structure :

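Review bot: the typo "woth" ("provide your own configuration woth the `--config` or `-c` options") is carried over unchanged into the new line; fix it to "with" in this same edit rather than leaving it for another docs pass.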
Binary file modified docs/Zircolite_manual.pdf
Binary file not shown.
1 change: 1 addition & 0 deletions docs/index.html
Expand Up @@ -13,6 +13,7 @@
<script>
window.$docsify = {
name: 'Zircolite',
repo: 'wagga40/Zircolite',
auto2top: true,
loadSidebar: true
}

0 comments on commit 2131569
