DFIR detection by code. A repository of code based detection for use within DFIR2Go
This repo is intended to work alongside DFIR2Go. It should be cloned into a folder named ibis-as-code at the same folder level as DFIR2Go; the DFIR2Go stack automatically maps this set of folders into its containers.
Before starting, ensure you have created an App password that has read access to the repos.
- Clone the repo at the same level as DFIR2Go: `git clone [[ibis-as-code URL]]`
- Enjoy a coffee / tea / hot chocolate / mineral water
It is important that this repo keeps the correct folder structure, because DFIR2Go maps these folders by name. Here is an overview of what to place into each folder.
Files contained within this folder should be Jupyter notebooks or Python files that are written and maintained in VS Code Server.
For files exported (or to be imported) into OpenSearch. This can include
- Index Patterns
- Visualisations
- Dashboards
- Notebooks
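The files in this folder are saved-objects exports in NDJSON form (one JSON object per line, each with `id`, `type`, `attributes` and `references`, followed by a summary line). The script below is an added example, not part of this repo or of DFIR2Go: it inventories an export, flags unknown object types and duplicates, and reports dashboards or visualisations whose references are missing from the export, which is the usual reason an import fails. The sample export embedded in it is constructed for the example, and `KNOWN_TYPES` is an assumption about which object types you expect to keep here.

```python
import json

# Constructed sample of a saved-objects export (NDJSON). The field layout follows
# the saved-objects export format; ids and titles are made up for this example,
# and the dashboard deliberately references a visualisation that is not exported.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"id": "idx-1", "type": "index-pattern",
                "attributes": {"title": "velociraptor-*"}, "references": []}),
    json.dumps({"id": "vis-1", "type": "visualization",
                "attributes": {"title": "Hunts per client"},
                "references": [{"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
                                "type": "index-pattern", "id": "idx-1"}]}),
    json.dumps({"id": "dash-1", "type": "dashboard",
                "attributes": {"title": "Triage overview"},
                "references": [{"name": "panel_0", "type": "visualization", "id": "vis-1"},
                               {"name": "panel_1", "type": "visualization", "id": "vis-missing"}]}),
    json.dumps({"exportedCount": 3, "missingRefCount": 0, "missingReferences": []}),
])

# Assumption: the object types this folder is expected to hold.
KNOWN_TYPES = {"index-pattern", "visualization", "dashboard", "search"}


def parse_export(ndjson_text):
    """Return the saved objects in an export. Blank lines are ignored and the
    trailing summary line (which has no "type" field) is skipped."""
    objects = []
    for lineno, line in enumerate(ndjson_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: not valid JSON ({exc})") from exc
        if "type" not in obj:
            continue
        if "id" not in obj:
            raise ValueError(f"line {lineno}: saved object without an id")
        objects.append(obj)
    return objects


def summarize(ndjson_text):
    """Count exported objects per type, e.g. {'dashboard': 1, ...}."""
    counts = {}
    for obj in parse_export(ndjson_text):
        counts[obj["type"]] = counts.get(obj["type"], 0) + 1
    return counts


def check_export(ndjson_text):
    """Return a list of problems that would make the export unsafe to import."""
    objects = parse_export(ndjson_text)
    problems = []
    seen = set()
    for obj in objects:
        key = (obj["type"], obj["id"])
        if key in seen:
            problems.append(f"{obj['type']}/{obj['id']}: duplicate id in export")
        seen.add(key)
    for obj in objects:
        if obj["type"] not in KNOWN_TYPES:
            problems.append(f"{obj['type']}/{obj['id']}: unknown saved-object type")
        for ref in obj.get("references", []):
            if (ref["type"], ref["id"]) not in seen:
                problems.append(f"{obj['type']}/{obj['id']}: reference "
                                f"{ref['type']}/{ref['id']} not in export")
    return problems


def check_export_file(path):
    """Convenience wrapper for a file on disk, e.g. an exported dashboards.ndjson."""
    with open(path, encoding="utf-8") as fh:
        return check_export(fh.read())


if __name__ == "__main__":
    print("objects per type:", summarize(SAMPLE_EXPORT))
    for problem in check_export(SAMPLE_EXPORT):
        print("problem:", problem)
```

Run it over a real export with `check_export_file("dashboards.ndjson")` before committing; an empty result means every reference resolves inside the file, so the import will not leave dangling panels.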
For files mapped to Velociraptor. This folder is likely to contain subfolders for different types of code within Velociraptor.
- artifact_definitions - Contains custom Velociraptor Artifacts.
Data can be stored in other folders (such as a sigma folder, or similar); however, when creating new folders, please keep in mind how they may need to interact with DFIR2Go. If in doubt, have a chat with the contacts below.
The entire folder can be managed via code-server, which comes pre-configured with Git installed.
- Dean B