Skip to main content
Version: v1.7

Syntax

A minimal detection file is a YAML map with a top‐level detect: key.

Under it, each entry describes one service plan:

# detect.yaml
---
detect:
apache2-file-apache2:
when:
- Systemd.UnitInstalled("apache2.service") or len(Path.Glob("/var/log/apache2/*.log")) > 0
hub_spec:
collections:
- crowdsecurity/apache2
acquisition_spec:
filename: apache2.yaml
datasource:
source: file
filenames:
- /var/log/apache2/*.log
labels:
type: apache2

Fields

when

A list of expression that must return a boolean.

If multiple expressions are provided, they must all return true for the service to be included.

when:
- Host.OS == "linux"
- Systemd.UnitInstalled("<unit>")

You can use any of the helper referenced here.

hub_spec

A map of hub items to install.

Specifying an invalid item type or item will log an error but will not prevent the detection to continue.

hub_spec:
collections:
- crowdsecurity/linux
parsers:
- crowdsecurity/nginx-logs
scenarios:
- crowdsecurity/http-bf

acquisition_spec

This item defines the acquisition that will be written to disk

acquisition_spec:
filename: foobar.yaml
datasource:
source: docker
container_name: foo
labels:
type: bar

The filename attribute will be used to generate the name of file in the form of acquis.d/setup.<filename>.yaml.

The content of datasource will be validated (syntax, required fields depending on the datasource configured) and be written as-is to the file.

Examples

Basic OS / Hub only:

detect:
linux:
when:
- Host.OS == "linux"
hub_spec:
collections:
- crowdsecurity/linux

journalctl source with a filter:

detect:
caddy-journal:
when:
- Systemd.UnitInstalled("caddy.service")
- len(Path.Glob("/var/log/caddy/*.log")) == 0
hub_spec:
collections:
- crowdsecurity/caddy
acquisition_spec:
filename: caddy.yaml
datasource:
source: journalctl
labels:
type: caddy
journalctl_filter:
- "_SYSTEMD_UNIT=caddy.service"

Windows event log:

detect:
windows_auth:
when:
- Host.OS == "windows"
hub_spec:
collections:
- crowdsecurity/windows
acquisition_spec:
filename: windows_auth.yaml
datasource:
source: wineventlog
event_channel: Security
event_ids:
- 4625
- 4623
event_level: information
labels:
type: eventlog