Skip to main content
Version: v1.7

Syntax

A minimal detection file is a YAML map with a top‐level detect: key.

Under it, each entry describes one service plan:

# detect.yaml
---
detect:
  apache2-file-apache2:
    when:
      - Systemd.UnitInstalled("apache2.service") or len(Path.Glob("/var/log/apache2/*.log")) > 0
    hub_spec:
      collections:
        - crowdsecurity/apache2
    acquisition_spec:
      filename: apache2.yaml
      datasource:
        source: file
        filenames:
          - /var/log/apache2/*.log
        labels:
          type: apache2

Fields

when

A list of expression that must return a boolean.

If multiple expressions are provided, they must all return true for the service to be included.

when:
 - Host.OS == "linux"
 - Systemd.UnitInstalled("<unit>")

You can use any of the helper referenced here.

hub_spec

A map of hub items to install.

Specifying an invalid item type or item will log an error but will not prevent the detection to continue.

hub_spec:
 collections:
  - crowdsecurity/linux
 parsers:
  - crowdsecurity/nginx-logs
 scenarios:
  - crowdsecurity/http-bf

acquisition_spec

This item defines the acquisition that will be written to disk

acquisition_spec:
 filename: foobar.yaml
 datasource:
  source: docker
  container_name: foo
  labels:
   type: bar

The filename attribute will be used to generate the name of file in the form of acquis.d/setup.<filename>.yaml.

The content of datasource will be validated (syntax, required fields depending on the datasource configured) and be written as-is to the file.

Examples

Basic OS / Hub only:

detect:
  linux:
    when:
      - Host.OS == "linux"
    hub_spec:
      collections:
        - crowdsecurity/linux

journalctl source with a filter:

detect:
  caddy-journal:
    when:
      - Systemd.UnitInstalled("caddy.service")
      - len(Path.Glob("/var/log/caddy/*.log")) == 0
    hub_spec:
      collections:
       - crowdsecurity/caddy
    acquisition_spec:
      filename: caddy.yaml
      datasource:
        source: journalctl
        labels:
         type: caddy
        journalctl_filter:
          - "_SYSTEMD_UNIT=caddy.service"

Windows event log:

detect:
  windows_auth:
    when:
     - Host.OS == "windows"
    hub_spec:
      collections: 
       - crowdsecurity/windows
    acquisition_spec:
      filename: windows_auth.yaml
      datasource:
        source: wineventlog
        event_channel: Security
        event_ids: 
         - 4625
         - 4623
        event_level: information
        labels: 
         type: eventlog