Commit

Reworked development for using GitHub pages instead of one monolithic README file

Squashed commit of the following:

commit 76f4508
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 22:56:54 2022 -0600

    fix hedgehog images

commit 5758e6f
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 22:54:28 2022 -0600

    fix hedgehog images

commit c576497
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 22:45:13 2022 -0600

    experimenting with github pages

commit 5029669
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 22:40:07 2022 -0600

    experimenting with github pages

commit b85fec2
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 22:33:07 2022 -0600

    experimenting with github pages

commit 061d2ac
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 22:29:05 2022 -0600

    experimenting with github pages

commit 3b5e26a
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 22:18:37 2022 -0600

    experimenting with github pages

commit 3f20469
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 22:07:39 2022 -0600

    experimenting with github pages

commit ce521e7
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 21:52:45 2022 -0600

    experimenting with github pages

commit 811a35d
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 21:37:30 2022 -0600

    experimenting with github pages

commit e6f4471
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 21:32:15 2022 -0600

    experimenting with github pages

commit f70fd95
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 21:23:37 2022 -0600

    experimenting with github pages

commit 48752eb
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 16:01:51 2022 -0600

    experimenting with github pages

commit 6230783
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 16:00:35 2022 -0600

    experimenting with github pages

commit 6321f68
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 15:55:58 2022 -0600

    experimenting with github pages

commit 74a8e8e
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 15:51:52 2022 -0600

    experimenting with github pages

commit 216aed2
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 15:50:52 2022 -0600

    experimenting with github pages

commit 7fa1e76
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 15:49:01 2022 -0600

    experimenting with github pages

commit 1c72362
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 15:47:31 2022 -0600

    experimenting with github pages

commit 6ccf841
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 15:45:06 2022 -0600

    experimenting with github pages

commit adc6360
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 15:42:42 2022 -0600

    experimenting with github pages

commit 25964a8
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 15:35:02 2022 -0600

    experimenting with github pages

commit c43e2ac
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 15:21:01 2022 -0600

    experimenting with github pages

commit 9871deb
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 15:19:24 2022 -0600

    experimenting with github pages

commit 760a1f9
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 15:16:40 2022 -0600

    experimenting with github pages

commit 6ae5032
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 15:11:46 2022 -0600

    experimenting with github pages

commit 0ea9c94
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 15:08:57 2022 -0600

    experimenting with github pages

commit b95b060
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 15:05:54 2022 -0600

    experimenting with github pages

commit 3195c4e
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 15:04:48 2022 -0600

    experimenting with github pages

commit a07bc5e
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 15:02:25 2022 -0600

    experimenting with github pages

commit d77099f
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 14:59:06 2022 -0600

    experimenting with github pages

commit 18f4647
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 14:57:31 2022 -0600

    experimenting with github pages

commit 7a08476
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 14:52:19 2022 -0600

    experimenting with github pages

commit acf2a6d
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 14:47:56 2022 -0600

    experimenting with github pages

commit 26029bc
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 14:46:35 2022 -0600

    experimenting with github pages

commit 60cdab0
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 14:42:13 2022 -0600

    experimenting with github pages

commit 39e88b6
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 14:41:13 2022 -0600

    experimenting with github pages

commit 651acd3
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 14:39:38 2022 -0600

    experimenting with github pages

commit df96e0e
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 14:36:26 2022 -0600

    experimenting with github pages

commit 5016081
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 14:22:46 2022 -0600

    experimenting with github pages

commit f1bff36
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 14:21:24 2022 -0600

    experimenting with github pages

commit 0e0d9f0
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 14:18:34 2022 -0600

    experimenting with github pages

commit e170422
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 14:03:54 2022 -0600

    experimenting with github pages

commit 63de7bb
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 14:00:54 2022 -0600

    Revert "experimenting with github pages"

    This reverts commit f43a4aa.

commit f43a4aa
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 13:59:10 2022 -0600

    experimenting with github pages

commit b9925dc
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 13:38:46 2022 -0600

    experimenting with github pages

commit 41528fb
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 13:34:51 2022 -0600

    experimenting with github pages

commit efd3c88
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 13:32:01 2022 -0600

    experimenting with github pages

commit e0f4466
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 13:30:37 2022 -0600

    experimenting with github pages

commit 8b8d469
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 13:28:06 2022 -0600

    experimenting with github pages

commit 9c00ea2
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 13:21:43 2022 -0600

    experimenting with github pages

commit 1a0df24
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 13:16:25 2022 -0600

    experimenting with github pages

commit b7ae1d2
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 12:54:49 2022 -0600

    basic config

commit 208ef01
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 12:53:30 2022 -0600

    experimenting with jekyll

commit 8aea3e2
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 12:43:41 2022 -0600

    links work in progress

commit 1605844
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 12:37:25 2022 -0600

    Added github pages config

commit 599eb83
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 12:25:14 2022 -0600

    Added github pages config

commit 73754a4
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 12:18:58 2022 -0600

    documentation links work in progress

commit 03012af
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 12:18:19 2022 -0600

    documentation links work in progress

commit 3b8cd74
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 12:00:57 2022 -0600

    documentation links work in progress

commit 7b13fa7
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 11:59:20 2022 -0600

    documentation links work in progress

commit 52df01b
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 11:54:45 2022 -0600

    documentation links work in progress

commit b7ac174
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 11:02:37 2022 -0600

    testing relative links

commit 952936d
Author: Seth Grover <[email protected]>
Date:   Thu Sep 22 10:47:47 2022 -0600

    split all the .md documentation into different files
mmguero committed Sep 23, 2022
1 parent 6a7003a commit 568da6c
Showing 230 changed files with 5,348 additions and 5,557 deletions.
4,055 changes: 6 additions & 4,049 deletions README.md

Large diffs are not rendered by default.

33 changes: 33 additions & 0 deletions _config.yml
@@ -0,0 +1,33 @@
title: Malcolm
description: A powerful, easily deployable network traffic analysis tool suite
logo: docs/images/logo/Malcolm_outline_banner_dark.png
remote_theme: pages-themes/[email protected]
external_download_url: https://malcolm.fyi/download/
youtube_url: https://www.youtube.com/c/MalcolmNetworkTrafficAnalysisToolSuite
docs_uri: docs/
alerting_docs_uri: docs/alerting.html
anomaly_detection_docs_uri: docs/anomaly-detection.html
api_docs_uri: docs/api.html
arkime_docs_uri: docs/arkime.html
components_docs_uri: docs/components.html
configuring_docs_uri: docs/malcolm-preparation.html
contributing_docs_uri: docs/contributing-guide.html
dashboards_docs_uri: docs/dashboards.html
hardening_docs_uri: docs/hardening.html
hedgehog_docs_uri: docs/hedgehog.html
live_analysis_docs_uri: docs/live-analysis.html
protocols_docs_uri: docs/protocols.html
queries_docs_uri: docs/queries-cheat-sheet.html
quickstart_docs_uri: docs/quickstart.html
severity_docs_uri: docs/severity.html
thirdparty_logs_docs_uri: docs/third-party-logs.html
upload_docs_uri: docs/upload.html
github:
owner_name: Seth Grover
plugins:
- jekyll-remote-theme
- jekyll-relative-links
show_downloads: true
relative_links:
enabled: true
collections: true
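Review bot: `remote_theme: pages-themes/[email protected]` is the one external dependency this config pulls in on every Pages build; make sure the committed value pins an explicit release tag of the theme (the suffix after `@` is obscured in this rendering), because an unpinned `remote_theme` resolves to whatever the theme's default branch contains at build time. Also note that the `*_docs_uri` values end in `.html` while the sources are `.md`; these values are used directly in the layout's `href` attributes rather than passing through `jekyll-relative-links`, so they rely on every doc rendering to an `.html` file of the same basename and will break for any page that sets its own `permalink`.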
1 change: 1 addition & 0 deletions _includes/head-custom.html
@@ -0,0 +1 @@
<link rel="shortcut icon" type="image/x-icon" href="{{ 'docs/images/favicon/favicon.ico' | relative_url }}" />
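Review bot: `rel="shortcut icon"` is a legacy token kept only for old Internet Explorer; `rel="icon"` is the value the HTML spec defines and all current browsers honour it, so consider switching to `rel="icon"` (keeping `shortcut` alongside it is harmless if IE support matters).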
98 changes: 98 additions & 0 deletions _layouts/default.html
@@ -0,0 +1,98 @@
<!DOCTYPE html>
<html lang="{{ site.lang | default: "en-US" }}">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">

{% seo %}
<link rel="stylesheet" href="{{ "/assets/css/style.css?v=" | append: site.github.build_revision | relative_url }}">
<!--[if lt IE 9]>
<script src="https://cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv.min.js"></script>
<![endif]-->
<script src="https://use.fontawesome.com/285a5794ed.js"></script>
{% include head-custom.html %}
</head>
<body>
<div class="wrapper">
<header>
{% if site.logo %}
<a href="{{ "/" | absolute_url }}"><img src="{{site.logo | relative_url}}" alt="Logo" /></a>
{% else %}
<h1><a href="{{ "/" | absolute_url }}">{{ site.title | default: site.github.repository_name }}</a></h1>
{% endif %}

<p>{{ site.description | default: site.github.project_tagline }}</p>

<p class="view"><i class="fa fa-fighter-jet" aria-hidden="true"></i> <a href="{{ site.quickstart_docs_uri | default: /docs/ | relative_url }}">Quick Start</a></p>

<p class="view"><i class="fa fa-book" aria-hidden="true"></i> <a href="{{ site.docs_uri | default: /docs/ | relative_url }}">Documentation</a></p>

<p class="view"><i class="fa fa-puzzle-piece" aria-hidden="true"></i> <a href="{{ site.components_docs_uri | default: /docs/ | relative_url }}">Components</a></p>

<p class="view"><i class="fa fa-map-signs" aria-hidden="true"></i> <a href="{{ site.protocols_docs_uri | default: /docs/ | relative_url }}">Supported Protocols</a></p>

<p class="view"><i class="fa fa-sliders" aria-hidden="true"></i> <a href="{{ site.configuring_docs_uri | default: /docs/ | relative_url }}">Configuring</a></p>

<p class="view"><i class="fa fa-table" aria-hidden="true"></i> <a href="{{ site.arkime_docs_uri | default: /docs/ | relative_url }}">Arkime</a></p>

<p class="view"><i class="fa fa-tachometer" aria-hidden="true"></i> <a href="{{ site.dashboards_docs_uri | default: /docs/ | relative_url }}">Dashboards</a></p>

<p class="view"><i class="fa fa-plug" aria-hidden="true"></i> <a href="{{ site.api_docs_uri | default: /docs/ | relative_url }}">API</a></p>

<p class="view"><i class="fa fa-shield" aria-hidden="true"></i> <a href="{{ site.hardening_docs_uri | default: /docs/ | relative_url }}">Hardening</a></p>

<p class="view"><i class="fa fa-server" aria-hidden="true"></i> <a href="{{ site.hedgehog_docs_uri | default: /docs/ | relative_url }}">Hedgehog Linux</a></p>

<p class="view"><i class="fa fa-handshake-o" aria-hidden="true"></i> <a href="{{ site.contributing_docs_uri | default: /docs/ | relative_url }}">Contribution Guide</a></p>

<!--
<p class="view"><i class="fa fa-upload" aria-hidden="true"></i> <a href="{{ site.upload_docs_uri | default: /docs/ | relative_url }}">PCAP Upload</a></p>
<p class="view"><i class="fa fa-eye" aria-hidden="true"></i> <a href="{{ site.live_analysis_docs_uri | default: /docs/ | relative_url }}">Live Traffic Analysis</a></p>
<p class="view"><i class="fa fa fa-share-alt" aria-hidden="true"></i> <a href="{{ site.thirdparty_logs_docs_uri | default: /docs/ | relative_url }}">Third Party Logs</a></p>
<p class="view"><i class="fa fa-search" aria-hidden="true"></i> <a href="{{ site.queries_docs_uri | default: /docs/ | relative_url }}">Queries</a></p>
<p class="view"><i class="fa fa-bell" aria-hidden="true"></i> <a href="{{ site.alerting_docs_uri | default: /docs/ | relative_url }}">Alerting</a></p>
<p class="view"><i class="fa fa-area-chart" aria-hidden="true"></i> <a href="{{ site.anomaly_detection_docs_uri | default: /docs/ | relative_url }}">Anomaly Detection</a></p>
<p class="view"><i class="fa fa-exclamation-triangle" aria-hidden="true"></i> <a href="{{ site.severity_docs_uri | default: /docs/ | relative_url }}">Severity Scoring</a></p>
-->

</header>
<section>
{{ content }}

</section>
<footer>
{% if site.show_downloads %}
<ul class="downloads">
<li><a href="{{ site.github.repository_url }}/releases">GitHub <strong>Releases</strong></a></li>
<li><a href="{{ site.github.tar_url }}">Source <strong>.tgz</strong></a></li>
<li><a href="{{ site.external_download_url | default: site.github.repository_url }}">Download <strong>ISOs</strong></a></li>
</ul>
{% endif %}

{% if site.github.is_project_page %}
<p class="view"><i class="fa fa-github" aria-hidden="true"></i> <a href="{{ site.github.repository_url }}">{{ site.title | default: site.github.repository_name }} on GitHub <i class="fa fa-sign-out" aria-hidden="true"></i><small>{{ site.github.repository_nwo }}</small></a></p>

<p class="view"><i class="fa fa-bug" aria-hidden="true"></i> <a href="{{ site.github.repository_url }}/issues">{{ site.title | default: site.github.repository_name }} Issue Tracker <i class="fa fa-sign-out" aria-hidden="true"></i></a></p>
{% endif %}

<p class="view"><i class="fa fa-youtube-play" aria-hidden="true"></i> <a href="{{ site.youtube_url | default: https://youtube.com | absolute_url }}">{{ site.title | default: site.github.repository_name }} on YouTube <i class="fa fa-sign-out" aria-hidden="true"></i></a></p>

{% if site.github.is_user_page %}
<p class="view"><a href="{{ site.github.owner_url }}">View My GitHub Profile <i class="fa fa-sign-out" aria-hidden="true"></i></a></p>
{% endif %}

{% if site.github.is_project_page %}
<p class="view"><i class="fa fa-github" aria-hidden="true"></i> <a href="{{ site.github.owner_url }}">{{ site.github.owner_name }} on GitHub <i class="fa fa-sign-out" aria-hidden="true"></i></a></p>
{% endif %}
</footer>
</div>
<script src="{{ "/assets/js/scale.fix.js" | relative_url }}"></script>
</body>
</html>
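Review bot: the fallbacks in the navigation links are unquoted literals, e.g. `{{ site.quickstart_docs_uri | default: /docs/ | relative_url }}` and `{{ site.youtube_url | default: https://youtube.com | absolute_url }}`; Liquid parses an unquoted filter argument as a variable lookup, so when the site variable is unset the default resolves to nil and the link silently falls back to the site root (or raises under strict error mode) instead of `/docs/`. Quote them: `default: "/docs/"` and `default: "https://youtube.com"`. Separately, the two third-party scripts (`html5shiv` from cdnjs and the Font Awesome kit loader from `use.fontawesome.com`) are loaded without Subresource Integrity; cdnjs publishes SRI hashes, so add `integrity` and `crossorigin="anonymous"` to that `<script>`, and since the kit loader fetches further code at runtime it cannot be pinned with SRI at all, so consider vendoring the icon font under `/assets/` next to `style.css` and `scale.fix.js`.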
102 changes: 102 additions & 0 deletions docs/README.md
@@ -0,0 +1,102 @@
# <a name="Overview"></a>Overview

![Malcolm Network Diagram](./images/malcolm_network_diagram.png)

Malcolm processes network traffic data in the form of packet capture (docs/PCAP) files or Zeek logs. A [sensor](live-analysis.md#Hedgehog) (packet capture appliance) monitors network traffic mirrored to it over a SPAN port on a network switch or router, or using a network TAP device. [Zeek](https://www.zeek.org/index.html) logs and [Arkime](https://molo.ch/) sessions are generated containing important session metadata from the traffic observed, which are then securely forwarded to a Malcolm instance. Full PCAP files are optionally stored locally on the sensor device for examination later.

Malcolm parses the network session data and enriches it with additional lookups and mappings including GeoIP mapping, hardware manufacturer lookups from [organizationally unique identifiers (docs/OUI)](http://standards-oui.ieee.org/oui/oui.txt) in MAC addresses, assigning names to [network segments](host-and-subnet-mapping.md#SegmentNaming) and [hosts](host-and-subnet-mapping.md#HostNaming) based on user-defined IP address and MAC mappings, performing [TLS fingerprinting](https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967), and many others.

The enriched data is stored in an [OpenSearch](https://opensearch.org/) document store in a format suitable for analysis through two intuitive interfaces: OpenSearch Dashboards, a flexible data visualization plugin with dozens of prebuilt dashboards providing an at-a-glance overview of network protocols; and Arkime, a powerful tool for finding and identifying the network sessions comprising suspected security incidents. These tools can be accessed through a web browser from analyst workstations or for display in a security operations center (SOC). Logs can also optionally be forwarded on to another instance of Malcolm.

![Malcolm Data Pipeline](./images/malcolm_data_pipeline.png)

For smaller networks, use at home by network security enthusiasts, or in the field for incident response engagements, Malcolm can also easily be deployed locally on an ordinary consumer workstation or laptop. Malcolm can process local artifacts such as locally-generated Zeek logs, locally-captured PCAP files, and PCAP files collected offline without the use of a dedicated sensor appliance.

<a name="TableOfContents"></a>
* [Quick start](quickstart.md#QuickStart)
- [Getting Malcolm](quickstart.md#GetMalcolm)
- [User interface](quickstart.md#UserInterfaceURLs)
* [Components](components.md#Components)
* [Supported Protocols](protocols.md#Protocols)
* [Development](development.md#Development)
- [Building from source](development.md#Build)
- [Pre-Packaged installation files](development.md#Packager)
* [Configuration](malcolm-preparation.md#Configuration)
- [Recommended system requirements](system-requirements.md#SystemRequirements)
- [Malcolm Configuration](malcolm-config.md#ConfigAndTuning)
+ [`docker-compose.yml` parameters](malcolm-config.md#DockerComposeYml)
- [Configure authentication](authsetup.md#AuthSetup)
+ [Local account management](authsetup.md#AuthBasicAccountManagement)
+ [Lightweight Directory Access Protocol (LDAP) authentication](authsetup.md#AuthLDAP)
* [LDAP connection security](authsetup.md#AuthLDAPSecurity)
+ [TLS certificates](authsetup.md#TLSCerts)
- [Platform-specific Configuration](host-config.md#HostSystemConfig)
+ [Linux host system configuration](host-config-linux.md#HostSystemConfigLinux)
+ [macOS host system configuration](host-config-macos.md#HostSystemConfigMac)
+ [Windows host system configuration](host-config-windows.md#HostSystemConfigWindows)
* [Running Malcolm](running.md#Running)
- [OpenSearch instances](opensearch-instances.md#OpenSearchInstance)
+ [Authentication and authorization for remote OpenSearch clusters](opensearch-instances.md#OpenSearchAuth)
- [Starting Malcolm](running.md#Starting)
- [Stopping and restarting Malcolm](running.md#StopAndRestart)
- [Clearing Malcolm's data](running.md#Wipe)
- [Temporary read-only interface](running.md#ReadOnlyUI)
* [Capture file and log archive upload](upload.md#Upload)
- [Tagging](upload.md#Tagging)
- [Processing uploaded PCAPs with Zeek and Suricata](upload.md#UploadPCAPProcessors)
* [Live analysis](live-analysis.md#LiveAnalysis)
- [Using a network sensor appliance](live-analysis.md#Hedgehog)
- [Monitoring local network interfaces](live-analysis.md#LocalPCAP)
- [Manually forwarding logs from an external source](live-analysis.md#ExternalForward)
* [Arkime](arkime.md#Arkime)
- [Zeek log integration](arkime.md#ArkimeZeek)
+ [Correlating Zeek logs and Arkime sessions](arkime.md#ZeekArkimeFlowCorrelation)
- [Help](arkime.md#ArkimeHelp)
- [Sessions](arkime.md#ArkimeSessions)
+ [PCAP Export](arkime.md#ArkimePCAPExport)
- [SPIView](arkime.md#ArkimeSPIView)
- [SPIGraph](arkime.md#ArkimeSPIGraph)
- [Connections](arkime.md#ArkimeConnections)
- [Hunt](arkime.md#ArkimeHunt)
- [Statistics](arkime.md#ArkimeStats)
- [Settings](arkime.md#ArkimeSettings)
* [OpenSearch Dashboards](dashboards.md#Dashboards)
- [Discover](dashboards.md#Discover)
+ [Screenshots](dashboards.md#DiscoverGallery)
- [Visualizations and dashboards](dashboards.md#DashboardsVisualizations)
+ [Prebuilt visualizations and dashboards](dashboards.md#PrebuiltVisualizations)
* [Screenshots](dashboards.md#PrebuiltVisualizationsGallery)
+ [Building your own visualizations and dashboards](dashboards.md#BuildDashboard)
* [Screenshots](dashboards.md#NewVisualizationsGallery)
* [Search Queries in Arkime and OpenSearch](queries-cheat-sheet.md#SearchCheatSheet)
* Other Malcolm features
- [Automatic file extraction and scanning](file-scanning.md#ZeekFileExtraction)
- [Automatic host and subnet name assignment](host-and-subnet-mapping.md#HostAndSubnetNaming)
+ [IP/MAC address to hostname mapping via `host-map.txt`](host-and-subnet-mapping.md#HostNaming)
+ [CIDR subnet to network segment name mapping via `cidr-map.txt`](host-and-subnet-mapping.md#SegmentNaming)
+ [Defining hostname and CIDR subnet names interface](host-and-subnet-mapping.md#NameMapUI)
+ [Applying mapping changes](host-and-subnet-mapping.md#ApplyMapping)
- [OpenSearch index management](index-management.md#IndexManagement)
- [Event severity scoring](severity.md#Severity)
+ [Customizing event severity scoring](severity.md#SeverityConfig)
- [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel)
+ [STIX™ and TAXII™](zeek-intel.md#ZeekIntelSTIX)
+ [MISP](zeek-intel.md#ZeekIntelMISP)
- [Anomaly Detection](anomaly-detection.md#AnomalyDetection)
- [Alerting](alerting.md#Alerting)
+ [Email Sender Accounts](alerting.md#AlertingEmail)
- ["Best Guess" Fingerprinting for ICS Protocols](ics-best-guess.md#ICSBestGuess)
- [Asset Management with NetBox](netbox.md#NetBox)
- [CyberChef](cyberchef.md#CyberChef)
- [API](api.md#API)
* [Forwarding Third-Party Logs to Malcolm](third-party-logs.md#ThirdPartyLogs)
* [Malcolm installer ISO](malcolm-iso.md#ISO)
- [Installation](malcolm-iso.md#ISOInstallation)
- [Generating the ISO](malcolm-iso.md#ISOBuild)
- [Setup](malcolm-iso.md#ISOSetup)
- [Time synchronization](time-sync.md#ConfigTime)
* [Hardening](hardening.md#Hardening)
- [Compliance Exceptions](hardening.md#ComplianceExceptions)
* [Installation example using Ubuntu 22.04 LTS](ubuntu-install-example.md#InstallationExample)
* [Upgrading Malcolm](malcolm-upgrade.md#UpgradePlan)
* [Modifying or Contributing to Malcolm](contributing-guide.md#Contributing)
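Review bot: two plain-text abbreviations in the overview paragraphs were caught by the link-path rewrite: `packet capture (docs/PCAP) files` and `organizationally unique identifiers (docs/OUI)` should read `(PCAP)` and `(OUI)`; the `docs/` prefix only belongs on link targets. The table of contents also links to pages such as `development.md`, `system-requirements.md` and `ubuntu-install-example.md` that are not shown in the rendered part of this diff; worth a pass confirming that every target file and `#anchor` in the list exists in the split-out docs, since a broken anchor degrades silently on Pages.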
37 changes: 37 additions & 0 deletions docs/alerting.md
@@ -0,0 +1,37 @@
# <a name="Alerting"></a>Alerting

* [Alerting](#Alerting)
- [Email Sender Accounts](#AlertingEmail)

Malcolm uses the Alerting plugins for [OpenSearch](https://github.com/opensearch-project/alerting) and [OpenSearch Dashboards](https://github.com/opensearch-project/alerting-dashboards-plugin). See [Alerting](https://opensearch.org/docs/latest/monitoring-plugins/alerting/index/) in the OpenSearch documentation for usage instructions.

A fresh installation of Malcolm configures an example [custom webhook destination](https://opensearch.org/docs/latest/monitoring-plugins/alerting/monitors/#create-destinations) named **Malcolm API Loopback Webhook** that directs the triggered alerts back into the [Malcolm API](api.md#API) to be reindexed as a session record with `event.dataset` set to `alerting`. The corresponding monitor **Malcolm API Loopback Monitor** is disabled by default, as you'll likely want to configure the trigger conditions to suit your needs. These examples are provided to illustrate how triggers and monitors can interact with a custom webhook to process alerts.

## <a name="AlertingEmail"></a>Email Sender Accounts

When using an email account to send alerts, you must [authenticate each sender account](https://opensearch.org/docs/latest/monitoring-plugins/alerting/monitors/#authenticate-sender-account) before you can send an email. The [`auth_setup`](authsetup.md#AuthSetup) script can be used to securely store the email account credentials:

```
./scripts/auth_setup
Store administrator username/password for local Malcolm access? (Y/n): n
(Re)generate self-signed certificates for HTTPS access (Y/n): n
(Re)generate self-signed certificates for a remote log forwarder (Y/n): n
Store username/password for primary remote OpenSearch instance? (y/N): n
Store username/password for secondary remote OpenSearch instance? (y/N): n
Store username/password for email alert sender account? (y/N): y
Email account username: [email protected]
[email protected] password:
[email protected] password (again):
Email alert sender account variables stored: opensearch.alerting.destination.email.destination_alpha.password, opensearch.alerting.destination.email.destination_alpha.username
(Re)generate internal passwords for NetBox (Y/n): n
```

This action should only be performed while Malcolm is [stopped](running.md#StopAndRestart): otherwise the credentials will not be stored correctly.
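Review bot: the transcript shows the credentials stored under `opensearch.alerting.destination.email.destination_alpha.username` and `.password`, but the text never says where the `destination_alpha` name comes from or what it must correspond to in the Alerting plugin's configuration; one sentence on that would let readers connect the `auth_setup` prompt to the email destination they create in OpenSearch Dashboards. Minor: the fenced block has no language tag; `text` or `console` would stop syntax highlighters from guessing.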
12 changes: 12 additions & 0 deletions docs/anomaly-detection.md
@@ -0,0 +1,12 @@
# <a name="AnomalyDetection"></a>Anomaly Detection

Malcolm uses the Anomaly Detection plugins for [OpenSearch](https://github.com/opensearch-project/anomaly-detection) and [OpenSearch Dashboards](https://github.com/opensearch-project/anomaly-detection-dashboards-plugin) to identify anomalous log data in near real-time using the [Random Cut Forest](https://api.semanticscholar.org/CorpusID:927435) (RCF) algorithm. This can be paired with [Alerting](alerting.md#Alerting) to automatically notify when anomalies are found. See [Anomaly detection](https://opensearch.org/docs/latest/monitoring-plugins/ad/index/) in the OpenSearch documentation for usage instructions on how to create detectors for any of the many fields Malcolm supports.

A fresh installation of Malcolm configures [several detectors](dashboards/anomaly_detectors) for detecting anomalous network traffic:

* **network_protocol** - Detects anomalies based on application protocol (`network.protocol`)
* **action_result_user** - Detects anomalies in action (`event.action`), result (`event.result`) and user (`related.user`) within application protocols (`network.protocol`)
* **file_mime_type** - Detects anomalies based on transferred file type (`file.mime_type`)
* **total_bytes** - Detects anomalies based on traffic size (sum of `network.bytes`)

These detectors are disabled by default, but may be enabled for anomaly detection over streaming or [historical data](https://aws.amazon.com/about-aws/whats-new/2022/01/amazon-opensearch-service-elasticsearch-anomaly-detection/).
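Review bot: `[several detectors](dashboards/anomaly_detectors)` is a relative link, and on the Pages site this file lives under `docs/`, so it resolves to `docs/dashboards/anomaly_detectors`; if the detector definitions live at the repository root, point the link at the repository URL (or at a copy under `docs/`) so it does not 404 on the published site. The `historical data` link goes to an AWS product announcement rather than the OpenSearch anomaly-detection docs already linked in the first paragraph; the project's own docs would be the more durable reference.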