docs: changed version

NextronSystems · Nov 11, 2021 · 05861ad · 05861ad
1 parent b20f9bc
commit 05861ad
Show file tree

Hide file tree

Showing 8 changed files with 310 additions and 31 deletions.
diff --git a/index.rst b/index.rst
@@ -13,11 +13,12 @@ Aurora Agent User Manual
 
    usage/what-is-aurora
    usage/installation
+   usage/usage
    usage/configuration
    usage/rule-management
    usage/upgrade-and-updates
    usage/responses
-   usage/troubleshooting
+   usage/debugging
 
 
 Indices and tables

diff --git a/usage/configuration.rst b/usage/configuration.rst
@@ -57,23 +57,28 @@ Output Configuration
 
 The following output options are currently available 
 
-- Log file (JSON)
+- Log file
 - Windows Eventlog
-- JSON via UDP (full version only)
+- UDP target (full version only)
 - ASGARD Analysis Cockpit (full version only)
 - Standard Output (debugging)
 
-Log File 
-~~~~~~~~
+Log File (--logfile)
+~~~~~~~~~~~~~~~~~~~~
 
 The log file contains the matching events in JSON format.
 
-Warning: the local log file doesn't get rotated.
+Note: see the flags used for log file rotation in chapter :doc:`Usage <./usage>` for details.
+
+Windows Eventlog (default, use --no-eventlog to disable)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If enabled by setting ``eventlog: true`` Aurora writes entries into the ``Application`` Eventlog with the ``Provider Name`` set to ``Aurora Agent``.
+
+UDP target (--udp-target)
+~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Windows Eventlog
-~~~~~~~~~~~~~~~~
 
-If enabled by setting ``eventlog: True`` Aurora writes entries into the ``Application`` Eventlog with the ``Provider Name`` set to ``Aurora Agent``.
 
 ASGARD Analysis Cockpit 
 ~~~~~~~~~~~~~~~~~~~~~~~

diff --git a/usage/debugging.rst b/usage/debugging.rst
@@ -0,0 +1,49 @@
+Debugging
+=========
+
+The best way to debug Aurora is to run it directly in the command line and don't use it as service. 
+
+.. code:: bash
+
+    aurora-agent-64.exe --rules-path .\my-rules --debug
+
+The verbosity can even be increased by using the ``--trace`` flag. 
+
+Status Information
+------------------
+
+The ``--status`` can give you information from a running Aurora service.
+
+.. code:: bash 
+
+    C:\aurora>aurora-agent-64.exe --status
+    Aurora Agent
+    Version: 1.0.0
+    Sigma Revision: 0.20-1442-g80d2aee9
+    Uptime (in hours): 0
+
+    Active Outputs:
+    Eventlog: enabled
+
+    Rule Statistics:
+    Loaded rules: 723
+    Number of rule reloads: 0
+
+    Event Statistics:
+    Events observed so far: 1937458
+    Events lost so far: 0
+    Sigma matches: 23
+
+It displays the number of events that the agent was able to see and process, the number of initialized rules and rule matches. 
+
+Error Messages
+--------------
+
+Check the configured log outputs for error messages. A faulty rule would e.g. lead to error messages like this one in the ``Application`` eventlog with EventID 
+
+.. code::
+
+    Could not reload sigma rules 
+    Module: Aurora-Agent 
+    Changed_files: C:\ProgramData\Aurora-Agent\myrules\my-ransomware.yml 
+    Error: could not parse rule response in file "C:\\ProgramData\\Aurora-Agent\\myrules\\my-ransomware.yml": invalid predefined response action kil 
diff --git a/usage/installation.rst b/usage/installation.rst
@@ -7,15 +7,23 @@ You can install the agent using the following command line flag.
 
     aurora-agent.exe --install
 
-The agent will then be installed to ``C:\\Program Files\\Aurora Agent\\``.
+The agent and config files will then be installed to ``C:\\Program Files\\Aurora Agent\\``.
+The rules and other data will be installed to ``C:\\ProgramData\\Aurora Agent\\``.
 
-It will automatically install all rule files located in a sub folder named ``./rules``. We ship the agent installer package with the current open source rule set maintained in the ``Sigma repository <https://github.com/SigmaHQ/sigma>`__. 
+It will automatically copy all rule files located in a sub folder named ``./rules``. We ship the agent installer package with the current open source rule set maintained in the `Sigma repository <https://github.com/SigmaHQ/sigma>`__. 
 
-You can add the same settings as used in the configuration file as command line flags to configure the agent according to your needs. The command line flags will then be added to the configuration file. 
+If you want to add your own Sigma rules right during installation, you can do this by using the ``--rules-path`` flag.
 
 .. code::bash
 
-    aurora-agent.exe --install --eventlog True
+    aurora-agent.exe --install --rules-path .\rules --rules-path .\my-rules
+
+All the flags that you pass together with  are used for the configuration file ``agent.config``.
+
+.. code::bash
+
+    aurora-agent.exe --install --rules-path .\rules --rules-path .\my-rules
+
 
 Uninstall Aurora
 ----------------
@@ -24,4 +32,4 @@ To uninstall the agent simply run the following command:
 
 .. code::bash 
 
-    aurora-agent.exe --uninstall
+    aurora-agent.exe --uninstall
diff --git a/usage/responses.rst b/usage/responses.rst
@@ -25,10 +25,10 @@ The actions can be a list predefined actions or commands. (see examples below)
 Predefined Responses
 --------------------
 
-- Suspend (all events with 'ProcessId', recursive - suspends all children)
-- Kill (all events with 'ProcessId', recursive - kills all children)
-- KillParent (all events with 'ParentProcessId', recursive - kills all children)
-- Dump (all events with 'ProcessId', creates dump file in folder configured as ``dump-path``)
+- suspend (all events with 'ProcessId', recursive - suspends all children)
+- kill (all events with 'ProcessId', recursive - kills all children)
+- killparent (all events with 'ParentProcessId', recursive - kills all children)
+- dump (all events with 'ProcessId', creates dump file in folder configured as ``dump-path``)
 
 Examples
 ~~~~~~~~

diff --git a/usage/troubleshooting.rst b/usage/troubleshooting.rst
diff --git a/usage/usage.rst b/usage/usage.rst
@@ -0,0 +1,221 @@
+Usage
+=====
+
+This chapter explains the command line options used by Aurora in more detail. 
+
+.. code::
+
+        --agent-name string      Set a different name for the service, the binary and other identifiers (default "aurora-agent")
+    -a, --auto-reload            Automatically reload the sigma files upon detecting changes
+    -c, --config string          Process default parameters from this YAML file
+        --cpu-limit int          Percentage of a single CPU core that the Aurora Agent should use at most (default 100)
+        --debug                  Print debugging information
+        --dump-folder string     Folder where process dumps should be stored (default ".")
+        --no-eventlog            Don't log matches to the Windows event log
+        --install                Install Aurora Agent as a service
+        --json                   Write output as JSON instead of plain text
+        --license-path string    Path to the directory containing the Aurora Agent license (default "C:\\aurora")
+        --log-rotate uint        How many log rotations should be retained (default 7)
+        --log-size uint          At which size the log should be rotated (default 10MB)
+    -l, --logfile string         Log file path
+        --minimum-level Level    Report Sigma matches with rules of this level or higher (default high)
+        --report-stats           Log a message about the current agent status once per hour
+    -p, --rules-path strings     Paths containing the sigma files (default [C:\aurora\rules])
+    -s, --sigma-config strings   Paths to the sigma configurations that should be loaded (default [C:\aurora\default-log-sources.yml,C:\aurora\etw-log-sources.yml])
+        --status                 Query the status of a running Aurora Agent service
+        --trace                  Print tracing information
+        --udp-target string      UDP Address (as host:port) where the Aurora Agent should write its logs to
+        --uninstall              Uninstall the Aurora Agent service
+
+--agent-name
+------------
+
+It's possible to set a different name for the service name, the binary name on disk and other unique identifiers used by the agent.
+
+This feature provides a basic way to hide Aurora on an end system.
+
+-a, --auto-reload
+-----------------
+
+By setting the ``auto-reload`` flag, Aurora monitors the rules folders for changes and applies them every ``10`` seconds.
+
+-c, --config
+------------
+
+A config or config template can be set with the ``--config`` flag. If you use this flag combined with the ``--install`` flag, it will use all configured parameters in the file and write the new config file to the program folder.
+
+--cpu-limit
+-----------
+
+This flag allows to set a CPU usage limit from 1 to 100. Aurora uses only one CPU core and applies that limit to its activity on this single core. 
+
+WARNING: by setting a low CPU limit, it becomes more likely that events get dropped. Use the ``--status`` or ``--report-stats`` flag to monitor the number of dropped events.
+
+--debug
+-------
+
+This flag can be used for debugging purposes as it increases the verbosity level of the command line output.
+
+--dump-folder 
+-------------
+
+Use to set the folder for process memory dumps created by the predefined response action ``dump``. (see chapter :doc:`Responses <./responses>`)
+
+--no-eventlog
+-------------
+
+Disable the output to the Windows Eventlog ``Application``.
+
+--install 
+---------
+
+See the chapter :doc:`Installation <./installation>`.
+
+--json 
+------
+
+Formats the log lines as JSON. Applies to the log file and UDP outputs. 
+
+--license-path 
+--------------
+
+A path to a valid license file.
+
+Note: Event the free version named Aurora Lite requires a license file.
+
+--log-rotate
+------------
+
+The value given after this flag sets the number of rotated log files that should be kept. 
+
+The default is ``7``. 
+
+--log-size
+----------
+
+The maximum number of Megabytes before a log file gets rotated.
+
+The default is ``10``.
+
+-l, --log-file
+--------------
+
+This sets the absolute or relative path of a text log file. The flag ``--json`` can be used to instruct Aurora to format each messages in JSON.
+
+--minimum-level
+---------------
+
+This is the minimum Sigma rule level to report. If e.g. set to ``medium``, only Sigma rule matches with a level of ``medium``, ``high`` and ``critical`` get reported.
+
+--report-stats
+--------------
+
+This instructs Aurora to report the agent status once per hour to the configured output channels.
+
+-p, --rules-path
+----------------
+
+One or more paths to Sigma rules that get used by Aurora. 
+
+If you've combined this flag with ``--install`` the files get copied to ``C:\ProgramData\Aurora Agent\rules\`` and initialized from there.
+
+-s, --sigma-config
+------------------
+
+Sigma config files that select the log sources, channels and map field names. (see `Sigma config files <https://github.com/SigmaHQ/sigma/tree/master/tools/config>`_)
+
+--status
+--------
+
+This flag can be used to query information from the running service.
+
+Note: Make sure to also set ``--agent-name`` if you've set a non-standard name.
+
+.. code:: bash
+
+    C:\aurora>aurora-agent-64.exe --status
+
+    Aurora Agent
+    Version: 1.0.0
+    Sigma Revision: 0.20-1442-g80d2aee9
+    Uptime (in hours): 1
+
+    Active Outputs:
+    Eventlog: enabled
+
+    Rule Statistics:
+    Loaded rules: 723
+    Number of rule reloads: 0
+
+    Event Statistics:
+    Events observed so far: 2004511
+    Events lost so far: 0
+    Sigma matches: 4
+
+This flag can be combined with the ``--json`` flag.
+
+.. code::
+
+    {
+        "Parameters": {
+            "SigmaFolders": [
+                "C:\\ProgramData\\Aurora-Agent\\rules",
+                "C:\\ProgramData\\Aurora-Agent\\myrules"
+            ],
+            "AutoReload": false,
+            "LogFile": "",
+            "LogSources": [
+                "C:\\ProgramData\\Aurora-Agent\\default-log-sources.yml",
+                "C:\\ProgramData\\Aurora-Agent\\etw-log-sources.yml"
+            ],
+            "Debug": false,
+            "Trace": false,
+            "EventLogging": true,
+            "ReportingLevel": "high",
+            "DumpFolder": "C:\\ProgramData\\Aurora-Agent\\process-dumps",
+            "Json": false,
+            "LicensePath": "C:\\ProgramData\\Aurora-Agent\\aurora",
+            "UdpTarget": "",
+            "Silent": false,
+            "CpuLimit": 100,
+            "ReportStats": false,
+            "LogRotateCount": 0,
+            "LogSize": 10485760,
+            "AgentName": "aurora-agent"
+        },
+        "Uptime": 3828388216900,
+        "Version": "1.0.0",
+        "SigmaRevision": "0.20-1442-g80d2aee9",
+        "LoadedRules": 723,
+        "ReloadCounter": 0,
+        "EventsProcessed": 2066052,
+        "EventsLost": 0,
+        "SigmaMatches": 4
+    }
+
+--trace
+-------
+
+A flag that produces output that is more verbose than ``--debug``.
+
+--udp-target
+------------
+
+This flag defines a remote system to which the log data gets send via UDP. 
+
+.. code:: bash 
+
+    aurora-agent-64.exe --udp-target our-siem.company.net:5001
+
+.. code:: bash 
+
+    aurora-agent-64.exe --udp-target 10.0.3.101:888
+
+You can combine this flag with the ``--json`` flag to format the output in JSON. 
+
+--uninstall
+-----------
+
+Use this flag to uninstall Aurora. 
+
+Note: Make sure to also set ``--agent-name`` if you've set a non-standard name.