feat: chapter for custom signatures

index.rst

@@ -19,6 +19,7 @@ Aurora Agent User Manual
    usage/responses
    usage/modules
    usage/function-tests
+   usage/custom-signatures
    usage/aurora-agent-util
    usage/debugging
    usage/performance-tuning

usage/configuration.rst

@@ -101,7 +101,7 @@ will not be logged.
 Custom Signatures
 -----------------
 Sigma rules and IOCs can be passed to Aurora using the ``--rules-path`` and ``--ioc-path`` paremeters. These parameters default to the built-in rules and IOCs at 
-``signatures/sigma-rules`` and ``signatures/iocs`` respectively. 
+``signatures/sigma-rules`` and ``signatures/iocs`` and the provided paths for custom signatures at ``custom-signatures/sigma-rules`` and ``custom-signatures/iocs`` respectively. 
 
 IOCs follow the same format that THOR IOCs do; the full description can be found in the `THOR manual <https://thor-manual.nextron-systems.com/en/latest/usage/custom-signatures.html#simple-iocs>`_.
 

usage/custom-signatures.rst

@@ -0,0 +1,39 @@
+Custom Signatures
+=================
+
+Management using ASGARD
+-----------------------
+
+ASGARD Management Center allows you to create rule sets of sigma rules and apply them to groups of end systems. It also features a "difference view" that shows you rules that have changed in the remote Sigma repository and allows you to accept or deny the changes. It also provides ways to filter false positives right at the source.
+
+Signature updates and Aurora upgrades can be executed for all end points from the Management Center.
+
+.. figure:: ../images/asgard-rule-management.png
+   :target: ../images/asgard-rule-management.png
+   :alt: Asgard Rule Management
+
+The rule management is described in more detail in `this <https://asgard-manual.nextron-systems.com/en/latest/usage/administration.html#service-control>`_ section of the ASGARD Management Center manual.
+
+Manual signature management
+---------------------------
+
+Signatures can be specified when starting Aurora using the ``--rules-path`` and ``--ioc-path`` parameters. These parameters default to the built-in rules and IOCs at 
+``signatures/sigma-rules`` and ``signatures/iocs`` and the provided paths for custom signatures at ``custom-signatures/sigma-rules`` and ``custom-signatures/iocs`` respectively. 
+Aurora traverses the directories that are specified with these parameters recursively and initializes all signature files it finds.
+
+In order to add new sigma rules or IOCs, you can either:
+
+ - Add them to the corresponding subfolder in `custom-signatures`
+ - Specify the folder where they are located using ``--rules-path`` or ``--ioc-path``
+
+Signature format
+^^^^^^^^^^^^^^^^
+
+IOCs follow the same format that THOR IOCs do; the full description can be found in the `THOR manual <https://thor-manual.nextron-systems.com/en/latest/usage/custom-signatures.html#simple-iocs>`_.
+
+Sigma rules must adhere to the specification found in the `Sigma repository <https://github.com/SigmaHQ/sigma/wiki/Specification>`_.
+
+Encrypted signatures
+^^^^^^^^^^^^^^^^^^^^
+Both IOCs and sigma rules can be encrypted using the ``encrypt`` function in Aurora Agent Util. Aurora will automatically decrypt encrypted signatures at startup. 
+This functionality is only available in the full version of Aurora.

usage/upgrade-and-updates.rst

@@ -4,22 +4,14 @@ Upgrading and Updating Aurora
 Management using ASGARD
 -----------------------
 
-ASGARD Management Center allows you to create rule sets of sigma rules and apply them to groups of end systems. It also features a "difference view" that shows you rules that have changed in the remote Sigma repository and allows you to accept or deny the changes. It also provides ways to filter false positives right at the source.
-
-Signature updates and Aurora upgrades can be executed for all end points from the Management Center.
-
-.. figure:: ../images/asgard-rule-management.png
-   :target: ../images/asgard-rule-management.png
-   :alt: Asgard Rule Management
-
-The rule management is described in more detail in `this <https://asgard-manual.nextron-systems.com/en/latest/usage/administration.html#service-control>`_ section of the ASGARD Management Center manual.
-
+When using ASGARD Management Center, you can update Aurora Agent and its signatures for all end systems from the Management Center. 
+Doing so is described in more detail in `this <https://asgard-manual.nextron-systems.com/en/latest/usage/administration.html#service-control>`_ section of the ASGARD Management Center manual.
 
 Manual Upgrades and Updates
 ---------------------------
 
 Aurora Agent Upgrades
----------------------
+^^^^^^^^^^^^^^^^^^^^^
 
 Aurora can be upgraded using the Aurora Agent Util binary that is distributed as part of the Aurora Agent package.
 To upgrade Aurora to the latest version, use:
@@ -36,7 +28,7 @@ When upgrading Aurora while it is installed, make sure to:
 
 
 Signature Updates
------------------
+^^^^^^^^^^^^^^^^^
 
 When Aurora Agent is installed, it adds a scheduled task that checks daily for signature updates and automatically restarts the service. Usually, this is sufficient and no manual action is necessary.