docs: Documentation for version 1.8.0 (#139)

* add driver events section

* documentation changes for version 1.8.0

* address typos

Author: rabbitstack

configs/fibratus.yml

@@ -301,7 +301,7 @@ output:
     #template-name: fibratus
 
     # Represents the target index for kernel events. It allows time specifiers to create indices per time frame.
-    # For example, fibratus-%Y-%m generates the index name with current year and and month time specifiers
+    # For example, fibratus-%Y-%m generates the index name with current year and month time specifiers
     #index-name: fibratus
 
     # Contains the full JSON body of the index template. For more information refer to

docs/_coverpage.md

@@ -4,7 +4,7 @@
   <img src='logo.png'></img>
 </div>
 
-# fibratus <small>1.6.0</small>
+# fibratus <small>1.8.0</small>
 
 > A modern tool for Windows kernel exploration and observability with a focus on security
 

docs/_sidebar.md

@@ -13,6 +13,7 @@
   * [Registry](kevents/registry.md)
   * [Network](kevents/network.md)
   * [Handle](kevents/handle.md)
+  * [Driver](kevents/driver.md)
 * <ion-icon name="filter-outline"></ion-icon> Filters and Rules
   * [Needle In The Haystack](filters/introduction.md)
   * [Prefiltering](filters/prefiltering.md)

docs/filters/fields.md

@@ -78,6 +78,7 @@ The following tables summarize available field names that can be used in filter
 | ps.sibling.pid     | Sibling process identifier  | `ps.sibling.id = 6050`   |
 | ps.sibling.comm    | Sibling process command line  | `ps.sibling.name contains '/k /v'`   |
 | ps.sibling.exe     | Sibling process executable full path  | `ps.sibling.exe = 'C:\\Windows\\system32\\cmd.exe'`   |
+| ps.sibling.args    | Sibling process command line arguments  | `ps.sibling.args in ('C:\\Windows\\system32\\cmd.exe')`   |
 | ps.sibling.sid     | Sibling process security identifier  | `ps.sibling.sid contains 'SYSTEM'`   |
 | ps.sibling.sessionid   | Sibling process session identifier  | `ps.sibling.sessionid = 1`   |
 | ps.sibling.domain    | Sibling process domain name  | `ps.sibling.domain = 'NT AUTHORITY'`   |

docs/filters/functions.md

@@ -288,3 +288,24 @@ Additionally, some functions may return a collection of values. Function names a
     ```
     fibratus run regex(ps.name, 'power.*(shell|hell).dll', '.*hell.exe')
     ```
+
+### Miscellaneous functions
+
+#### is_minidump
+
+`is_minidump` checks the signature of the provided file and returns `true` if the signature matches the `minidump` file.
+
+- **Specification**
+    ```
+    is_mindump(path: <string>) :: <bool>
+    ```
+    - `string`: The file path for which the minidump signature is checked
+    - `return` `true` if the file contains the `minidump` signature or `false` otherwise
+
+- **Examples**
+
+    Assuming the `file.name` field contains `C:\\Temp\\lsass.dmp` which is a valid `minidump` file. The function call would return a `true` value.
+
+    ```
+    fibratus run is_minidump(file.name)
+    ```

docs/filters/images/rule-alert.png

@@ -13,10 +13,10 @@ It may look intimidating at first glance, but once you get familiar with the syn
 Filters represent the foundation of the [rule engine](/filters/rules) that provides threat detection capabilities. For example, the following stanza detects the outbound communication followed by the execution of the command shell within one-minute time window. The action invokes the [alert sender](/alerts/senders) to emit the security alert via email or Slack. 
 
 ```yaml
-- group: remote connection and command shell execution
+- group: Remote connection followed by the command shell execution
   policy: sequence
   rules:
-    - name: establish remote connection
+    - name: Establish remote connection
       condition: >
         kevt.name = 'Connect'
           and
@@ -25,7 +25,7 @@ Filters represent the foundation of the [rule engine](/filters/rules) that provi
           net.dip,
           '10.0.0.0/8',
           '172.16.0.0/12')
-    - name: spawn command shell
+    - name: Spawn command shell
       max-span: 1m
       condition: >
         kevt.name = 'CreateProcess'
@@ -34,7 +34,10 @@ Filters represent the foundation of the [rule engine](/filters/rules) that provi
           and
         ps.sibling.name in ('cmd.exe', 'powershell.exe')
   action: >
-    {{ emit "Command shell spawned after remote connection"
-      (printf "%s process spawned a command shell after connecting to %s" .Kevts.k2.PS.Exe .Kevts.k1.Kparams.dip)
+    {{ 
+        emit
+          .
+        "Command shell spawned after remote connection"
+        "%2.ps.exe process spawned a command shell after connecting to %1.net.dip"
     }}
 ```

docs/filters/introduction.md

@@ -4,14 +4,15 @@ The filter engine supports logical, arithmetic, and string operators. Operator n
 
 ## Binary operators
 
-The filtering query language supports the following  comparison binary operators:
+The filtering query language supports the following comparison binary operators:
 
 - `=` (equal)
 - `!=` (not equal)
 - `<` (less than)
 - `>` (greater than)
 - `>=` (greater or equal)
 - `<=` (less or equal)
+- `~=` (case-insensitive string comparison)
 
 ## Logical operators
 

docs/filters/operators.md

@@ -1,6 +1,6 @@
 # Prefiltering
 
-Sometimes it is useful to drop certain events either by image (process) name or event type once the event is peeked from the tracing buffer. Besides this, the kernel stream consumer can be configured to ignore events at the `ETW` session level. This can drastically reduce the load if you're not interested in particular events that are producing an immense volume of data.
+Sometimes it is useful to drop certain events either by image (process) name or event type once the event is peeked from the tracing buffer. Besides this, the kernel stream consumer can be configured to ignore events at the `ETW` session level. This can drastically reduce the impact on the system load if you're not interested in events that may produce an immense volume of data. 
 
 The above is the summary of configuration options that influence the collection of kernel events by the `Kernel Logger`. These options are placed in the `kstream` section of the configuration file.
 
@@ -10,10 +10,12 @@ The above is the summary of configuration options that influence the collection
 - `enable-fileio` enables/disables the collection of the file system events
 - `enable-image` enables/disables the collection of image loading/unloading events
 - `enable-handle` enables/disables the collection of handle events
+- `enable-audit-api` enables/disables kernel audit API calls events
+- `enable-antimalware-engine` enables/disables Antimalware Engine events, which primarily provide a source of [driver-loading](kevents/driver.md) events
 
 ### Blacklisting {docsify-ignore}
 
-If you want to permanently exclude specific kernel events or processes that produce them from the event flow, you can achieve this by defining the blacklist in the `kstream.blacklist` configuration section:
+If you want to permanently exclude specific events or processes that produce them from the event flow, you can achieve this by defining the blacklist in the `kstream.blacklist` configuration section:
 
-- `events` contains a list of kernel event names that are dropped from the event stream.
+- `events` contains a list of event names that are dropped from the event stream.
 - `images` contains a list of case-sensitive process image names including the extension. Any event originated by the image specified in this list is dropped from the event stream.