docs: 1.6.0 version docs (#128)

rabbitstack · web-flow · commit 92ae744de7f0 · 2022-08-31T19:17:15.000+02:00
* preparting docs 1.6.0

* document sequence group policies

* fix wording

* fix wording
diff --git a/README.md b/README.md
@@ -27,9 +27,9 @@
 
 ### What is Fibratus?
 
-Fibratus is a tool for exploration and tracing of the **Windows** kernel. It lets you trap system-wide [events](https://www.fibratus.io/#/kevents/anatomy) such as process life-cycle, file system I/O, registry modifications or network requests among many other observability signals. In a nutshell, Fibratus allows for gaining deep operational visibility into the Windows kernel but also processes running on top of it.
+Fibratus is a tool for exploration and tracing of the **Windows** kernel. It lets you trap system-wide [events](https://www.fibratus.io/#/kevents/anatomy) such as process life-cycle, file system I/O, registry modifications or network requests among many other observability signals. In a nutshell, Fibratus allows for gaining deep operational visibility into the Windows kernel but also processes running on top of it. It requires no drivers nor third-party software.
 
-Events can be shipped to a wide array of [output sinks](https://www.fibratus.io/#/outputs/introduction) or dumped to [capture](https://www.fibratus.io/#/captures/introduction) files for local inspection and forensics analysis. The powerful [filtering](https://www.fibratus.io/#/filters/introduction) engine permits drilling into the event flux entrails.
+Events can be shipped to a wide array of [output sinks](https://www.fibratus.io/#/outputs/introduction) or dumped to [capture](https://www.fibratus.io/#/captures/introduction) files for local inspection and forensics analysis. The powerful [filtering](https://www.fibratus.io/#/filters/introduction) engine permits drilling into the event flux entrails and the [rules engine](https://www.fibratus.io/#/filters/rules) is capable of detecting stealthy adversary attacks and sophisticated threats.
 
 You can use [filaments](https://www.fibratus.io/#/filaments/introduction) to extend Fibratus with your own arsenal of tools and so leverage the power of the Python ecosystem
 
@@ -69,7 +69,7 @@ fibratus run -f watch_files
 
 - :zap: blazing fast
 - :satellite: collects a wide spectrum of kernel events - from process to network observability signals
-- :mag: super powerful filtering engine
+- :mag: super powerful filtering and rule engine
 - :snake: running Python scriptlets on top of kernel event flow
 - :minidisc: capturing event flux to **kcap** files and replaying anywhere
 - :rocket: transporting events to Elasticsearch, RabbitMQ or console sinks
@@ -100,7 +100,7 @@ fibratus run -f watch_files
 * [**Network**](https://www.fibratus.io/#/kevents/network)
 * [**Handle**](https://www.fibratus.io/#/kevents/handle)
 
-### Filters
+### Filters and Rules
 
 * [**Needle in the haystack**](https://www.fibratus.io/#/filters/introduction)
 * [**Prefiltering**](https://www.fibratus.io/#/filters/prefiltering)
@@ -131,6 +131,8 @@ fibratus run -f watch_files
 * [**Null**](https://www.fibratus.io/#/outputs/null)
 * [**RabbitMQ**](https://www.fibratus.io/#/outputs/rabbitmq)
 * [**Elasticsearch**](https://www.fibratus.io/#/outputs/elasticsearch)
+* [**Eventlog**](https://www.fibratus.io/#/outputs/eventlog)
+* [**HTTP**](https://www.fibratus.io/#/outputs/http)
 
 
 ### Transformers
diff --git a/configs/fibratus.yml b/configs/fibratus.yml
@@ -185,7 +185,7 @@ kstream:
     events:
       - CloseFile
       - CloseHandle
-    # Contains a list of case-insensitive process image names including the extension.
+    # Contains a list of case-sensitive process image names including the extension.
     # Any event originated by the image specified in this list is dropped from the event stream
     images:
       - System
diff --git a/docs/_coverpage.md b/docs/_coverpage.md
@@ -4,7 +4,7 @@
   <img src='logo.png'></img>
 </div>
 
-# fibratus <small>1.5.0</small>
+# fibratus <small>1.6.0</small>
 
 > A modern tool for the Windows kernel exploration and observability
 
@@ -19,4 +19,3 @@
 <div>
   <img src='images/fibratus-term.gif'></img>
 </div>
-
diff --git a/docs/_sidebar.md b/docs/_sidebar.md
@@ -13,7 +13,7 @@
   * [Registry](kevents/registry.md)
   * [Network](kevents/network.md)
   * [Handle](kevents/handle.md)
-* <ion-icon name="filter-outline"></ion-icon> Filters
+* <ion-icon name="filter-outline"></ion-icon> Filters and Rules
   * [Needle In The Haystack](filters/introduction.md)
   * [Prefiltering](filters/prefiltering.md)
   * [Filtering](filters/filtering.md)
diff --git a/docs/filters/fields.md b/docs/filters/fields.md
@@ -119,7 +119,8 @@ The following tables summarize available field names that can be used in filter
 | file.offset     | Read/write position in the file | `file.offset = 1024`   |
 | file.type       | File type. Possible values are `file`, `directory`, `pipe`, `console`, `mailslot`, `other`, `unknown` | `file.type = 'directory'`   |
 | file.extension  | File extension represents the file extension (e.g. .exe or .dll) | `file.extension = '.dll'`   |
-
+| file.attributes | List of file attributes | `file.attributes in ('hidden', 'temporary')`   |
+| file.status | System status message of the `CreateFile` operation | `file.status = 'success'`   |
 
 ### Registry
 | Field Name  | Description | Example     |
diff --git a/docs/filters/filtering.md b/docs/filters/filtering.md
@@ -59,6 +59,35 @@ Filter expressions can accept escape sequences, such as newline characters (`\n`
 If a syntax error is present in the filter, a hint is given indicating the erroneous position in the expression.  
 
 ```
-ps.name =          
-         ^ expected field, string, number, bool, ip
+kevt.name in ('RegCreateKey', 'RegDeleteKey', 'RegSetValue', 'RegDeleteValue')
+      and
+   registry.key.name icontains
+      (
+        'CurrentVersion\\Run',
+        'Windows\\System\\Scripts',
+        'CurrentVersion\\Windows\\Load',
+        'CurrentVersion\\Windows\\Run',
+        'CurrentVersion\\Winlogon\\Shell',
+        'CurrentVersion\\Winlogon\\System',
+        'UserInitMprLogonScript'
+      )
+      or
+   registry.key.name istartswith
+      (
+        'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify',
+        'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell',
+        'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit',
+        'HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32',
+        HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\BootExecute',
+╭──────────^
+|        'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug'
+|      )
+|      or
+|   registry.key.name iendswith
+|      (
+|        'user shell folders\\startup'
+|      )
+|
+|
+╰─────────────────── expected field, string, number, bool, ip, function, pattern binding
 ```
diff --git a/docs/filters/introduction.md b/docs/filters/introduction.md
@@ -10,9 +10,31 @@ ps.name in ('cmd.exe', 'powershell.exe', 'winword.exe')
 
 It may look intimidating at first glance, but once you get familiar with the syntax and the field names you'll be able to write even the most intricate filters.
 
-Filters can be used in various places:
+Filters represent the foundation of the [rule engine](/filters/rules) that provides threat detection capabilities. For example, the following stanza detects the outbound communication followed by the execution of the command shell within one-minute time window. The action invokes the [alert sender](/alerts/senders) to emit the security alert via email or Slack. 
 
-- the `run` command
-- the `capture` command when dumping the event flow to the capture file
-- the `replay` command when recovering the event flow from the capture file
-- filaments
+```yaml
+- group: remote connection and command shell execution
+  policy: sequence
+  rules:
+    - name: establish remote connection
+      condition: >
+        kevt.name = 'Connect'
+          and
+          not
+        cidr_contains(
+          net.dip,
+          '10.0.0.0/8',
+          '172.16.0.0/12')
+    - name: spawn command shell
+      max-span: 1m
+      condition: >
+        kevt.name = 'CreateProcess'
+          and
+        ps.pid = $1.ps.pid
+          and
+        ps.sibling.name in ('cmd.exe', 'powershell.exe')
+  action: >
+    {{ emit "Command shell spawned after remote connection"
+      (printf "%s process spawned a command shell after connecting to %s" .Kevts.k2.PS.Exe .Kevts.k1.Kparams.dip)
+    }}
+```
diff --git a/docs/filters/prefiltering.md b/docs/filters/prefiltering.md
@@ -16,4 +16,4 @@ The above is the summary of configuration options that influence the collection
 If you want to permanently exclude specific kernel events or processes that produce them from the event flow, you can achieve this by defining the blacklist in the `kstream.blacklist` configuration section:
 
 - `events` contains a list of kernel event names that are dropped from the event stream.
-- `images` contains a list of case-insensitive process image names including the extension. Any event originated by the image specified in this list is dropped from the event stream.
+- `images` contains a list of case-sensitive process image names including the extension. Any event originated by the image specified in this list is dropped from the event stream.
diff --git a/docs/filters/rules.md b/docs/filters/rules.md
diff --git a/docs/kevents/file.md b/docs/kevents/file.md
diff --git a/docs/overview/what-is-fibratus.md b/docs/overview/what-is-fibratus.md
