experimenting with github pages
mmguero committed Sep 23, 2022
1 parent ce521e7 commit 3f20469
Showing 8 changed files with 31 additions and 2 deletions.
3 changes: 1 addition & 2 deletions docs/README.md
@@ -90,8 +90,7 @@ For smaller networks, use at home by network security enthusiasts, or in the fie
- [Asset Management with NetBox](netbox.md#NetBox)
- [CyberChef](cyberchef.md#CyberChef)
- [API](api.md#API)
+ [Examples](api-examples.md#APIExamples)
* [Ingesting Third-party Logs](third-party-logs.md#ThirdPartyLogs)
* [Forwarding Third-Party Logs to Malcolm](third-party-logs.md#ThirdPartyLogs)
* [Malcolm installer ISO](malcolm-iso.md#ISO)
- [Installation](malcolm-iso.md#ISOInstallation)
- [Generating the ISO](malcolm-iso.md#ISOBuild)
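Review bot: two adjacent entries in this hunk, `* [Ingesting Third-party Logs](third-party-logs.md#ThirdPartyLogs)` and `* [Forwarding Third-Party Logs to Malcolm](third-party-logs.md#ThirdPartyLogs)`, point at the same anchor, and the rendered view does not show which of them is the deleted line and which the added one; confirm that only one survives and that its text matches the heading carrying `<a name="ThirdPartyLogs">` in third-party-logs.md. The new `+ [Examples](api-examples.md#APIExamples)` entry also uses an `#APIExamples` fragment that the api.md hunk in this same commit omits (`api-examples.md` with no anchor); pick one form for both TOCs and make sure api-examples.md actually defines that anchor.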
3 changes: 3 additions & 0 deletions docs/alerting.md
@@ -1,5 +1,8 @@
### <a name="Alerting"></a>Alerting

* [Alerting](#Alerting)
- [Email Sender Accounts](#AlertingEmail)

Malcolm uses the Alerting plugins for [OpenSearch](https://github.com/opensearch-project/alerting) and [OpenSearch Dashboards](https://github.com/opensearch-project/alerting-dashboards-plugin). See [Alerting](https://opensearch.org/docs/latest/monitoring-plugins/alerting/index/) in the OpenSearch documentation for usage instructions.

A fresh installation of Malcolm configures an example [custom webhook destination](https://opensearch.org/docs/latest/monitoring-plugins/alerting/monitors/#create-destinations) named **Malcolm API Loopback Webhook** that directs the triggered alerts back into the [Malcolm API](api.md#API) to be reindexed as a session record with `event.dataset` set to `alerting`. The corresponding monitor **Malcolm API Loopback Monitor** is disabled by default, as you'll likely want to configure the trigger conditions to suit your needs. These examples are provided to illustrate how triggers and monitors can interact with a custom webhook to process alerts.
10 changes: 10 additions & 0 deletions docs/api.md
@@ -1,3 +1,13 @@
### <a name="API"></a>API

* [Aggregations](api-aggregations.md)
* [Document](api-document-lookup.md)
* [Event](api-event-logging.md)
* [Examples](api-examples.md)
* [Fields](api-fields.md)
* [Indices](api-indices.md)
* [Ping](api-ping.md)
* [Version](api-version.md)
* [Examples](api-examples.md)

Malcolm provides a [REST API](./api/project/__init__.py) that can be used to programatically query some aspects of Malcolm's status and data. Malcolm's API is not to be confused with the [Viewer API](https://arkime.com/apiv3) provided by Arkime, although there may be some overlap in functionality.
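Review bot: `* [Examples](api-examples.md)` appears twice in the newly added list, once in alphabetical position between Event and Fields and again after Version; drop the trailing copy. The README.md hunk in this commit links the same page as `api-examples.md#APIExamples`, so either add the `#APIExamples` fragment here or remove it there so the two tables of contents agree. Unrelated to this change, but in the unchanged context line directly below the list, `programatically` should read `programmatically`.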
1 change: 1 addition & 0 deletions docs/development.md
@@ -35,6 +35,7 @@ Checking out the [Malcolm source code](https://github.com/idaholab/Malcolm/tree/
* `suricata-logs` - an initially empty directory for Suricata logs to be uploaded, processed, and stored
* `zeek` - code and configuration for the `zeek` container which handles PCAP processing using Zeek
* `zeek-logs` - an initially empty directory for Zeek logs to be uploaded, processed, and stored
* `_includes` and `_layouts` - templates for the HTML version of the documentation

and the following files of special note:

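Review bot: the new `* \`_includes\` and \`_layouts\`` entry is appended after `zeek-logs` in a list whose visible entries (`suricata-logs`, `zeek`, `zeek-logs`) are in alphabetical order; move it to where underscore-prefixed names sort in the rest of the list (normally the top) so the ordering stays predictable. The description "templates for the HTML version of the documentation" is also vaguer than it needs to be: the commit message says this is for GitHub Pages, so name that here (and the static-site generator that consumes `_includes`/`_layouts`, if it is Jekyll as those directory names suggest) so a reader knows these directories belong to the docs build and not to Malcolm's runtime.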
6 changes: 6 additions & 0 deletions docs/host-and-subnet-mapping.md
@@ -1,5 +1,11 @@
### <a name="HostAndSubnetNaming"></a>Automatic host and subnet name assignment

* [Automatic host and subnet name assignment](host-and-subnet-mapping.md#HostAndSubnetNaming)
- [IP/MAC address to hostname mapping via `host-map.txt`](host-and-subnet-mapping.md#HostNaming)
- [CIDR subnet to network segment name mapping via `cidr-map.txt`](host-and-subnet-mapping.md#SegmentNaming)
- [Defining hostname and CIDR subnet names interface](host-and-subnet-mapping.md#NameMapUI)
- [Applying mapping changes](host-and-subnet-mapping.md#ApplyMapping)

#### <a name="HostNaming"></a>IP/MAC address to hostname mapping via `host-map.txt`

The `host-map.txt` file in the Malcolm installation directory can be used to define names for network hosts based on IP and/or MAC addresses in Zeek logs. The default empty configuration looks like this:
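Review bot: this TOC spells out the file name in every link (`host-and-subnet-mapping.md#HostNaming`, `host-and-subnet-mapping.md#SegmentNaming`, ...), whereas the TOCs added to alerting.md, opensearch-instances.md, severity.md and zeek-intel.md in this same commit use bare fragments (`#AlertingEmail`, `#OpenSearchAuth`, `#SeverityConfig`, `#ZeekIntelMISP`). Pick one convention for all the per-file TOCs; the bare-fragment form used by the other four files is the natural choice here, since every link in this list targets an anchor in the same file. The link text `Defining hostname and CIDR subnet names interface` also reads awkwardly; something like `Interface for defining hostname and CIDR subnet names` would match the phrasing of the neighbouring entries, provided the heading it points to is renamed to match.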
3 changes: 3 additions & 0 deletions docs/opensearch-instances.md
@@ -1,5 +1,8 @@
### <a name="OpenSearchInstance"></a>OpenSearch instances

* [OpenSearch instances](#OpenSearchInstance)
- [Authentication and authorization for remote OpenSearch clusters](#OpenSearchAuth)

Malcolm's default standalone configuration is to use a local [OpenSearch](https://opensearch.org/) instance in a Docker container to index and search network traffic metadata. OpenSearch can also run as a [cluster](https://opensearch.org/docs/latest/opensearch/cluster/) with instances distributed across multiple nodes with dedicated [roles](https://opensearch.org/docs/latest/opensearch/cluster/#nodes) like cluster manager, data node, ingest node, etc.

As the permutations of OpenSearch cluster configurations are numerous, it is beyond Malcolm's scope to set up multi-node clusters. However, Malcolm can be configured to use a remote OpenSearch cluster rather than its own internal instance.
3 changes: 3 additions & 0 deletions docs/severity.md
@@ -1,5 +1,8 @@
### <a name="Severity"></a>Event severity scoring

* [Event severity scoring](#Severity)
- [Customizing event severity scoring](#SeverityConfig)

As Zeek logs are parsed and enriched prior to indexing, a severity score up to `100` (a higher score indicating a more severe event) can be assigned when one or more of the following conditions are met:

* cross-segment network traffic (if [network subnets were defined](host-and-subnet-mapping.md#HostAndSubnetNaming))
Expand Down
4 changes: 4 additions & 0 deletions docs/zeek-intel.md
@@ -1,5 +1,9 @@
### <a name="ZeekIntel"></a>Zeek Intelligence Framework

* [Zeek Intelligence Framework](#ZeekIntel)
- [STIX™ and TAXII™](#ZeekIntelSTIX)
- [MISP](#ZeekIntelMISP)

To quote Zeek's [Intelligence Framework](https://docs.zeek.org/en/master/frameworks/intel.html) documentation, "The goals of Zeek’s Intelligence Framework are to consume intelligence data, make it available for matching, and provide infrastructure to improve performance and memory utilization. Data in the Intelligence Framework is an atomic piece of intelligence such as an IP address or an e-mail address. This atomic data will be packed with metadata such as a freeform source field, a freeform descriptive field, and a URL which might lead to more information about the specific item." Zeek [intelligence](https://docs.zeek.org/en/master/scripts/base/frameworks/intel/main.zeek.html) [indicator types](https://docs.zeek.org/en/master/scripts/base/frameworks/intel/main.zeek.html#type-Intel::Type) include IP addresses, URLs, file names, hashes, email addresses, and more.

Malcolm doesn't come bundled with intelligence files from any particular feed, but they can be easily included into your local instance. On [startup](shared/bin/zeek_intel_setup.sh), Malcolm's `malcolmnetsec/zeek` docker container enumerates the subdirectories under `./zeek/intel` (which is [bind mounted](https://docs.docker.com/storage/bind-mounts/) into the container's runtime) and configures Zeek so that those intelligence files will be automatically included in its local policy. Subdirectories under `./zeek/intel` which contain their own `__load__.zeek` file will be `@load`-ed as-is, while subdirectories containing "loose" intelligence files will be [loaded](https://docs.zeek.org/en/master/frameworks/intel.html#loading-intelligence) automatically with a `redef Intel::read_files` directive.