The eXtraction and Processing (XP) language is used to write detection rules based on the analysis of endpoint events, similar to Sigma rules. In XP you can develop rules for normalization, event aggregation, correlation and enrichment.
A quick start is available here.
This extension was developed by Dmitry Fedosov and contributors. It lets you develop and test rules in VSCode and VSCodium and publish them in the format required by your product.
Guide to working with the extension (partially outdated, updating process in progress): https://vscode-xp.readthedocs.io/
Extension features:
- Viewing and editing normalization, aggregation, correlation, enrichment and table list rules.
- Creating correlation, enrichment and normalization rules from templates.
- Viewing, editing and creating integration and unit tests for correlation, enrichment and normalization rules.
- Running integration and unit tests for correlation, enrichment and normalization rules.
- Auto-completion of keywords, functions, typical XP language constructs and taxonomy fields.
- Static validation of rule source code for common errors.
- Filling in rule metadata.
- Creating and editing rule localizations.
- Building rule graphs, schemas and database table lists.
- Checking the response of the entire correlation graph to raw (unprocessed) events.
- Unpacking and packing expertise packages into KB-format files.
Note: for some of these operations the extension uses additional utilities that are available in a separate repository.
You can easily get a ready-made XP development environment by using the VSCode XP Workspace project. Everything is bundled in a single Docker container, and editing is done through the web version of VSCode. Details are in the project repository.
In general, to write correlation rules you will need event normalization formulas. Basic normalization formulas are available in our open expertise repository. In the future, other types of XP rules created by the community will appear there.
The extension is developed by the Security Experts Community. You can take part in the project and contribute your expertise. The current list of project issues is published in the issue tracker; the task list is available in a convenient form in the repository project board.
To build the extension:
- Clone the repository:
```shell
git clone https://github.com/Security-Experts-Community/vscode-xp
```
- In the project root, run:
```shell
npm install
```
Main on GitHub: https://github.com/Security-Experts-Community/vscode-xp
Mirror on Codeberg: https://codeberg.org/Security-Experts-Community/vscode-xp
Mirror on GitFlic: https://gitflic.ru/project/security-experts-community/vscode-xp
For development you need to build the client, the server, the UI toolkit for the old views, and the new views with embedded React; use the command `npm run compile:all`.
When adding new React applications, update the `react:build:all` script so that it also builds those applications.
Before building the extension installation package (a `*.vsix` file), run `npm install -g vsce` in the project root (the `vsce` package on npm has since been superseded by `@vscode/vsce`, which provides the same `vsce` command).
To build the installation package, run `vsce package -o vscode-xp.vsix` or run the `publish.py` script in the project root.
Adding a UI toolkit component to an old-style view (outdated, since new views are developed with React embedded; delete this section once all views are rewritten in React):
- In the webview provider, add
  `const webviewUri = this.getUri(this._view.webview, this._config.getExtensionUri(), ["client", "out", "ui.js"]);`
- Pass `webviewUri` into `plain`:
  `"WebviewUri": webviewUri`
- In the webview, add
  `<script type="module" src="{{WebviewUri}}"></script>`
  to the scripts section.
- Add any component from the toolkit documentation to the webview.
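The steps above wire the bundled `ui.js` into a webview through a `{{WebviewUri}}` placeholder. The following is an added example, not code from the vscode-xp extension: it shows the substitution step as a small template renderer that HTML-escapes every value, and it adds a Content-Security-Policy with a per-load nonce so that the webview only executes the intended module script. The function names (`renderTemplate`, `buildWebviewHtml`, `makeNonce`) and the `Nonce`/`CspSource` placeholders are assumptions of this example; in a real provider the two string inputs come from `webview.asWebviewUri(vscode.Uri.joinPath(extensionUri, "client", "out", "ui.js")).toString()` and `webview.cspSource`, which are passed in here as plain strings so the code runs outside VS Code.

```typescript
// Added example (not the extension's own code). Renders webview HTML from a
// {{Name}} template with escaping and a nonce-based CSP. The VS Code API
// values (asWebviewUri(...) result, webview.cspSource) are taken as strings.
import { randomBytes } from "node:crypto";

// Escape a value before interpolating it into an HTML attribute or text node,
// so a crafted path or URI cannot close the attribute and inject markup.
function escapeHtml(value: string): string {
  return value
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Minimal {{Name}} substitution in the style the README's template uses.
// Every value is escaped; an unknown placeholder is an error so that a typo
// in the template cannot silently produce an empty <script src="">.
function renderTemplate(template: string, plain: Record<string, string>): string {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_match, name: string) => {
    const value = plain[name];
    if (value === undefined) {
      throw new Error(`template placeholder {{${name}}} has no value`);
    }
    return escapeHtml(value);
  });
}

// Fresh nonce per page load; the CSP below only allows scripts carrying it.
function makeNonce(): string {
  return randomBytes(16).toString("base64");
}

// webviewUri: what webview.asWebviewUri(...) returned for client/out/ui.js.
// cspSource:  webview.cspSource (the origin VS Code serves extension files from).
function buildWebviewHtml(webviewUri: string, cspSource: string, nonce: string): string {
  const template = `<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta http-equiv="Content-Security-Policy"
        content="default-src 'none'; script-src 'nonce-{{Nonce}}'; style-src {{CspSource}}; font-src {{CspSource}};">
  <title>XP rule view</title>
</head>
<body>
  <vscode-button id="run">Run tests</vscode-button>
  <script type="module" nonce="{{Nonce}}" src="{{WebviewUri}}"></script>
</body>
</html>`;
  // "plain" mirrors the dictionary the README passes into the template.
  return renderTemplate(template, {
    WebviewUri: webviewUri,
    CspSource: cspSource,
    Nonce: nonce,
  });
}

// Stand-alone run with constructed inputs (not real VS Code values).
const demoHtml = buildWebviewHtml(
  "https://file+.vscode-resource.vscode-cdn.net/ext/client/out/ui.js",
  "https://*.vscode-cdn.net",
  makeNonce(),
);
console.log(demoHtml);
```

Without the CSP a webview will run any inline script that ends up in the template, including one smuggled through an unescaped placeholder; with `default-src 'none'` plus a nonce, only the toolkit bundle loaded through `{{WebviewUri}}` executes.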
This is very rare, but it happens. Run `npm run package` and then `npm run compile`, one after the other.