Skip to content

Latest commit

 

History

History
82 lines (48 loc) · 5.06 KB

README.en.md

File metadata and controls

82 lines (48 loc) · 5.06 KB

Documentation Status Telegram chat en

XP language support in Visual Studio Code

The eXtraction and Processing (XP) language is used to create detection rules based on the analysis of events from endpoints, similar to Sigma rules. In the XP language, you can develop rules for normalization, event aggregation, correlation and enrichment.

You can quickly start here.

This extension was developed by Dmitry Fedosov and contributors, it allows you to develop and test rules in VSCode and VSCodium, and publish them in the format required for your product.

Guide to working with the extension (partially outdated, updating process in progress): https://vscode-xp.readthedocs.io/

Main features

Expansion options:

  • View and edit normalization, aggregation, correlation, enrichment and table list rules.
  • Creation of correlation, enrichment and normalization rules from templates.
  • View, edit, create integration and unit tests for correlation, enrichment and normalization rules.
  • Run integration and unit tests for correlation, enrichment and normalization rules.
  • Automatic addition of keywords, functions, typical XP language constructs and taxonomy fields.
  • Static validation of source code for common errors.
  • Filling in rules metadata.
  • Creating and editing localization rules.
  • Collection of rule graphs, schemas and database table lists.
  • Checking the response of the entire correlation graph to unprocessed events.
  • Unpacking and packaging of examination packages into KB format files.

Note: For some of these operations, the extension uses additional utilities that are available in separate repository.

Using the VSCode XP Workspace Project

You can easily get a ready-made development environment for XP if you use the VSCode XP Workspace project. Everything in it is collected in a single Docker container, and editing occurs through the web version of VSCode. Details in the project repository.

Event normalization

To write correlation rules, in general, you will need event normalization formulas. In our open expertise repository you can find basic normalization formulas. In the future there will be other types of rules in the XP language created by the community.

For developers

The extension is being developed by the Security Experts Community. You can take part in the project and contribute your expertise to it. The current list of project issues is published in the issue list. The list of tasks can be found in a convenient form in the repository project.

Compilation

To compile the extension:

  1. Install VSCode.

  2. Install Node.js.

  3. Create a local copy of the repository:

git clone https://github.com/Security-Experts-Community/vscode-xp
  1. In the project root, run the npm install command.

Repositories

Main on GitHub: https://github.com/Security-Experts-Community/vscode-xp

Mirror on Codeberg: https://codeberg.org/Security-Experts-Community/vscode-xp

Mirror on GitFlic: https://gitflic.ru/project/security-experts-community/vscode-xp

Compiling all parts of the project

To carry out development, you need to assemble a client, server, ui toolkit for old views and new views with embedded react, use the command npm run compile.

For the webview development use the command npm run watch:webview and launch the Launch Client (Webview DEV) configuration.

Assembling the extension into an installation package

Before building the extension installation package (*.vsix file), you need to run the command npm install -g vsce in the root of the project.

To build the extension installation package, run the command vsce package -o vscode-xp.vsix or run the publish.py script in the project root.

If code changes are not updated during development

This is very rare, but it happens. We write npm run package and npm run compile one by one