mihari 5.4.5 → 5.4.7

data/docs/emitters/webhook.md

@@ -10,32 +10,32 @@ headers: ...
 template: ...
 ```
 
-| Name     | Type   | Required? | Default | Desc.                                                |
-| -------- | ------ | --------- | ------- | ---------------------------------------------------- |
-| url      | String | Yes       |         | URL                                                  |
-| method   | String | No        | POST    | HTTP request method (GET or POST)                    |
-| headers  | Hash   | No        |         | HTTP request headers                                 |
-| template | String | No        |         | ERB template to customize the payload in JSON format |
+## Components
 
-You can customize the payload by using **template**.
+### URL
 
-A template is an ERB template. It should generate a valid JSON.
+`url` is a webhook URL.
 
-- [https://github.com/ruby/erb](https://github.com/ruby/erb)
+### Method
 
-You can use the following variables to build the JSON.
+`method` is an HTTP method. Optional. Defaults to `POST`.
 
-| Name        | Type                    | Default | Desc.        |
-| ----------- | ----------------------- | ------- | ------------ |
-| title       | String                  |         |              |
-| description | String                  |         |              |
-| source      | String                  |         | ID of a rule |
-| tags        | Array<String>           | []      |              |
-| artifacts   | Array<Mihari::Artifact> |         |              |
+### Headers
 
-## Example
+`headers` (hash) is HTTP headers. Optional.
 
-**ThreatFox**
+### Template
+
+`template` is an [ERB](https://github.com/ruby/erb) template to customize the payload to sent. A template should generate a valid JSON.
+
+You can use the following parameters inside an ERB template.
+
+- `rule`: a rule
+- `artifacts`: a list of artifacts
+
+## Examples
+
+### ThreatFox
 
 ```yaml
 - emitter: webhook

data/docs/requirements.md

@@ -1,20 +1,13 @@
 # Requirements
 
-- Runtime:
-  - Ruby 2.7+ / 3.0+ (tested with 2.7, 3.0, 3.1 and 3.2)
-- Database:
-  - SQLite3, PostgreSQL and MySQL
-- Others:
-  - MISP
-  - TheHive
+## Runtime
 
-| Name       | Supported versions      |
-| ---------- | ----------------------- |
-| Ruby       | v2.7, v3.0, v3.1 & v3.2 |
-| PostgreSQL | v15                     |
-| SQLite     | v3                      |
-| MySQL      | v8                      |
-| MISP       | v2.4                    |
-| TheHive    | v3 & v4                 |
+Ruby 2.7+ / 3.0+ (tested with 2.7, 3.0, 3.1 and 3.2)
+
+## Database
+
+- SQLite3
+- PostgreSQL
+- MySQL
 
 You need to have a database to persistent the data. See [Database](./emitters/database.md) for details.

data/docs/rule.md

@@ -20,6 +20,10 @@ An artifact has five types:
 
 An alert can have multiple artifacts bundled by a rule.
 
+!!! note
+
+    A rule is assumed to be executed multiple times continuously. An alert generated by a rule will only have new findings at that time.
+
 Let's break down the following example:
 
 ```yaml
@@ -60,45 +64,47 @@ data_types:
 falsepositives: []
 ```
 
-## ID
+## Components
+
+### ID
 
 `id` is an unique ID of a rule. UUID v4 is recommended.
 
-## Title
+### Title
 
 `title` is a title of a rule.
 
-## Description
+### Description
 
 `description` is a short description of a rule.
 
-## Created/Updated On
+### Created/Updated On
 
 `created_on` is a date of a rule creation. Optional.
 Also a rule can have `updated_on` that is a date of a rule modification. Optional.
 
-## Tags
+### Tags
 
 `tags` is a list of tags of a rule.
 
-## Author
+### Author
 
 `author` is an author of a rule. Optional.
 
-## References
+### References
 
 `references` is a list of a references of a rule. Optional.
 
-## Related
+### Related
 
 `related` is a list of related rule IDs. Optional.
 
-## Queries
+### Queries
 
 `queries` is a list of queries/analyzers.
 See [Analyzers](./analyzers/index.md) to know details of each analyzer.
 
-## Enrichers
+### Enrichers
 
 `enrichers` is a list of enrichers.
 See [Enrichers](./enrichers/index.md) to know details of each enricher.
@@ -110,7 +116,7 @@ Defaults to:
 - `shodan`
 - `whois`
 
-## Emitters
+### Emitters
 
 `emitters` is a list of emitters.
 See [Emitters](./emitters/index.md) to know details of each emitter.
@@ -122,7 +128,7 @@ Defaults to:
 - `slack`
 - `the_hive`
 
-## Data Types
+### Data Types
 
 `data_types` is a list of data (artifact) types to allow by a rule. Types not defined in here will be automatically rejected.
 
@@ -134,11 +140,11 @@ Defaults to:
 - `mail`
 - `hash`
 
-## False positives
+### False positives
 
 `falsepositives` is a list of false positive values. A string or regexp can be used in here.
 
-## Artifact TTL
+### Artifact TTL
 
 `artifact_ttl` (alias: `artifact_lifetime`) is an integer value of artifact TTL (Time-To-Live) in seconds.