Recipes Reference
Complete Field Reference
Complete reference guide for all recipe configuration fields, file actions, macros, and advanced filtering options.
Using reading_of_ssh_keys.yaml as an example:
```yaml
# Reading of SSH keys detected.
- kind: reading_of_ssh_keys
  name: reading_of_ssh_keys
  enabled: true
  version: 1.0
  description: Reading of SSH keys detected
  #
  documentation: https://garnet.gitbook.io/jibril/detections/file-access/reading_of_ssh_keys
  breed: file_access
  mechanism: file_access
  tactic: credential_access
  technique: unsecured_credentials
  importance: medium
  #
  file_actions:
    - read
  file_actions_how: any
  #
  times:
    - kind: times_per_exe
      max: 2
    - kind: times_per_parent_exe
      max: 4
    - kind: times_per_full_ancestry
      max: 4
  #
  arbitrary:
    - how: AND
      which: pertinent
      items:
        - what: cmd
          pattern: "(containerd|sshd|ssh|scannercli|runc|update-ssh-keys|coreos-metadata|worker-[1-5])"
          which: irrelevant
        - what: args
          pattern: "/(python|dist-packages)/"
          which: irrelevant
  bases:
    - regex: "(authorized_keys|identity.pub|id_rsa.pub|id_rsa|ssh_config|id_dsa.pub|id_dsa|sshd_config|ssh_host_dsa_key.pub|ssh_host_dsa_key|ssh_host_rsa_key.pub|ssh_host_rsa_key|ssh_host_key.pub|ssh_host_key)$"
```
Required Fields
- kind - Unique identifier for the recipe type
- name - Name of the specific recipe instance
- version - Recipe version (numeric)
- description - Brief description
- mechanism - Detection mechanism type
- breed - Detection category
- tactic - MITRE ATT&CK tactic
- technique - MITRE ATT&CK technique
- importance - Severity level (low/medium/high/critical)
Optional fields:
- subtechnique - MITRE ATT&CK sub-technique
File Action Values
Individual Actions
- fasync: File asynchronous operations
- flock: File locking operations
- fsync: File synchronization
- llseek: Low-level seek operations
- mmap: Memory mapping operations
- open: File open operations
- read: File read operations
- write: File write operations
- rename: File rename operations
- truncate: File truncation operations
- unlink: File deletion operations
- create: File creation operations
- close: File close operations
- link: Hard link operations
- execve: Executable file operations
Action Matching
- how - Specifies how the listed actions should match
- any - Any listed action matches
- all - All listed actions must match
File Action Macros
Macros provide convenient shortcuts for common file action patterns. Instead of listing each individual action, use these macros in your recipes.
any
Matches every file action; useful for comprehensive monitoring.
Includes:
- fasync
- flock
- fsync
- llseek
- mmap
- open
- read
- write
- rename
- truncate
- unlink
- create
- close
- link
- execve
read_related
File reading operations including seek and memory mapping.
Includes:
- llseek
- mmap
- read
modify_related
File modification operations.
Includes:
- fsync
- write
- rename
- truncate
- unlink
- create
- link
access_related
General file access (reads and writes).
Includes:
- fsync
- llseek
- mmap
- open
- read
- write
- rename
- truncate
- unlink
- create
- close
- link
access_no_mmap_related
File access without memory mapping operations.
Includes:
- fsync
- llseek
- open
- read
- write
- rename
- truncate
- unlink
- create
- close
- link
tamper_related
File tampering: rename, truncate, delete, and link operations.
Includes:
- rename
- truncate
- unlink
- link
Times Kind Values
| Limit Type | Scope Description |
|---|---|
| times_per_proc | Per process |
| times_per_exe | Per executable |
| times_per_parent_proc | Per parent process |
| times_per_parent_exe | Per parent executable |
| times_per_full_ancestry | Per full process tree |
| times_per_hostname | Per hostname |
| times_per_host | Global limit |
Alchemy Classification
Mechanism
What core aspect does this recipe operate on?
- file_access
- execution
- network_peers
Breed
What is the specific target or context?
- file_access
- execution
- remote_domains
- remote_cidrs
- env_vars
Importance
How severe or impactful is the matched recipe?
- low
- medium
- high
- critical
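The following is an added example, not Jibril's own code, that ties the reference together: it expands the file-action macros above, applies the any/all matching rule (interpreted as "at least one configured action seen" versus "every configured action seen"), and checks a recipe against the required fields, importance levels and times kinds listed on this page. The recipe dict is constructed from the reading_of_ssh_keys example, trimmed to the checked fields; a recipe loaded from YAML would have the same shape.

```python
# Added example, not Jibril's own code: macro expansion, any/all matching and field checks.
ACTIONS = {"fasync", "flock", "fsync", "llseek", "mmap", "open", "read", "write",
           "rename", "truncate", "unlink", "create", "close", "link", "execve"}
MACROS = {  # expansions exactly as listed in the macro reference above
    "any": ACTIONS,
    "read_related": {"llseek", "mmap", "read"},
    "modify_related": {"fsync", "write", "rename", "truncate", "unlink", "create", "link"},
    "access_related": ACTIONS - {"fasync", "flock", "execve"},
    "access_no_mmap_related": ACTIONS - {"fasync", "flock", "execve", "mmap"},
    "tamper_related": {"rename", "truncate", "unlink", "link"},
}
REQUIRED = ("kind", "name", "version", "description", "mechanism", "breed",
            "tactic", "technique", "importance")
IMPORTANCE = ("low", "medium", "high", "critical")
TIMES_KINDS = {"times_per_proc", "times_per_exe", "times_per_parent_proc", "times_per_parent_exe",
               "times_per_full_ancestry", "times_per_hostname", "times_per_host"}

def expand_file_actions(entries):
    """Expand macro names and individual actions into one set; unknown names are an error."""
    expanded = set()
    for entry in entries:
        if entry not in MACROS and entry not in ACTIONS:
            raise ValueError(f"unknown file action or macro: {entry}")
        expanded |= MACROS.get(entry, {entry})
    return expanded

def actions_match(recipe, observed):
    """file_actions_how 'any': one configured action seen; 'all': every configured action seen."""
    wanted, seen = expand_file_actions(recipe["file_actions"]), set(observed)
    how = recipe.get("file_actions_how", "any")  # assumption: 'any' is the default
    if how not in ("any", "all"):
        raise ValueError(f"file_actions_how must be any or all, got {how!r}")
    return bool(wanted & seen) if how == "any" else wanted <= seen

def validate_recipe(recipe):
    """Return a list of problems; an empty list means the recipe passes these checks."""
    problems = [f"missing required field: {f}" for f in REQUIRED if f not in recipe]
    if recipe.get("importance") not in IMPORTANCE:
        problems.append(f"importance must be one of {IMPORTANCE}")
    for t in recipe.get("times", []):
        if t.get("kind") not in TIMES_KINDS:
            problems.append(f"unknown times kind: {t.get('kind')}")
    return problems

SSH_KEYS_RECIPE = {  # constructed from the reading_of_ssh_keys example above, trimmed
    "kind": "reading_of_ssh_keys", "name": "reading_of_ssh_keys", "version": 1.0,
    "description": "Reading of SSH keys detected", "mechanism": "file_access",
    "breed": "file_access", "tactic": "credential_access", "technique": "unsecured_credentials",
    "importance": "medium", "file_actions": ["read"], "file_actions_how": "any",
    "times": [{"kind": "times_per_exe", "max": 2}, {"kind": "times_per_parent_exe", "max": 4}],
}
```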