VS Code Extensions for Detection Engineering

Simon

Introduction

In this blog post, we'll explore useful Visual Studio Code extensions for detection engineering. These extensions can help you write and validate rules, navigate complex data structures, and even interrogate databases. Let's dive in!

Sigma

I like the concept of Sigma, but apart from a stint claiming bounties on SOC Prime's Threat Detection Marketplace, I don't typically write Sigma rules for production anymore and prefer to write native KQL, SPL and Lucene. I do, however, use the YAML schema at times for documenting detections. Nevertheless, Sigma has a great community and has released a feature-rich VSCode extension to help with authoring rules.

Yara

Yara for Visual Studio Code

Yara for Visual Studio Code is a must-have for writing Yara rules. It does everything you'd expect from an extension that provides language support, and even includes a few snippets, but the stand-out feature for me is "Display Hex Strings as ASCII": if you hover over a hex string, it converts it to ASCII and shows you the result.

YARA Language Server

Another awesome extension for Yara, and the one I use most often for Yara rules. The installation requires yls, and it is also compatible with the yari debugger.

STIX

STIX by Matthew Green is a fantastic extension that I use a lot, especially when validating third-party STIX bundles. STIX bundles can be difficult to navigate, and I don't always want to load a bundle into STIX Visualizer just to understand SDO and SCO relationships; this extension provides an easy-to-use tree view and a schema validator.

Splunk Extension

The Splunk Extension for Visual Studio Code provides a rich editing experience for Splunk Search Processing Language (SPL). It includes features like syntax highlighting, auto-completion, and snippets, making it easier to write and debug SPL queries.

And if I didn't already use msticpy for Jupyter Notebooks, I'm sure I'd be making use of the Splunk Notebooks functionality of this extension.

VSCode Attack

VSCode Attack is an extension that provides a rich interface for navigating and understanding the MITRE ATT&CK framework. It allows you to explore tactics, techniques, and procedures (TTPs) and provides detailed information about each one. The TTP enrichment and expansion are awesome for writing ATT&CK framework content.

Kusto Query Language

I have my own pipeline and git workflow for Kusto, but if you don't then I recommend using the tools released by Falcon Force. They include CI pipelines, a KQL query analyzer, and JSON schema definitions for Microsoft Sentinel and Microsoft Defender. Definitely check out the blog.

OSQuery

SQLite Viewer isn't going to help you write OSQuery queries, but it's useful when you need to interrogate an SQLite database while writing an OSQuery configuration for Automatic Table Construction.
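As an added example (not from the original post or from the SQLite Viewer or osquery projects), the script below does programmatically what you would otherwise do by hand with SQLite Viewer: it inspects the schema of a constructed sample database, then builds the osquery `auto_table_construction` entry that exposes that database as a virtual table. The `downloads` table, the `browser_downloads` table name and the `%`-wildcard path are all assumptions for illustration.

```python
import json
import re
import sqlite3
import tempfile
import os

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # identifiers go into SQL unquoted, so validate them

def make_sample_db(path):
    """Create a constructed SQLite file standing in for a real application database."""
    con = sqlite3.connect(path)
    with con:  # commits on success
        con.execute("CREATE TABLE IF NOT EXISTS downloads (id INTEGER PRIMARY KEY, "
                    "url TEXT, target_path TEXT, start_time INTEGER)")
        con.executemany(
            "INSERT INTO downloads (url, target_path, start_time) VALUES (?, ?, ?)",
            [("https://example.test/a.exe", "C:\\Users\\u\\Downloads\\a.exe", 1700000000),
             ("https://example.test/b.zip", "C:\\Users\\u\\Downloads\\b.zip", 1700000100)])
    con.close()

def table_columns(path, table):
    """Return the column names of `table`, the schema information SQLite Viewer shows."""
    if not IDENT.match(table):
        raise ValueError(f"unsafe table name: {table!r}")  # PRAGMA accepts no bind parameters
    con = sqlite3.connect(path)
    try:
        rows = con.execute(f"PRAGMA table_info({table})").fetchall()
    finally:
        con.close()
    if not rows:
        raise ValueError(f"no such table: {table!r}")
    return [row[1] for row in rows]  # rows are (cid, name, type, notnull, dflt_value, pk)

def build_atc_config(table_name, columns, source_table, db_glob, platform):
    """Build the osquery auto_table_construction entry for one virtual table."""
    for ident in [table_name, source_table, *columns]:
        if not IDENT.match(ident):
            raise ValueError(f"unsafe identifier: {ident!r}")
    return {"auto_table_construction": {table_name: {
        "query": f"SELECT {', '.join(columns)} FROM {source_table}",  # run against each DB file
        "path": db_glob,      # wildcard path osquery expands to locate the SQLite files
        "columns": columns,   # columns exposed by the new virtual table
        "platform": platform}}}

def demo():
    """Inspect the constructed DB and return the generated ATC config."""
    db = os.path.join(tempfile.mkdtemp(), "constructed_downloads.db")
    make_sample_db(db)
    cols = table_columns(db, "downloads")
    return build_atc_config("browser_downloads", cols, "downloads",
                            "C:\\Users\\%\\AppData\\Local\\ExampleApp\\downloads.db", "windows")

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```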
