Package File Formats

Humio packages are Zip files containing assets files (e.g., dashboards and alerts) a README file, and a manifest.yaml file.

The file structures of a typical package would look something like this:

humio
mypackage.zip
├── manifest.yaml
├── README.md
├── dashboards/
│   ├── dashboard-template-1.md
│   └── dashboard-template-2.md
├── alerts/
│   ├── alert-template-1.md
│   └── alert-template-2.md
├── queries/
│   ├── query-1.csv
│   └── query-2.json
...

Below is a description of each file (or file type) as well as a link to the JSON schema defining the file format.

Getting Started

We recommend you use Humio's export package feature to get started with creating your own packages. See Creating a Package. Fill out the form and examine the content of the zip file. It can be a good idea to check your package into source control and maintain it from there, rather than maintain everything in Humio and export every time

Understanding Package Scopes

As part of the export process you will be asked to input "scope". In Humio's package system, a scope is essentially a namespace that allows multiple parties to create a package with the same name while avoiding naming collisions. If for instance you create a packages called accesslog-parsers it would be namespaced under your registry scope (essentially username), allowing for packages to be named:

humio
tomcat/accesslog-parsers
nginx/accesslog-parsers
dilbert/accesslog-parsers

File Formats

The rest of this page describes the respective files that are part of a package. Most files are written in YAML and are best described by example. We also provide a JSON schema for each file (Json Scheme works YAML as well), you can find the Schemas further down this page.

manifest.yaml

The manifest.yaml contains meta information about the package itself, such as author, license, description, and other meta tags. If you are familiar with NodeJS, this file can be compared to the package.json in the NPM package system, some of this data is exposed to users when browsing the Marketplace.

  • Author - author

    It is suggested that you enter the Author as your company name, although you can use your individual name. It is preferred to NOT include email addresses here. The schema supports email and contributors but these should not be used as do not get shown in the product UI. Example: Acme

  • Minimum Humio Version - minHumioVersion

    This is the minimum Humio version required for the package to work. Example: 1.30.1

  • Licence

    For inclusion in the marketplace Humio requires the package to be usable under Apache 2.0 license. This is the default choice when creating a package using the Humio UI so does not need to be added to the manifest file.

    Note

    Any package submitted to the Marketplace without a license, or with a license that is not Apache 2.0 will require amending to include Apache 2.0 license prior to review

Example:

humio
$schema: https://schemas.humio.com/manifest/v2.0.0

name: nginx/nginx # <scope>/<name>

description: |
    This is a brief description of the package. One or two lines.

author:
  name: Thomas Anagrius
  email: thomas@humio.com

logoUrl: 

contributors:
  - Peter Johnson <john@example.com>
  - John Doe <john@example.com>

The logoUrl should be a base64 encoded version of the logo for the package (usually technology logo).

README.md

Each package must provide a README.md file in the root directory. You can write it in markdown format and as a minimum it should contain information about what the package does and how you are expected to use it.

README.md - Title

(this should be the name of the package but may include a couple of extra words if it help provide a meaningful title, must be less than 40 characters)

Underneath the title there should be a description of what it does and why. Focus on what log sources does it apply to, what data does it use and what does it show from that data. Make it really clear as to what the purpose of the package is.You can include links to external websites as long as they are directly relevant and help explain the package or add context. You can include links to Humio's documentation library to explain concepts and provide technical details or helpful tips.

README.md - Package Contents

List which of below are included. (you can include a description of each component if you wish but limited to 100 characters each. All packages need to include the required parsers. This may change in the future but for now a working parser must be included (it can be subject to dependencies as listed in the dependencies section below).

  • Parser

  • Queries

  • Alerts

  • Dashboards

README.md - Use Case

Use Case: (list all that apply from the selection of DevOps, SecOps, ITOps, IoT/OT)

  • DevOps - used by devops teams to provide observability of applications and the platforms the code runs on, including containerised and micro-services type environments.

  • SecOps - useful for security operations teams, typically to provide security monitoring and SIEM like functionality.

  • ITOps - used by IT operations teams to monitor IT systems and to provide investigations and root cause analysis

  • IoT/OT - used to provide security and/or operational management of Internet of Things devices or Operational Technology such as Scada and industrial process control and monitoring.

Technology Vendor: (list of vendors supported by package) e.g. AWS (Amazon Web Services) or Cisco.

  • Support: describe the level of support offered for this package. The default would be:

  • If you have any issues implementing or running this package, please go to support.humio.com for assistance.

  • If the package creator is not CrowdStrike/Humio then describe what support is offered by the package creator.

Dependencies:

  • List/describe dependencies for your package to work. These will typically include versions or configurations of the log sources and often the log collection method and formatting of logs. You can include a sample line of log data to illustrate the required format.

Installation:

Instructions on how to ingest the data and how to install and use the package. Must include any required configuration in external systems such as log sources as well as explaining any optional configurations or choices that need to be made. These should be summary instructions with a link to the Humio documentation library and the specific integration step by step instructions.

If your package is a collection of template files for a specific technology, a short description is usually enough.

README Files for Apps

If your package is an application, it should also explain:

  • Any additional pre- or post-installation steps users need to take.

  • A general introduction about how to get started, e.g. including configuration files.

README File Restrictions

The README cannot currently contain images or HTML tags. We plan on easing this restriction to allow images that have been vetted by Humio and hosted on servers hosted by Humio.

README.md Examples
ini files
## Corelight Threat Hunting Guide
This package contains alerts and saved searches that use Zeek (fka Bro) data from Corelight network sensors. The package contains around 60 different alerts/searches that are useful when threat hunting within Corelight data to detect potentially suspicious activity. This package is intended to accompany the [Corelight Threat Hunting Guide](https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs).
 
The guide provides an excellent introduction to threat hunting with Corelight data and is aligned to the Mitre ATT&CK framework (v6). Corelight provides a rich source of logs for threat hunters and is capable of detecting a large range of attacker tactics and techniques. The name of each alert/search includes the relevant Mitre ATT&CK tactic and techniques (as names and references codes). When threat hunters are reading the Corelight guide they can search the Humio package based on tactic and technique names or numbers to find the relevant Humio searches/alerts and simply click to run those searches.
 
The Corelight Threat Hunting Guide explains what to look for, this package shows you how.
For more information on how Corelight can provide valuable data for your security operations please visit www.corelight.com
 
## Package Contents
- Parser for Corelight JSON data
- Saved Searches
- Alerts (with no action defined)
 
## Use Case
- SecOps
 
## Technology Vendor
Corelight
 
## Support
Supported by Humio and Corelight. https://support.humio.com/ and support@corelight.com
 
## Dependencies
> ℹ️ The parser included assumes data is sent from Corelight in JSON format.
 
The package uses logs from the following log files from Corelight (all suffixed with .log): `conn`, `dce_rpc`, `dnp3`, `dns`, `files`, `http`, `kerberos`, `modes`, `notice`, `rdp`, `smb_files`, `smb_mapping`, `smtp`, `ssh`, `ssl`, `weird`. Please make sure all these log types are sent to Humio as otherwise some of the searches/alerts may not work.
 
## Installation
The preferred option for sending logs from Corelight to Humio is to choose 'Export to Splunk HEC' (available under the Sensor-> Export menu in the Corelight management interface). For 'HEC URI', enter your Humio service URL appended with `/api/v1/ingest/hec` (e.g. `https://cloud.humio.com/api/v1/ingest/hec`) For further information on using the Humio HEC see [the documentation](https://docs.humio.com/docs/ingesting-data/data-shippers/hec/).
Installing the package will automatically deploy the `corelight-json` parser, saved searches, and alerts directly into the repository you install the package into.
You will need to link the parser to an ingest token within Humio.
 
If you have already installed the `corelight-json` parser as part of the `corelight/sensor` package then you can use this existing parser as it is identical to the `corelight-json` parser in this package.

Note

Note that the README provides details ensuring that a user knows at least how their ingested data should arrive to ensure it is compatible with the parsers in the package. It is highly desirable that the README provides details on the exact procedures for data collection (i.e. a howto on getting the specific data source(s) into Humio).

Asset Files (Alerts, Dashboards, etc)

The best way to get started with asset files is to export assert you have authored in Humio and tweak them in a text editor.

Each file contains a $schema field which references the JSON schema that it is validated against.

Schemas

All schemas are hosted at: https://schemas.humio.com/

Tip

Many editors have support for Json Schemas and will give you suggestions and and validate the files on the fly. One such editor is Visual Studio Code.

Lookup Files

Packages can also contain lookup files. These are either CSV or JSON files, which Humio can use to look up data in while searching. These files do not have any schemas, and are stored in the data folder. Additionally some file has been added in the data folder of a package, it can be referred to from queries by typing packageScope/packageName/nameOfFile.csv, as opposed to just nameOfFile.csv that you would normally look up such a file with.