Make release 0.77.1-rc1 (Velocidex#1271)

Author: scudette

content/artifact_references/pages/admin.client.remove.md

@@ -5,21 +5,24 @@ sitemap:
   disable: true
 tags: [Server Artifact]
 description: |
-  This artifact will remove clients that have not checked in for a
-  while.  All data for these clients will be removed.
+  Purges inactive clients based on a configurable age threshold.
 ---
 
-This artifact will remove clients that have not checked in for a
-while.  All data for these clients will be removed.
+Purges inactive clients based on a configurable age threshold.
+
+This artifact can be used to remove clients that have not checked in
+for a while. All data for these clients will be removed.
 
 The artifact enumerates all the files that are removed.
 
 
 <pre><code class="language-yaml">
 name: Admin.Client.Remove
 description: |
-  This artifact will remove clients that have not checked in for a
-  while.  All data for these clients will be removed.
+  Purges inactive clients based on a configurable age threshold.
+
+  This artifact can be used to remove clients that have not checked in
+  for a while. All data for these clients will be removed.
 
   The artifact enumerates all the files that are removed.
 

content/artifact_references/pages/admin.client.uninstall.md

@@ -5,35 +5,32 @@ sitemap:
   disable: true
 tags: [Client Artifact]
 description: |
-  Uninstall Velociraptor from the endpoint.
+  Executes uninstall commands via msiexec, dpkg, or rpm to remove the
+  client from the endpoint.
 ---
 
-Uninstall Velociraptor from the endpoint.
-
-This artifact uninstalls a Velociraptor client (or any other MSI
-package) from the endpoint.
+Executes uninstall commands via msiexec, dpkg, or rpm to remove the
+client from the endpoint.
 
 Typically the client will be hard terminated during the uninstall
-process, so on the server it would appear that the collection is not
+process, so on the server it will appear that the collection is not
 completed. This is normal.
 
-NOTE: Be careful with the DisplayNameRegex to ensure you do not
+NOTE: Be careful with the `DisplayNameRegex` to ensure you do not
 uninstall another package accidentally.
 
 
 <pre><code class="language-yaml">
 name: Admin.Client.Uninstall
 description: |
-  Uninstall Velociraptor from the endpoint.
-
-  This artifact uninstalls a Velociraptor client (or any other MSI
-  package) from the endpoint.
+  Executes uninstall commands via msiexec, dpkg, or rpm to remove the
+  client from the endpoint.
 
   Typically the client will be hard terminated during the uninstall
-  process, so on the server it would appear that the collection is not
+  process, so on the server it will appear that the collection is not
   completed. This is normal.
 
-  NOTE: Be careful with the DisplayNameRegex to ensure you do not
+  NOTE: Be careful with the `DisplayNameRegex` to ensure you do not
   uninstall another package accidentally.
 
 required_permissions:

content/artifact_references/pages/admin.client.updateclientconfig.md

@@ -5,10 +5,11 @@ sitemap:
   disable: true
 tags: [Client Artifact]
 description: |
-  Sometimes we wish to move a client from one org ID to another. This
-  requires updating the config on the client and rekeying the client.
+  Replaces client configuration and optionally rekeys the client ID.
 ---
 
+Replaces client configuration and optionally rekeys the client ID.
+
 Sometimes we wish to move a client from one org ID to another. This
 requires updating the config on the client and rekeying the client.
 
@@ -25,6 +26,8 @@ changed to a different org.
 <pre><code class="language-yaml">
 name: Admin.Client.UpdateClientConfig
 description: |
+  Replaces client configuration and optionally rekeys the client ID.
+
   Sometimes we wish to move a client from one org ID to another. This
   requires updating the config on the client and rekeying the client.
 

content/artifact_references/pages/admin.client.upgrade.debian.md

@@ -5,24 +5,27 @@ sitemap:
   disable: true
 tags: [Client Artifact]
 description: |
-  Remotely push new client updates to Debian hosts.
+  Upgrades Velociraptor clients on Debian hosts by installing a new
+  Debian package.
 ---
 
-Remotely push new client updates to Debian hosts.
+Upgrades Velociraptor clients on Debian hosts by installing a new
+Debian package.
 
-NOTE: This artifact requires that you supply a client Debian package by using the
-tools interface or by using the "debian client" command. Simply click on the tool
-in the GUI and upload a package.
+NOTE: This artifact requires that you supply a client Debian package
+by using the tools interface. Click on the tool button in the GUI
+and upload a package.
 
 
 <pre><code class="language-yaml">
 name: Admin.Client.Upgrade.Debian
 description: |
-  Remotely push new client updates to Debian hosts.
+  Upgrades Velociraptor clients on Debian hosts by installing a new
+  Debian package.
 
-  NOTE: This artifact requires that you supply a client Debian package by using the
-  tools interface or by using the "debian client" command. Simply click on the tool
-  in the GUI and upload a package.
+  NOTE: This artifact requires that you supply a client Debian package
+  by using the tools interface. Click on the tool button in the GUI
+  and upload a package.
 
 tools:
   - name: VelociraptorDebian

content/artifact_references/pages/admin.client.upgrade.redhat.md

@@ -5,24 +5,24 @@ sitemap:
   disable: true
 tags: [Client Artifact]
 description: |
-  Remotely push new client updates to Red Hat hosts.
+  Upgrades Velociraptor clients on Red Hat hosts by installing a new RPM package
 ---
 
-Remotely push new client updates to Red Hat hosts.
+Upgrades Velociraptor clients on Red Hat hosts by installing a new RPM package
 
-NOTE: This artifact requires that you supply a client Red Hat package by using the
-tools interface or by using the "rpm client" command. Simply click on the tool
-in the GUI and upload a package.
+NOTE: This artifact requires that you supply a client Red Hat
+package by using the tools interface. Click on the tool button in
+the GUI and upload a package.
 
 
 <pre><code class="language-yaml">
 name: Admin.Client.Upgrade.RedHat
 description: |
-  Remotely push new client updates to Red Hat hosts.
+  Upgrades Velociraptor clients on Red Hat hosts by installing a new RPM package
 
-  NOTE: This artifact requires that you supply a client Red Hat package by using the
-  tools interface or by using the "rpm client" command. Simply click on the tool
-  in the GUI and upload a package.
+  NOTE: This artifact requires that you supply a client Red Hat
+  package by using the tools interface. Click on the tool button in
+  the GUI and upload a package.
 
 tools:
   - name: VelociraptorRedHat

content/artifact_references/pages/admin.client.upgrade.windows.md

@@ -5,31 +5,34 @@ sitemap:
   disable: true
 tags: [Client Artifact]
 description: |
-  Remotely push new client updates.
+  Upgrades Velociraptor clients on Windows hosts by running msiexec
+  with the provided MSI.
 ---
 
-Remotely push new client updates.
+Upgrades Velociraptor clients on Windows hosts by running msiexec
+with the provided MSI.
 
-NOTE: This artifact requires that you supply a client MSI by using the
-tools interface. Simply click on the tool in the GUI and upload a
-pre-packaged MSI.
+NOTE: This artifact requires that you supply a _repacked_ client MSI
+by using the tools interface. Click on the tool button in the GUI
+and upload a repacked MSI.
 
-While typically the MSI will contain the Velociraptor windows
-client, you can install any other MSI as well by customizing this
+While typically the MSI will contain the Velociraptor Windows
+client, you can actually install any other MSI by customizing this
 artifact or uploading a different MSI file.
 
 
 <pre><code class="language-yaml">
 name: Admin.Client.Upgrade.Windows
 description: |
-  Remotely push new client updates.
+  Upgrades Velociraptor clients on Windows hosts by running msiexec
+  with the provided MSI.
 
-  NOTE: This artifact requires that you supply a client MSI by using the
-  tools interface. Simply click on the tool in the GUI and upload a
-  pre-packaged MSI.
+  NOTE: This artifact requires that you supply a _repacked_ client MSI
+  by using the tools interface. Click on the tool button in the GUI
+  and upload a repacked MSI.
 
-  While typically the MSI will contain the Velociraptor windows
-  client, you can install any other MSI as well by customizing this
+  While typically the MSI will contain the Velociraptor Windows
+  client, you can actually install any other MSI by customizing this
   artifact or uploading a different MSI file.
 
 tools:

content/artifact_references/pages/adx.flows.upload.md

@@ -5,19 +5,20 @@ sitemap:
   disable: true
 tags: [Server Event Artifact]
 description: |
-  This server side event monitoring artifact waits for new artifacts
+  This server-side event monitoring artifact waits for new artifacts
   to be collected from endpoints and automatically uploads those to an
   Azure Data Explorer (ADX) cluster.
 ---
 
-This server side event monitoring artifact waits for new artifacts
+This server-side event monitoring artifact waits for new artifacts
 to be collected from endpoints and automatically uploads those to an
 Azure Data Explorer (ADX) cluster.
 
-The artifact uploads data to a raw ingestion table with both structured
-metadata columns and a RawData column containing the full event data.
-This allows for efficient querying on structured columns while maintaining
-full flexibility for complex queries using RawData.
+The artifact uploads data to a raw ingestion table with both
+structured metadata columns and a RawData column containing the full
+event data. This allows for efficient querying on structured columns
+while maintaining full flexibility for complex queries using
+RawData.
 
 ## ADX Table Schema
 
@@ -42,33 +43,37 @@ see: https://github.com/baseVISION/IR-Velociraptor-Artefact-KQL-Mappings
 
 ## Setup Instructions
 
-1. Create an Azure Service Principal with permissions to ingest data into your ADX cluster
+1. Create an Azure Service Principal with permissions to ingest data
+   into your ADX cluster
 2. Grant the service principal appropriate permissions:
    - Database User or Database Admin role on the target database
    - Table Ingestion permissions
-3. Configure the artifact parameters or use the secrets service to store credentials
-4. Users can create KQL update policies to route/transform data into specific tables
-   based on the Artifact column or other metadata
+3. Configure the artifact parameters or use the secrets service to
+   store credentials
+4. Users can create KQL update policies to route/transform data into
+   specific tables based on the Artifact column or other metadata
 
 ## Performance Considerations
 
-- The managed ingestion client automatically switches between streaming and queued
-  ingestion based on data volume
+- The managed ingestion client automatically switches between
+  streaming and queued ingestion based on data volume
 - Use multiple threads for higher throughput
-- Adjust chunk_size and wait_time based on your data volume and latency requirements
+- Adjust chunk_size and wait_time based on your data volume and
+  latency requirements
 
 
 <pre><code class="language-yaml">
 name: ADX.Flows.Upload
 description: |
-  This server side event monitoring artifact waits for new artifacts
+  This server-side event monitoring artifact waits for new artifacts
   to be collected from endpoints and automatically uploads those to an
   Azure Data Explorer (ADX) cluster.
 
-  The artifact uploads data to a raw ingestion table with both structured
-  metadata columns and a RawData column containing the full event data.
-  This allows for efficient querying on structured columns while maintaining
-  full flexibility for complex queries using RawData.
+  The artifact uploads data to a raw ingestion table with both
+  structured metadata columns and a RawData column containing the full
+  event data. This allows for efficient querying on structured columns
+  while maintaining full flexibility for complex queries using
+  RawData.
 
   ## ADX Table Schema
 
@@ -93,20 +98,23 @@ description: |
 
   ## Setup Instructions
 
-  1. Create an Azure Service Principal with permissions to ingest data into your ADX cluster
+  1. Create an Azure Service Principal with permissions to ingest data
+     into your ADX cluster
   2. Grant the service principal appropriate permissions:
      - Database User or Database Admin role on the target database
      - Table Ingestion permissions
-  3. Configure the artifact parameters or use the secrets service to store credentials
-  4. Users can create KQL update policies to route/transform data into specific tables
-     based on the Artifact column or other metadata
+  3. Configure the artifact parameters or use the secrets service to
+     store credentials
+  4. Users can create KQL update policies to route/transform data into
+     specific tables based on the Artifact column or other metadata
 
   ## Performance Considerations
 
-  - The managed ingestion client automatically switches between streaming and queued
-    ingestion based on data volume
+  - The managed ingestion client automatically switches between
+    streaming and queued ingestion based on data volume
   - Use multiple threads for higher throughput
-  - Adjust chunk_size and wait_time based on your data volume and latency requirements
+  - Adjust chunk_size and wait_time based on your data volume and
+    latency requirements
 
 type: SERVER_EVENT
 

content/artifact_references/pages/demo.plugins.fifo.md

@@ -5,16 +5,19 @@ sitemap:
   disable: true
 tags: [Client Event Artifact]
 description: |
-  This is a demo of the fifo() plugin. The Fifo plugin collects and
-  caches rows from its inner query. Every subsequent execution of the
-  query then reads from the cache. The plugin will expire old rows
-  depending on its expiration policy - so we always see recent rows.
+  Demonstrates using the fifo() plugin to detect event sequences,
+  using failed logon attempts preceding a successful logon as a
+  concrete example.
 ---
 
-This is a demo of the fifo() plugin. The Fifo plugin collects and
-caches rows from its inner query. Every subsequent execution of the
-query then reads from the cache. The plugin will expire old rows
-depending on its expiration policy - so we always see recent rows.
+Demonstrates using the fifo() plugin to detect event sequences,
+using failed logon attempts preceding a successful logon as a
+concrete example.
+
+The Fifo plugin collects and caches rows from its inner query. Every
+subsequent execution of the query then reads from the cache. The
+plugin will expire old rows depending on its expiration policy - so
+we always see recent rows.
 
 You can use this to build queries which consider historical events
 together with current events at the same time. In this example, we
@@ -63,10 +66,14 @@ information than just times (i.e. who logged on to where etc).
 <pre><code class="language-yaml">
 name: Demo.Plugins.Fifo
 description: |
-  This is a demo of the fifo() plugin. The Fifo plugin collects and
-  caches rows from its inner query. Every subsequent execution of the
-  query then reads from the cache. The plugin will expire old rows
-  depending on its expiration policy - so we always see recent rows.
+  Demonstrates using the fifo() plugin to detect event sequences,
+  using failed logon attempts preceding a successful logon as a
+  concrete example.
+
+  The Fifo plugin collects and caches rows from its inner query. Every
+  subsequent execution of the query then reads from the cache. The
+  plugin will expire old rows depending on its expiration policy - so
+  we always see recent rows.
 
   You can use this to build queries which consider historical events
   together with current events at the same time. In this example, we