From 2bde3b281b7d6c158b2f7b7e078f3878ceee390f Mon Sep 17 00:00:00 2001
From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com>
Date: Sun, 23 Jun 2024 12:25:34 +0900
Subject: [PATCH] update readme

---
 README.md | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index a577430..58e52e8 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,10 @@
-# hayabusa-encrypted-rules
+# Hayabusa Encrypted Rules
+
+This repository hosts an encrypted [rules.zip](https://github.com/Yamato-Security/hayabusa-encrypted-rules/raw/main/rules.zip) zip file that contains the `config`, `hayabusa` and `sigma` directories of config files and detection rules hosted at the [hayabusa-rules](https://github.com/Yamato-Security/hayabusa-rules) repository.
+
+* Password: `yamato-security-hayabusa`
+
+Windows Defender and probably other anti-virus software will sometimes give false positives on sigma rules because they contain keywords such as `mimikatz` inside the `.yml` files.
+In order to run Hayabusa on endpoints and avoid false positives we host the encrypted `rules.zip` file so that Hayabusa will download and use encrypted rules.
+This is mainly to be used for with the [Velociraptor artifact](https://docs.velociraptor.app/exchange/artifacts/pages/windows.eventlogs.hayabusa/) but can and should be used anytime you run Hayabusa for live response and cannot or do not want to disable the anti-virus, etc...
+By gathering the 4000+ rules together in one file, this also minimizes impact on forensics artifacts such as the USN journal.