fff12a3461
adding antivirus filter for vendor_type.. was matching against our fim data
2021-11-23 18:14:51 +00:00
ad75a9a5bf
updating hawk backend to provide additional tag enrichment. helps manage the state of each sigma rule, if experimental or not
2021-11-23 16:57:43 +00:00
4425f9cbcd
Update sigma2attack.py
2021-11-20 19:59:57 +01:00
17296b4f5c
Fix score error
2021-11-20 11:13:18 +01:00
1186982172
Add missing info
2021-11-20 10:10:17 +01:00
64d7386b9d
Update and fix sigma2attack
2021-11-20 09:55:51 +01:00
bc334ab456
Hawk backend support for wildcard in middle of string ( #2273 )
...
* updating yaml cfg for ms eventlog support
* update config and sigma backend, so that comments are not replaced, but rather the details of the record
* updating scriptblocktext to value
* adding a few missing ip address translations
* Fixing error when handling comparisons of null values, and additional fix of lack of support for not
* adding additional translations for missing category entries
* fixing error when handling list of ors with a not indicator
* finishes support for windows translations, pending qa
* adding dedupe feature and additional translation fix for dns-server
* adding image_loaded translation
* forced to pull back on the aggressive deduping, caused some inaccuracies
* adding more ux friendly formatting for regex
* adds support for wildcards in middle of strings
* adding a missing null check for supporting null matching
* adding cisco, av, and django cfg in yaml. updated apache in yaml and added another translation for ip_dport
2021-11-18 06:29:41 +01:00
c09b1861ec
Merge branch 'SigmaHQ:master' into feature/uberagent-compat-6.2
2021-11-17 16:30:05 +01:00
ad647a6ecb
Merge pull request #2240 from Entropy0/bugfix/condition-type-inheritance
...
fix condition token inheritance
2021-11-15 23:43:53 +01:00
cdaefbff69
Merge pull request #2265 from SigmaHQ/fix-ids
...
Additional characters in identifier token
2021-11-15 23:26:28 +01:00
aa47b88326
Merge pull request #2264 from roysjosh/fix-agg-ge-le
...
Fix aggregation GE/LE
2021-11-15 22:51:14 +01:00
068255fc82
Additional characters in identifier token
2021-11-15 22:46:22 +01:00
87f919d0bc
Fix aggregation GE/LE
...
List longest matches first otherwise they will never match.
2021-11-15 15:57:46 -05:00
a8d00385c3
Fix double quotes escaping and values with commas in SQLite/SQL backends
2021-11-11 20:55:01 +01:00
8b419b8f07
Merge pull request #2247 from frack113/fix_field
...
Fix rule field name
2021-11-11 08:51:52 +01:00
a9b49679d3
Updates to hawk sigmac backend ( #2244 )
...
Updated HAWK sigma backend
2021-11-11 08:01:53 +01:00
510da0085e
Update sysmon.py ( #2234 )
...
Update sysmon.py and merge from master
2021-11-10 20:43:13 +01:00
b7b1ebf772
Fix LogonId - SubjectLogonId
2021-11-10 19:12:51 +01:00
ee4082b50d
Merge pull request #2242 from frack113/fix_ProcessCommandLine
...
Fix process command line
2021-11-10 08:09:06 +01:00
a089a83794
Merge pull request #2238 from frack113/fix_logsource
...
Fix logsource
2021-11-10 08:08:40 +01:00
ca17949d85
Merge pull request #2237 from frack113/m365
...
standardization m365
2021-11-10 08:08:10 +01:00
c5fa73c328
fix ProcessCommandLine to ParentCommandLine
2021-11-09 16:13:29 +01:00
c7259b6196
fix condition token inheritance
...
Without this fix, isinstance(ConditionOR(), ConditionAND) yields True
2021-11-09 13:19:53 +01:00
e1ecd379fa
Update elk-winlogbeat.yml
...
Adding "RelativeTargetName" since it's used by `win_lm_namedpipe.yml`
2021-11-09 13:38:31 +02:00
6c19303aa4
normalize logsource
2021-11-09 10:48:13 +01:00
3430943746
standardization
2021-11-09 07:27:25 +01:00
075419da38
Initial commit of pending changes providing uberAgent 6.2 compatibilitz.
2021-11-09 03:38:12 +01:00
7f087797d6
Merge pull request #2175 from frack113/elastic_is_bad_in_regex
...
manage start end regex for Elastic
2021-11-05 12:27:18 +01:00
23ed626287
Change location value=str(value)
2021-11-01 16:05:34 +01:00
9d0123e782
Fix errors introduced at commit 58d9e41
2021-11-01 12:40:41 +01:00
fb750721b2
Merge pull request #2212 from frack113/new_status
...
New status from discussions
2021-10-31 20:38:28 +01:00
f4b1dcfc72
cleanup code
2021-10-28 20:56:19 +02:00
c49b0d49fa
Add deprecated status
2021-10-28 20:08:27 +02:00
e9d163cdd1
add filter not status
2021-10-28 19:46:36 +02:00
1015d3fe68
Update winlogbeat-modules-enabled.yml
...
- Fixed typos in FileVersion, Description, Product, and Company fields for image_load category.
- Added separate OriginalFileName fields for process_creation, image_load categories.
2021-10-28 16:05:40 +01:00
781598351d
Add SourceUser and TargetUser
2021-10-27 17:13:34 +02:00
ce5e4c45f1
Add sysmon 13.30 ParentUser
2021-10-27 12:58:10 +02:00
9b6be31c8d
commenting out exceptions output from handling
2021-10-26 18:25:23 +00:00
8f22d418f3
fixing lingering item
2021-10-26 16:28:04 +00:00
893874d3a5
removing item with space, and removing duplicate item and fixing target field, thx to frack113
2021-10-26 16:25:50 +00:00
7fc2a6f00d
missed one
2021-10-26 15:25:11 +00:00
0d65dcdc28
fixx err
2021-10-26 15:12:03 +00:00
22b64644ef
updating hawk backend to fix open ended backslash for regex
2021-10-26 15:09:47 +00:00
bacdf53236
updating hawk backend to fix or list map missing an outer and operator
2021-10-26 15:05:27 +00:00
6b5c63e485
Merge branch 'master' of https://github.com/redsand/sigma into HAWK_Backend
2021-10-25 18:39:48 +00:00
e772dbf0a9
Import Iterable from collections.abc
2021-10-22 13:56:47 -05:00
963f32063f
Merge pull request #2148 from SigmaHQ/rule-devel
...
First Linux Process Creation and Network Connection rules (Sysmon for Linux)
2021-10-21 19:10:08 +02:00
a47645a084
Modify event.provider to event.module
2021-10-21 08:34:41 +02:00
bb758bdb0f
manage start end regex
2021-10-20 21:20:04 +02:00
7500346ce7
Update winlogbeat-modules-enabled.yml
...
updating field mapping
2021-10-20 17:06:55 +03:00
Tim Shelton