security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
8,994 Commits 1 Branch 57 Tags
01dc930c173e329c191245b76f05de5fa4b5da21
Commit Graph

24 Commits

Author SHA1 Message Date
Thomas Patzke ad647a6ecb Merge pull request #2240 from Entropy0/bugfix/condition-type-inheritance 
fix condition token inheritance
 2021-11-15 23:43:53 +01:00
Thomas Patzke cdaefbff69 Merge pull request #2265 from SigmaHQ/fix-ids 
Additional characters in identifier token
 2021-11-15 23:26:28 +01:00
Thomas Patzke aa47b88326 Merge pull request #2264 from roysjosh/fix-agg-ge-le 
Fix aggregation GE/LE
 2021-11-15 22:51:14 +01:00
Thomas Patzke 068255fc82 Additional characters in identifier token 2021-11-15 22:46:22 +01:00
Joshua Roys 87f919d0bc Fix aggregation GE/LE 
List longest matches first otherwise they will never match.
 2021-11-15 15:57:46 -05:00
Entropy0 c7259b6196 fix condition token inheritance 
Without this fix, isinstance(ConditionOR(), ConditionAND) yields True
 2021-11-09 13:19:53 +01:00
Markku Parviainen 900263315a Added support for free-text search in logsources configuration, enabling usage of splunk macros and ability to optimize the resulting searches. 2021-06-16 14:52:45 +03:00
vh 7eeed68fb4 Chronicle Security Backend contributed by SOC Prime. 2021-03-12 12:21:44 +02:00
alan tseng e9af2fb119 support nested conditions for Sigma 
The parser finds the close token in pairs with left token.
So the parser will support nested parentheses in the conditions.
 2020-08-07 14:58:32 +08:00
Anastasios Zouzias 324005a126 [feature] extend es-dsl to support nested aggregations 2019-11-12 11:46:43 +01:00
Thomas Patzke c9eb921f68 ConditionAND/OR constructor now allows arbeitrary number of operands 2019-11-02 22:54:35 +01:00
Thomas Patzke 849a5a520d Conditional field mapping resolve_fieldname now functional 
Before this method just had some placeholder function that wasn't really
implementing the intended functionality of the conditional field
mapping. Now aggregations get also conditional field mapping
functionality.
 2019-10-09 23:57:41 +02:00
Thomas Patzke 134bfebe57 Ignore "timeframe" detection keyword in "all/any of" conditions 
Fixes #395
 2019-07-13 00:35:35 +02:00
Thomas Patzke a9cf14438c Merge branch 'master' into project-1 2019-01-14 22:36:15 +01:00
Thomas Patzke aa1a953a65 Moved node dumping code to generic location 2018-11-21 23:22:38 +01:00
Thomas Patzke 5053cc4e95 Fixed optimizing of not conditions with subexpressions 
Optimization pass traversal is cut at ConditionNOT nodes.
 2018-11-07 13:54:45 +01:00
Thomas Patzke a88b1e81ec Optimizer debugging code cleanup 
* Removed commented debugging code
* Output to stdin
* Coverage exception for _dumpNode
 2018-11-07 13:49:08 +01:00
Thomas Patzke 42ed8acec9 Improved test coverage 
* Adding tests
* Removal of coverage measurement for debugging code
 2018-11-04 23:28:40 +01:00
Daniel Roethlisberger fc45df144c Improve the comments on the optimizer 2018-10-03 13:44:03 +02:00
Daniel Roethlisberger 87aa1b5521 Move optimizer to sigma.parser.condition to enable it for all backends 2018-10-03 00:24:31 +02:00
Thomas Patzke d81946df39 Stacked configurations 
- Added log source rewriting
- Removed log source merging condition type setting
- Simplified SigmaLogsourceConfiguration constructor
- Condition is generated in SigmaParser instead of SigmaLogsourceConfiguration

Missing:
- Merging of raw config dict for backends that rely on this (es-dsl)
 2018-09-12 23:40:22 +02:00
Thomas Patzke 1c4c67053c Fixes for parser split 
* Fixed imports
* Rename
 2018-07-27 00:02:07 +02:00
Thomas Patzke 595327ace4 Split parser - code removal from condition 2018-07-26 23:40:22 +02:00
Thomas Patzke 1abb13c5d9 Split parser - Copy condition 2018-07-24 00:13:37 +02:00