Commit Graph

936 Commits

Author SHA1 Message Date
Florian Roth 6e31bc3037 Merge pull request #1485 from V1D1AN/master
Update ecs-zeek-elastic-beats-implementation.yml
2021-05-27 14:59:14 +02:00
Florian Roth ffeda2a2a2 Merge pull request #1492 from frack113/es_rule_uuid
Fix errors when import es-rule ndjson to KIBANA
2021-05-27 10:24:39 +02:00
Florian Roth f98716c672 Merge pull request #1500 from frack113/sigmac_add_time_filter
Sigmac add new filter
2021-05-27 10:16:19 +02:00
Florian Roth d06f2bcf14 fix: sysmon backend "startswith" 2021-05-26 15:42:16 +02:00
Florian Roth bb71860fb2 Merge pull request #1509 from vastlimits/feature/update-6.1
Updated uberAgent backend to support version 6.1.
2021-05-26 13:08:08 +02:00
frack113 0e688d8dd0 Add the 'logsource!=' filter 2021-05-22 09:04:30 +02:00
frack113 f213226eb4 Add the 'tag!=' filter 2021-05-22 08:57:42 +02:00
frack113 8aa3ea15d7 change to the more revealing name "inlastday" 2021-05-22 08:44:30 +02:00
frack113 8a8f003d15 add lastday filter to get only the rules updated or created in the last N days
lastday=0 is all :)
2021-05-21 19:31:06 +02:00
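The three filters added in the commits above (inlastday=N with 0 meaning all, tag!=X, logsource!=X), re-implemented as an added example over a few constructed Sigma rules. This is not sigmac's own code: the filter-string parser and the exact matching semantics (logsource!= compared against any logsource value, inlastday using `modified` and falling back to `date`) are assumptions for illustration; only the filter names and the "0 is all" rule come from the page.

```python
"""Added example (not sigmac's own code): the inlastday / tag!= / logsource!=
rule filters described in the commit messages, applied to constructed rules.
Filter syntax beyond the three names shown on the page is an assumption."""
from datetime import date, datetime, timedelta

# Constructed sample rules carrying the Sigma fields the filters look at.
# Sigma writes 'date' and 'modified' as YYYY/MM/DD.
SAMPLE_RULES = [
    {"title": "A", "date": "2021/05/01", "modified": "2021/05/20",
     "tags": ["attack.execution"],
     "logsource": {"product": "windows", "category": "process_creation"}},
    {"title": "B", "date": "2021/01/10",
     "tags": ["attack.persistence"],
     "logsource": {"product": "linux", "service": "auditd"}},
    {"title": "C", "date": "2021/05/21",
     "tags": [],
     "logsource": {"product": "windows", "service": "security"}},
]

# Fixed "today" so the example is reproducible (constructed, not a real run date).
SAMPLE_TODAY = date(2021, 5, 22)


def _rule_date(rule):
    """Most recent change: 'modified' if present, else 'date'."""
    raw = rule.get("modified") or rule.get("date")
    return datetime.strptime(raw, "%Y/%m/%d").date() if raw else None


def in_last_days(rule, n, today):
    """inlastday=N keeps rules changed within the last N days; N=0 keeps all."""
    if n == 0:
        return True
    d = _rule_date(rule)
    return d is not None and today - d <= timedelta(days=n)


def tag_not(rule, tag):
    """tag!=X drops rules carrying tag X."""
    return tag not in rule.get("tags", [])


def logsource_not(rule, value):
    """logsource!=X drops rules whose logsource has X as any value (assumption)."""
    return value not in rule.get("logsource", {}).values()


def parse_filter(spec):
    """'inlastday=7,tag!=attack.execution' -> [(op, key, value), ...]."""
    conds = []
    for part in (p.strip() for p in spec.split(",")):
        if not part:
            continue
        if "!=" in part:
            key, val = part.split("!=", 1)
            conds.append(("!=", key.strip(), val.strip()))
        elif "=" in part:
            key, val = part.split("=", 1)
            conds.append(("=", key.strip(), val.strip()))
        else:
            raise ValueError(f"bad filter condition: {part!r}")
    return conds


def apply_filter(rules, spec, today=None):
    """Return the titles of the rules that pass every condition in spec."""
    today = today or date.today()
    conds = parse_filter(spec)
    kept = []
    for rule in rules:
        ok = True
        for op, key, val in conds:
            if key == "inlastday" and op == "=":
                ok = ok and in_last_days(rule, int(val), today)
            elif key == "tag" and op == "!=":
                ok = ok and tag_not(rule, val)
            elif key == "logsource" and op == "!=":
                ok = ok and logsource_not(rule, val)
            else:
                raise ValueError(f"unsupported filter: {key}{op}{val}")
        if ok:
            kept.append(rule["title"])
    return kept


if __name__ == "__main__":
    for spec in ("inlastday=0", "inlastday=7", "tag!=attack.execution",
                 "logsource!=windows", "inlastday=7,logsource!=process_creation"):
        print(f"{spec:45} -> {apply_filter(SAMPLE_RULES, spec, SAMPLE_TODAY)}")
```

With today fixed at 2021-05-22, `inlastday=7` keeps A (modified two days earlier) and C but drops B, whose only date is from January; `inlastday=0` keeps all three, matching the "lastday=0 is all" note in the commit.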
frack113 b92b765f9a Fix import to Kibana error 400: severity is invalid. 2021-05-20 13:14:43 +02:00
frack113 cbb81cdf86 Fix import to Kibana error 400: risk_score is null.
risk_score is an integer.
If level is invalid, set it to medium
2021-05-20 12:32:19 +02:00
frack113 f0974e9cf3 Fix: **false_positives** must be an array.
If null, add "Unknown".
If it is a string, convert it to a simple array row
2021-05-20 11:20:38 +02:00
frack113 76523c5dbf fix [#1486](https://github.com/SigmaHQ/sigma/issues/1486).
rule_id is always a uuid now.
For a rule collection with only one uuid:
- the first detection gets the uuid
- the other detections get a new uuid

It is a palliative, because the secondary uuids are not kept between two launches.
Best practice is to use one uuid per detection and not per file.
2021-05-20 08:42:58 +02:00
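The es-rule export fixes described in the four frack113 commits above (rule_id always a uuid, with the collection's uuid going to the first detection and fresh ones to the rest; risk_score an integer; invalid level mapped to medium; false_positives always an array), re-implemented as an added example so the behaviour and its caveat can be checked. This is not the Sigma project's code. Field names follow the Elastic Security detection-rule schema (rule_id, severity, risk_score, false_positives); the level-to-risk_score numbers, the `language` value and the sample rule are assumptions.

```python
"""Added example (not code from the Sigma project): normalising a Sigma rule
collection into Kibana-importable detection rules, following the fixes in the
commit messages. The LEVEL_TO_RISK numbers are an assumption, not the
backend's real mapping."""
import uuid

# Assumed Sigma level -> Elastic risk_score (0-100) mapping.
LEVEL_TO_RISK = {"low": 21, "medium": 47, "high": 73, "critical": 99}


def normalize_level(level):
    """Unknown or missing level -> medium, so severity is always valid."""
    lvl = str(level).strip().lower() if level is not None else ""
    return lvl if lvl in LEVEL_TO_RISK else "medium"


def normalize_false_positives(fp):
    """Kibana rejects a null or scalar false_positives; it must be an array."""
    if fp is None:
        return ["Unknown"]
    if isinstance(fp, str):
        return [fp]
    return [str(x) for x in fp]


def rule_ids(collection_id, n_detections):
    """First detection keeps the collection's uuid; the others get a fresh uuid4.

    A missing or non-uuid id yields fresh ids throughout. The fresh ids change
    on every run, which is exactly the caveat the commit message warns about:
    re-importing will create new rules instead of updating the old ones."""
    try:
        first = str(uuid.UUID(str(collection_id))) if collection_id else None
    except ValueError:
        first = None
    ids = []
    for i in range(n_detections):
        ids.append(first if (i == 0 and first) else str(uuid.uuid4()))
    return ids


def to_kibana_rules(sigma_rule, queries):
    """sigma_rule: parsed Sigma YAML (dict). queries: one query per detection."""
    severity = normalize_level(sigma_rule.get("level"))
    ids = rule_ids(sigma_rule.get("id"), len(queries))
    rules = []
    for rid, query in zip(ids, queries):
        rules.append({
            "rule_id": rid,
            "name": sigma_rule.get("title", "Untitled"),
            "severity": severity,
            "risk_score": LEVEL_TO_RISK[severity],       # int, never null
            "false_positives": normalize_false_positives(sigma_rule.get("falsepositives")),
            "type": "query",
            "language": "lucene",                       # assumed value
            "query": query,
        })
    return rules


# Constructed sample: a collection with one uuid, an invalid level, and a
# scalar falsepositives, translated into two detections.
SAMPLE_RULE = {
    "title": "Suspicious Thing",
    "id": "5e9a8d64-7b51-4a8f-9b2b-d0c6b2b2f0a1",
    "level": "urgent",                       # not a Sigma level -> medium
    "falsepositives": "Legitimate admin activity",
}
SAMPLE_QUERIES = ["EventID:1 AND Image:*\\\\foo.exe", "EventID:1 AND Image:*\\\\bar.exe"]


if __name__ == "__main__":
    import json
    for run in (1, 2):
        for rule in to_kibana_rules(SAMPLE_RULE, SAMPLE_QUERIES):
            print(f"run {run}:", json.dumps(rule))
```

Running it twice shows the caveat directly: the first rule_id is the collection's uuid on both runs, while the second detection's rule_id differs between runs, so only rules with one uuid per detection survive a re-import as updates.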
Sven Scharmentke a36bc55b06 Updated uberAgent backend to support version 6.1. 2021-05-18 12:07:09 +02:00
frack113 3b23c18f70 If not null use uuid instead of title for the rule id 2021-05-17 22:12:17 +02:00
V1D1AN 56e3a6aaf3 Update ecs-zeek-elastic-beats-implementation.yml 2021-05-16 22:53:25 +02:00
Florian Roth 691283616f Merge pull request #1477 from wagga40/master
Resolves #1450 - Bug in es-rule backend when using "-r" argument
2021-05-14 09:00:30 +02:00
wagga40 534898a3ce Resolves #1450 - Bug in es-rule backend when using "-r" argument 2021-05-13 21:47:22 +02:00
wagga40 972f7a562b Updated SQL/SQLite backend tests 2021-05-13 17:51:54 +02:00
wagga40 5e99379803 Change to have raw log in rule results with SQL/SQLite Backends 2021-05-13 15:01:52 +02:00
Florian Roth 33d9d6876e Merge pull request #1456 from wagga40/update-sql-backend
Add a backend option to specify table name for SQL Backend
2021-05-11 15:00:39 +02:00
Florian Roth b655c25f7a Merge pull request #1459 from JohnConnorRF/winlogbeat_scriptblock_logging
Add ScriptBlockText to Winlogbeat Configs
2021-05-11 14:59:08 +02:00
JohnConnorRF 1574d263cc Updated Winlogbeat Modules config based on: https://github.com/elastic/beats/blob/048c3cc19bf43c8a6b332afaafdd0a2eb8e5bd49/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js#L171-L178 2021-05-05 10:25:36 -04:00
Florian Roth a9417b3f7b docs: better error highlighting 2021-05-05 12:59:13 +02:00
Florian Roth 0ca2d05247 revert changes to powershell backend 2021-05-05 12:26:59 +02:00
Florian Roth 55c39122e3 Merge branch 'master' into rule-devel 2021-05-05 11:56:20 +02:00
John Connor McLaughlin 3926e2388f Added ScriptBlockText as a field for winlogbeat configs as per https://www.elastic.co/guide/en/beats/winlogbeat/master/exported-fields-winlog.html 2021-05-04 15:23:47 -04:00
Florian Roth 2f12c5c540 fix: too broad definition of *.log on linux 2021-05-03 17:04:55 +02:00
Florian Roth a9c837659b backend: powershell: escape $ symbols in strings 2021-05-03 15:30:33 +02:00
wagga40 cc13a5e3de Add a backend option to specify table name for SQL Backend 2021-05-02 14:39:41 +02:00
Maxime Lamothe-Brassard 11982abec0 Add support for macOS rules and fix case sensitivity. 2021-04-28 16:49:59 -07:00
Max Altgelt 7c8cca744f chore: Revert log file changes for THOR sigma configuration
Revert recent changes for Windows / Linux .log files for THOR
because of massive performance impacts.
2021-04-28 17:48:17 +02:00
Max Altgelt de2cedf213 fix: Distinguish Windows and Linux logfiles by path separator
A previous commit added a log source detailing *.log files with
product: linux. This caused linux specific Sigma rules to apply to
all *.log files, including those on Windows. To distinguish these
cases, expand the file path pattern to include the typical start
for unix / windows paths ( / vs [A-Z]:\ )
2021-04-28 11:45:19 +02:00
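The path distinction described in the commit message above, as an added example that is neither THOR's nor Sigma's configuration: the over-broad `*.log` pattern beside the narrowed patterns that anchor on the typical start of a unix path (`/`) or a Windows drive path (`[A-Z]:\`), run over a few constructed paths. The regex details beyond those two prefixes, and the sample paths, are assumptions.

```python
"""Added example (not THOR or Sigma configuration): classifying *.log paths by
their leading separator, as described in the commit message. The broad pattern
is the 'before' behaviour; LINUX_LOG / WINDOWS_LOG are the narrowed ones."""
import re

# Before: any *.log, so linux-only rules also fire on Windows log files.
ANY_LOG = re.compile(r"\.log$", re.IGNORECASE)

# After: anchor on how an absolute path starts on each platform.
# IGNORECASE also accepts lower-case drive letters like c:\ (assumption).
LINUX_LOG = re.compile(r"^/.*\.log$", re.IGNORECASE)
WINDOWS_LOG = re.compile(r"^[A-Z]:\\.*\.log$", re.IGNORECASE)


def classify_logfile(path):
    """'linux', 'windows', or None for anything that is not a recognised *.log."""
    if LINUX_LOG.match(path):
        return "linux"
    if WINDOWS_LOG.match(path):
        return "windows"
    return None


# Constructed sample paths, not taken from any real system.
SAMPLE_PATHS = [
    "/var/log/auth.log",
    r"C:\Windows\Logs\CBS\CBS.log",
    "/home/user/app.LOG",
    r"D:\inetpub\logs\u_ex210428.log",
    "notes.txt",
]


def linux_rule_targets(paths):
    """Files a product: linux rule would be applied to, broad vs narrowed pattern."""
    broad = [p for p in paths if ANY_LOG.search(p)]
    narrowed = [p for p in paths if classify_logfile(p) == "linux"]
    return broad, narrowed


if __name__ == "__main__":
    broad, narrowed = linux_rule_targets(SAMPLE_PATHS)
    print("broad   :", broad)
    print("narrowed:", narrowed)
```

With the sample paths, the broad pattern hands all four log files to the linux rules, while the narrowed pattern keeps only the two paths starting with `/`, which is the over-matching the commit fixes.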
Florian Roth d24f0b8988 feat: generic registry events compatible with native audit logging 2021-04-26 09:31:36 +02:00
Florian Roth 66d0f910dd feat: windows native events - registry_event 2021-04-25 22:35:23 +02:00
Florian Roth 08234c4620 Revert "fix: splunk for windows config errors"
This reverts commit 13347df263.
2021-04-25 21:52:29 +02:00
Florian Roth d766c12888 feat: generic categories - thor config 2021-04-23 17:47:09 +02:00
Florian Roth c7ce9154d1 Merge pull request #1030 from stevengoossensB/master
Updated sysmon config and rewrite rules to use categories
2021-04-23 16:52:25 +02:00
phantinuss 95fa99b4a3 search generic log files for product: linux 2021-04-23 12:00:48 +02:00
Florian Roth 64f5af4c45 Merge pull request #1432 from SigmaHQ/rule-devel
fix: splunk windows config, additional rule
2021-04-23 10:30:44 +02:00
Florian Roth 13347df263 fix: splunk for windows config errors 2021-04-23 09:50:13 +02:00
Thomas Patzke 35e6e515ba Merge pull request #1414 from herrBez/fix-542-dsl-aggregation-without-aggfield
Fix es-dsl aggregation generation when aggfield is not given
2021-04-20 10:35:16 +02:00
Cedric Hien 2ff27aa980 Fix SyntaxWarning for 'is' on fireeye-helix backend 2021-04-17 12:55:13 +02:00
Steven 7b679cc1f7 - Modified rules to use categories instead of hardcoded event IDs
- Added file_delete category (Sysmon Event ID 23) to the generic translation file
2021-04-15 01:40:31 +02:00
Steven 850a002840 Merge branch 'master' of https://github.com/SigmaHQ/sigma 2021-04-15 01:25:48 +02:00
herrBez 3b30a91185 Fix es-dsl aggregation generation when aggfield is not given
Related to #542 and #543
2021-04-06 16:41:46 +02:00
Thomas Patzke 5118be6bf6 Merge pull request #1407 from JohnConnorRF/winlogbeat_config_update
Update winlogbeat configuration file to support File Product details
2021-04-06 00:51:27 +02:00
Thomas Patzke 82fd5ca233 Merge pull request #1408 from roysjosh/es-rule-threshold
Implement Elastic threshold detection rules
2021-04-06 00:50:50 +02:00
Thomas Patzke d789eb9c6f Merge pull request #1409 from roysjosh/es-barf-on-multiple-conditions
Elastic: raise an error from the base backend if a rule has multiple conditions
2021-04-06 00:50:05 +02:00
Thomas Patzke 9606fc9c38 Merge pull request #1411 from wietze/mdatp_improvements
Various Defender for Endpoint (mdatp) bug fixes
2021-04-06 00:37:40 +02:00