Nasreddine Bencherchali
3bd12552bb
feat: add bitlocker channel
2023-01-02 22:19:32 +01:00
frack113
c261c1773d
Update mapping
2023-01-02 19:33:24 +01:00
frack113
3527436897
Update mapping
2023-01-02 19:31:00 +01:00
frack113
a1a94a0b66
Update W3C field name
2023-01-02 16:39:55 +01:00
frack113
aee5ca7afc
Fix invalid field cast or name ( #3841 )
2022-12-30 11:46:21 +01:00
frack113
1d2269922f
Merge pull request #3697 from redsand/hawk_backend_update
Hawk backend update
2022-12-23 21:07:03 +01:00
frack113
316aa03efd
Update hawk.yml
2022-12-23 20:59:40 +01:00
frack113
2f945478dc
Fix duplicate
2022-12-15 17:54:34 +01:00
frack113
544081f3c7
Space remove
2022-12-15 12:55:18 +01:00
redsand (Tim Shelton)
b53f534d2f
Merge branch 'SigmaHQ:master' into hawk_backend_update
2022-11-15 11:39:46 -06:00
Tim Shelton
9e26ad75da
HAWK backend configuration update and bug fix.
2022-11-15 17:38:29 +00:00
Nasreddine Bencherchali
a67ab607a1
feat: add Microsoft-Windows-LDAP-Client/Debug provider
2022-11-15 11:39:42 +01:00
Nasreddine Bencherchali
a605380279
fix: fix broken mapping
2022-11-15 11:39:28 +01:00
Nasreddine Bencherchali
2f5fe64099
Update service to openssh
2022-10-25 20:01:02 +02:00
Nasreddine Bencherchali
9b7af82e23
Add OpenSSH/Operational
2022-10-25 19:07:53 +02:00
Nasreddine Bencherchali
14c08635ef
Add PowerShellCore Channel
2022-10-19 00:07:09 +02:00
phantinuss
40f64a6b69
fix: unneeded fieldmapping for THOR/Aurora
2022-10-12 16:17:18 +02:00
frack113
85d33e4af9
Merge pull request #3525 from vastlimits/feature/ame-7.0
Updated uberAgent backend to support version 7.0.
2022-10-06 06:42:57 +02:00
Tim Shelton
febeadfb4c
BACKEND: updating production config
2022-10-05 19:43:39 +00:00
mpgn
652447696b
Update datadog sigmac
2022-09-28 08:30:03 -04:00
Yamato Security
979502921f
define security-mitigations service
2022-09-28 06:23:50 +09:00
Sven Scharmentke
5d9edbbb28
Merge remote-tracking branch 'origin/master' into feature/ame-6.3
2022-09-27 09:48:24 +02:00
frack113
dd1fed29a0
Add shell-core service
2022-09-27 06:36:01 +02:00
Yamato Security
048de3fc81
add diagnosis-scripted to windows services file
2022-09-27 10:43:38 +09:00
phantinuss
119cfe9558
fix: missing WinEventLog prefix for splunk/thor logsources
2022-08-23 11:50:15 +02:00
Florian Roth
fbc7519b94
Merge pull request #3385 from nasbench/nasbench-rule-devel
Update Sysmon Config
2022-08-17 09:29:54 +02:00
frack113
4abd506a4c
Merge pull request #3387 from redsand/backend_hawk_config_update_before_pysigma_migration
Backend: hawk. last update to config until pySigma migration (hopefully)
2022-08-16 22:13:29 +02:00
Tim Shelton
726406f64d
Backend: hawk. last update to config until pySigma migration (hopefully)
2022-08-16 19:58:16 +00:00
Nasreddine Bencherchali
f37fd2375b
Update config
2022-08-16 20:18:46 +01:00
Nasreddine Bencherchali
d5133bcdd7
Update Sysmon
2022-08-16 19:47:44 +01:00
Nasreddine Bencherchali
6407089a40
Change service to diagnosis scripted
2022-08-15 12:45:12 +01:00
Nasreddine Bencherchali
d09037c9ad
Add 2 New EventLog Sources
- Microsoft-Windows-Shell-Core/Operational
- Microsoft-Windows-Diagnosis-Scripted/Operational
2022-08-14 21:38:36 +01:00
Florian Roth
8041ab5130
Merge pull request #3325 from nasbench/nasbench-rule-devel
Update+New Rules
2022-08-05 23:42:09 +02:00
Nasreddine Bencherchali
f2bec5c6af
Update provider + rules
2022-08-04 21:58:07 +01:00
Nasreddine Bencherchali
a073590c2f
Add Security-Mitigations-User Mode log
2022-08-04 13:44:55 +01:00
Sven Scharmentke
b3088d45b4
Merge branch 'master' into feature/ame-6.3
2022-08-04 09:43:23 +02:00
Phrozyn
b9e78e4656
mitre_update: updates resulting json to current state
2022-08-03 14:05:34 -05:00
Florian Roth
3f402e3007
Merge pull request #3304 from d4rk-d4nph3/master
Added rule for Defender DLL sideloading
2022-08-03 10:46:37 +02:00
Tim Shelton
5f0347d94d
Backend: adjusting http_path to match, along with expanding event_channel, since channel key has collisions
2022-08-02 23:39:49 +00:00
Florian Roth
87a0c9e1b9
Merge branch 'master' into master
2022-08-02 18:10:24 +02:00
Florian Roth
afa0d77025
refactor: adding new channel to all backends
2022-08-02 18:08:29 +02:00
Bhabesh
4bbc1bc119
Support for Security-Mitigations provider
2022-08-02 13:32:22 +05:45
Tim Shelton
b39ec30d06
Backend: hawk update to support boolean comparison values and some column translation updates
2022-07-29 13:56:15 +00:00
markoverholser
381c26fd94
Fix issue with using source: on Zeek files log
Line 407 was `source: id.orig_h` so that people could use the word `source` as an alias to `id.orig_h`; however, there is a literal field with the name `source` in the `files.log` for Zeek, so having a Sigma query with something like `source: 'SMTP'` would yield `id.orig_h='SMTP'` in the resulting Splunk translation, which is incorrect. It should be `source='SMTP'`.
Commenting out line 407 fixes this.
2022-07-19 15:16:20 -05:00
akshay-chaturvedi
4625d8fb6c
Merge branch 'SigmaHQ:master' into dnif-backend
2022-07-13 17:30:17 +05:30
Florian Roth
955b3dc66b
fix: missing Defender eventlog in splunk config
2022-07-06 12:41:34 +02:00
akshay.chaturvedi
b80448a0e7
added new backend for DNIF queries
2022-06-30 13:03:54 +05:30
frack113
227eefc985
Merge pull request #3128 from f-block/patch-2
ProviderName seems to be wrong
2022-06-14 20:58:11 +02:00
Frank Block
e10a9f0257
Re-added powershell related "ProviderName" mapping
2022-06-14 20:48:36 +02:00
Frank Block
1e0a9fd8c1
Mapping name "Provider_Name" instead of "ProviderName"
The mapping identifier `ProviderName` doesn't occur in any windows rule (except one: `powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml`).
Instead, the identifier `Provider_Name` is used.
2022-06-14 18:17:35 +02:00