blue-team-tools

Author	SHA1	Message	Date
Thomas Patzke	b0f59faac3	Fixed type hint causing issues	2023-01-07 00:37:47 +01:00
Nasreddine Bencherchali	a25027fef8	fix: rename links from old repo to SigmaHQ	2022-12-27 21:05:16 +01:00
Tim Shelton	9e26ad75da	HAWK backend configuration update and bug fix.	2022-11-15 17:38:29 +00:00
tr0mb1r	27b8b85230	Update elasticsearch.py Example: 'threshold': { 'field': [ 'host.name', ], 'value': 10, 'cardinality': [ { 'field': 'process.parent.name', 'value': 1, }, ], }	2022-11-07 12:46:09 +04:00
$frack113$ frack113	85d33e4af9	Merge pull request #3525 from vastlimits/feature/ame-7.0 Updated uberAgent backend to support version 7.0.	2022-10-06 06:42:57 +02:00
mpgn	652447696b	Update datadog sigmac	2022-09-28 08:30:03 -04:00
Sven Scharmentke	5d9edbbb28	Merge remote-tracking branch 'origin/master' into feature/ame-6.3	2022-09-27 09:48:24 +02:00
David Hazekamp	ad6ddf5896	feat(backend): add support for linux.network_connection Also remove evaluatorId	2022-09-20 13:47:17 -05:00
$frack113$ frack113	b9c7b79847	Merge pull request #3477 from elhoim/sigmac_deprecation_warning Added deprecating warning in sigmac with color	2022-09-10 15:43:35 +02:00
Thomas Patzke	7afcf24d21	Splunk puts AND always into parentheses New fix for issue #3443	2022-09-09 22:30:00 +02:00
Thomas Patzke	3396414bda	Revert "Wrapped all-modifier result into NodeSubexpression" This reverts commit `1fbd2bba4d`.	2022-09-09 22:26:13 +02:00
David ANDRE	6b9470f8e4	New message as requested.\n Only displayed on full help and when no arguments is passed	2022-09-09 12:24:30 +02:00
David ANDRE	9711afd0d6	Added deprecating warning in sigmac with color	2022-09-09 09:08:50 +02:00
Thomas Patzke	1fbd2bba4d	Wrapped all-modifier result into NodeSubexpression Fixes sigmac splunk backend: Wrong conversion for \|contains\|all #3443	2022-09-08 17:57:36 +02:00
Thomas Patzke	19dea55e2c	Merge branch 'windash'	2022-09-08 09:34:19 +02:00
Wagga	03a6a5b48b	Update Sqlite backend to handle null values	2022-08-20 12:23:00 +02:00
Wagga	ac203f99b5	Restore ruamel in sigmac to allow output in YAML This commit definitely fix the #3337 issue. The commit #3349 restored the commented lines but the ruamel import was not in it.	2022-08-10 11:42:27 +02:00
$frack113$ frack113	b13c37ad75	Fix issue 3337	2022-08-10 07:42:50 +02:00
Sven Scharmentke	b3088d45b4	Merge branch 'master' into feature/ame-6.3	2022-08-04 09:43:23 +02:00
Rachel Rice	d47f32cb0f	chore: Remove DEFAULT_EVAL_FREQUENCY global Signed-off-by: Rachel Rice <rachel.rice@lacework.net>	2022-08-01 16:26:58 +01:00
Rachel Rice	197953e816	chore: Remove evalFrequency from Lacework backend evalFrequency has been deprecated; it is no longer required for policies. Signed-off-by: Rachel Rice <rachel.rice@lacework.net>	2022-08-01 16:12:13 +01:00
Tim Shelton	b39ec30d06	Backend: hawk update to support boolean comparison values and some column translation updates	2022-07-29 13:56:15 +00:00
akshay.chaturvedi	b80448a0e7	added new backend for DNIF queries	2022-06-30 13:03:54 +05:30
Alexander McDonald	1249675bcd	Adding a mapping check to escape slashes in KQL	2022-06-18 09:02:21 -04:00
ChiYang Tsai	32b4a836b8	using deepcopy to clone previous rule	2022-06-16 12:19:14 +08:00
$frack113$ frack113	6bd09ec054	Merge pull request #3114 from hazedav/self-join-filter feat(backend): support for parent process filters	2022-06-09 08:16:13 +02:00
David Hazekamp	c1b5551486	feat(backend): bump lacework config version	2022-06-08 23:41:54 -05:00
David Hazekamp	fea9602210	feat(backend): support for parent process filters	2022-06-08 23:39:32 -05:00
Tim Shelton	4d7d0b3235	backend - updating hawk backend with additional translations	2022-06-08 19:04:37 +00:00
David Hazekamp	323298ba91	fix(backend): use subexp when OR list items	2022-06-03 14:54:35 -05:00
Maxime Lamothe-Brassard	3fdaf8b9f1	Support alternate case for OriginalFileName.	2022-05-27 11:01:22 -07:00
Tim Shelton	b339901806	Backend: because hawk splits up SYSTEM and NT AUTHORITY, additional treatment is needed on some rules	2022-05-23 23:52:52 +00:00
Thomas Patzke	01ffec65fe	Merge pull request #2994 from ablescia/feat-hedera_backend Hedera Backend - C# dynamic LINQ	2022-05-18 23:23:51 +02:00
Tim Shelton	c64197233d	fixing error in translation	2022-05-10 02:19:23 +00:00
Tim Shelton	50a4a02364	adding additional field with ip_src as initial cardinal	2022-05-10 01:51:37 +00:00
Tim Shelton	8674e26218	adding cardinality of each group by to include source address. otherwise lookups will only be using "command" for example	2022-05-10 01:50:46 +00:00
Tim Shelton	6aa0064c28	adding support for splitting out domain and user for nt authority, since its split in the application into 2 fields, only works for system currently. not aware of other examples	2022-05-09 23:23:07 +00:00
Antonio Blescia	feca339bfc	created hedera backend file	2022-05-08 15:59:14 +02:00
Tim Shelton	bd51eb4c72	adding additional filter for string	2022-05-04 15:27:23 +00:00
Tim Shelton	ad003de3fb	Fixing mismatch of sigs when using system/app/security and additional matching against provider name	2022-05-04 14:58:02 +00:00
tungnd27	9d7a7f7896	Add StreamAlert backend	2022-05-03 17:32:19 +07:00
Sven Scharmentke	616dce35e2	Implemented RuleId property & use Generic fields as they are matched.	2022-05-03 01:08:12 +02:00
Sven Scharmentke	0d2189cfa2	Merge branch 'SigmaHQ:master' into feature/ame-6.3	2022-05-03 00:02:13 +02:00
Thomas Patzke	f6ec8de586	Modifier support for conditional expressions	2022-05-02 23:22:16 +02:00
Thomas Patzke	512dad2185	Removed debugging code	2022-05-02 00:43:42 +02:00
Thomas Patzke	9ee0d29d68	Windash modifier	2022-05-02 00:38:21 +02:00
Thomas Patzke	58dea50656	Fix: Subexpression with OR instead of OR	2022-05-01 23:17:33 +02:00
Thomas Patzke	184b6bb244	Wrapping base64offset modified expansion group into ConditionOR	2022-05-01 23:07:25 +02:00
Tim Shelton	eb0bcd7c9f	updating hawk field translation, and bug when an author field is not present in a sig	2022-04-28 19:54:00 +00:00
secops4thewin	4442bb6982	Removed empty line	2022-04-28 13:18:11 +10:00

1 2 3 4 5 ...

822 Commits