1fc408bfaa
fix: duplicate field values in YAML configs
2021-03-20 08:49:43 +01:00
a08571be91
Merge branch 'master' of https://github.com/Neo23x0/sigma
2021-02-28 21:57:51 +01:00
6995e6378b
Added LGPL to distribution
2021-02-28 21:32:38 +01:00
e1f43f17c2
fixed various spelling errors all over rules and source code
2021-02-24 14:43:13 +00:00
e248012783
Release 0.19
2021-02-23 21:27:14 +01:00
5cfd837776
Removed irrelevant type check in fieldlist backend
...
Fixes issue #1351
2021-02-23 21:15:29 +01:00
74ae89833f
Added long description to PyPI distribution
2021-02-23 21:06:25 +01:00
4aa7505b40
Updated fields to align with MS Advanced Threat Hunting Schema. Standardised and sorted fields across schemas.
2021-02-04 11:54:29 +00:00
921ebf7445
Optimizing Qradar query generation in cases where field definitions are missing
2021-01-26 15:24:44 +01:00
ac3730d2fa
Fixing Qradar implementation for create valid AQL queries
2021-01-25 15:37:05 +01:00
89a4e48b0a
bugfix field support
2021-01-22 09:28:23 +01:00
11c216629b
fix: thor sources for applocker with wrong prefix
2021-01-07 12:27:37 +01:00
789dfb3f47
Merge pull request #1291 from lprat/fix_issue_1285
...
fix issue 1285
2020-12-30 23:06:38 +01:00
675d93ee3d
Replaced string comparison with isinstance
2020-12-30 22:50:13 +01:00
1bb0963784
Moved set_size option to class where it's used
2020-12-30 22:25:57 +01:00
ac55c7fdd4
Merge branch 'elasticsearch_backend' of https://github.com/WuerthIT/sigma into pr-1308
2020-12-30 22:18:13 +01:00
fa6f75f07e
Update sumologic.yml
...
The commit from vihreb on October 6, 2020 (https://github.com/Neo23x0/sigma/commit/51df5ad8764cd6896a3ef83ad388aebc136d5815 ) removed some items from the allowed fields list for the sumologic backend (https://github.com/Neo23x0/sigma/blob/51df5ad8764cd6896a3ef83ad388aebc136d5815/tools/sigma/backends/sumologic.py#L161 ) with the expectation that they are included in the sumologic config, however the default sumologic config does not reflect that change. This breaks the parsing of maps from rules. For example, when trying to run sigmac on a rule with multiple EventID values, the result is an error that states "argument of type 'int' is not iterable."
I suspect that this change in the behavior of the backend was made to accommodate for new sumologic-cse config which may not need the additional allowed fields that the regular sumologic config does. As such, I think it would probably make the most sense to re-add these fields to the sumologic config file rather than directly back into the backend for sumologic.
Note: In the config, I did not include those fields that are presently hard coded in the allowed field list in the sumologic backend (e.g. _sourceCategory and _view were removed). I also removed "sourcename" since from what I can tell, the syntax that vihreb added to the sumologic backend "_sourceName" is actually correct.
2020-12-28 16:46:32 -05:00
7e6f01f611
elasticsearch backend: new parameter and fields support
2020-12-14 16:07:09 +01:00
d1f7a206b9
Merge pull request #1289 from weslambert/master
...
Fix typo
2020-12-13 19:04:07 +01:00
97fcae56fd
Update sigmac.py
2020-12-06 20:08:00 +01:00
4a4d3e1d35
Update sigmac.py
2020-12-04 18:22:24 +01:00
a40ef7360d
Add sigmac flag to delimit results by NUL instead of \n
2020-12-04 18:05:23 +01:00
578d2f0585
Merge pull request #1283 from 404d/mdatp-fixes
...
mdatp: Mapping and generic event changes, case insensitive search
2020-11-29 21:56:17 +01:00
ad899899ab
Updated winlogbeat.yml config to include OriginalFileName
2020-11-26 14:48:14 -05:00
3a7c114ca3
Fix field mapping for DestinationHostname
2020-11-26 04:17:28 +01:00
0ed54a6cae
Merge pull request #1290 from arollyson/helix_backend
...
Backend: FireEye Helix
2020-11-21 00:06:19 +01:00
7ca368d1ed
fix issue 1285
...
https://github.com/Neo23x0/sigma/issues/1285
2020-11-20 16:42:20 +01:00
83b8af6cd2
Add FirEye Helix backend
2020-11-19 11:18:28 -05:00
832e582b8d
Fix typo
2020-11-17 17:44:40 -05:00
9944c0e563
Merge branch 'master' into pr/1267
2020-11-17 14:33:55 +01:00
c5c6557ca2
Merge pull request #1256 from vastlimits/master
...
Backend: uberAgent ESA converter backend
2020-11-17 14:29:01 +01:00
eed4fe04d5
added role name field to ecs-cloudtrail.
2020-11-13 05:59:55 +05:00
c0a7cdc3de
mdatp: Use case-insensitive searches by default
...
This sohuld match the draft Sigma specification as well as other backends
2020-11-12 14:09:30 +01:00
a75d4fb561
mdatp: Add more field mappings and table<->generic event mappings, skip IMPHASH as it's not supported
2020-11-12 13:15:38 +01:00
446b0b7f9d
Merge branch 'master_origin'
2020-11-11 12:32:53 +01:00
a58d04e4df
Rules: Support image_load
2020-11-11 12:31:55 +01:00
43b9b17767
Merge pull request #1281 from andurin/kibana-ndjson-configs
...
kibana-ndjson for all configs which already have kibana
2020-11-11 07:34:37 +01:00
230562bdf6
Merge pull request #1278 from K-Yo/update-navigator-v4
...
Update navigator v4
2020-11-10 13:34:46 +01:00
c087e39698
Merge pull request #1277 from K-Yo/fix-unicode-error
...
Fix unicode error in sigma2attack
2020-11-10 13:34:05 +01:00
7e742cc049
kibana-ndjson for all configs which already have kibana
2020-11-09 08:46:17 +01:00
96e90fbff2
Fix recursion of rules
2020-11-06 12:43:52 +01:00
34f24a60a1
Updating attack navigator version to v4.0
2020-11-05 23:37:01 +01:00
bf5d40eec3
New Backend - Kibana NDJSON
...
Tested against 7.9.3
2020-11-05 23:34:25 +01:00
31639366cd
Fix unicode error in sigma2attack
2020-11-05 22:30:12 +01:00
90e211bad8
Create ecs-suricata.yml
2020-11-01 21:21:04 -03:00
f0e89b0c8c
Fixed: typecheck in sumologig-cse
2020-10-23 19:49:55 +02:00
2fb7dd5e99
Fixes
...
* Removed Splunk regex query
* Added test for sumologic-cse backend
2020-10-23 15:31:00 +02:00
9dc806448c
Merge branch 'master' of https://github.com/socprime/sigma into pr-1049
2020-10-23 14:57:25 +02:00
383823f49a
Fix: added default value of current_table
2020-10-21 10:12:17 +03:00
ca852eca0e
PR Review: Minor fixes
2020-10-21 08:54:50 +02:00
Florian Roth