security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4,012 Commits 1 Branch 57 Tags
230562bdf6c0bb3a040ae2afae9773247dc5acd6
Commit Graph

462 Commits

Author SHA1 Message Date
Florian Roth 230562bdf6 Merge pull request #1278 from K-Yo/update-navigator-v4 
Update navigator v4
 2020-11-10 13:34:46 +01:00
Florian Roth c087e39698 Merge pull request #1277 from K-Yo/fix-unicode-error 
Fix unicode error in sigma2attack
 2020-11-10 13:34:05 +01:00
Hendrik 96e90fbff2 Fix recursion of rules 2020-11-06 12:43:52 +01:00
Olivier Caillault 34f24a60a1 Updating attack navigator version to v4.0 2020-11-05 23:37:01 +01:00
Hendrik bf5d40eec3 New Backend - Kibana NDJSON 
Tested against 7.9.3
 2020-11-05 23:34:25 +01:00
Olivier Caillault 31639366cd Fix unicode error in sigma2attack 2020-11-05 22:30:12 +01:00
Thomas Patzke f0e89b0c8c Fixed: typecheck in sumologig-cse 2020-10-23 19:49:55 +02:00
Thomas Patzke 2fb7dd5e99 Fixes 
* Removed Splunk regex query
* Added test for sumologic-cse backend
 2020-10-23 15:31:00 +02:00
Thomas Patzke 9dc806448c Merge branch 'master' of https://github.com/socprime/sigma into pr-1049 2020-10-23 14:57:25 +02:00
vh 383823f49a Fix: added default value of current_table 2020-10-21 10:12:17 +03:00
vh f45e45d736 Fix: Import SigmaRegularExpressionModifier in the splunk backend. 2020-10-20 18:13:53 +03:00
Thomas Patzke 976fc92b22 Merge pull request #971 from alan8trend/parse_nested_parentheses 
Add support nested parentheses for Sigma condition
 2020-10-12 23:30:36 +02:00
Thomas Patzke e8cdd4777a Merge pull request #1026 from ryanplasma/fix-pymisp-error 
Fix error with pymisp in sigma2misp
 2020-10-12 23:14:13 +02:00
vh 51df5ad876 Added: 
Sumo Logic CSE Rule Backend

Updated:
Mapping depence on logsource
Azure Sentinel Query Backend
MDATP: query with few logsources
CROWDSTRIKE: fix generateMapItemTypedNode
 2020-10-06 15:07:52 +03:00
Florian Roth d3ee1aba66 docs: MITRE ATT&CK(R) trademark references removed or adjusted 
https://github.com/Neo23x0/sigma/issues/1028
 2020-09-30 08:53:52 +02:00
Ryan Plas cdbee4b531 Fix error with pymisp in sigma2misp 2020-09-29 12:01:33 -04:00
Thomas Patzke 378d9c94cf Merge branch 'master' of https://github.com/socprime/sigma into pr-981 2020-09-15 12:14:49 +02:00
snake-jump 5119f887c8 add Regular expression support 
Add Regular expression support for netwitness-epl backend
 2020-09-14 22:04:47 +02:00
snake-jump 531557465c delete raise exception in case of sigma key is keyword(s) 2020-09-14 16:00:03 +02:00
snake-jump 09f25cf992 delete sqlparse module usage 2020-09-10 19:05:55 +02:00
snake-jump e74846b767 modify comment 2020-09-10 18:09:15 +02:00
snake-jump 64035fd799 initial commit for Netwitness-EPL backend 2020-09-10 17:12:12 +02:00
vh a2fec9f3b9 Fix sysmon backend 2020-08-28 12:26:40 +03:00
Nate Guagenti f21b3c50c6 control whether to use an analyzed field or different type if a query/value contains a wildcard. 
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
 2020-08-25 13:13:18 -04:00
Nate Guagenti a7ffb96b6b elasticsearch regex escape of '.' for case insensitivity backend options 
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
 2020-08-25 13:10:25 -04:00
Nate Guagenti 76910eaee4 fix sub field name usage if there are 3 or more fields.. 
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
 2020-08-25 12:56:57 -04:00
Nate Guagenti 0d713e4544 control whether to use an analyzed field or different type if a query/value contains a wildcard. 
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
 2020-08-25 12:56:33 -04:00
tung12 1921e9dd89 Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00
SOC Prime d3ba1e4fb8 Add sysmon backend 2020-08-18 11:20:22 +03:00
Thomas Patzke 01125ffd3b Fixed: Elastalert backend handling of conditional field mappings 2020-08-11 23:29:18 +02:00
alan tseng e9af2fb119 support nested conditions for Sigma 
The parser finds the close token in pairs with left token.
So the parser will support nested parentheses in the conditions.
 2020-08-07 14:58:32 +08:00
bar 8352eefe22 STIX Support keywords (value without field) 2020-07-28 18:52:02 +03:00
bar 32cf352236 Merge remote-tracking branch 'upstream/master' 2020-07-26 14:56:06 +03:00
Thomas Patzke dcb07bab2f Merge pull request #949 from 0xballistics/powershell_backend_fix 
partial(?) fix of #762
 2020-07-25 10:18:05 +02:00
Simran Soin c329f6412d Fix bug with NOT handling 2020-07-23 11:47:55 -04:00
Simran Soin 6c7b4cf408 Revert additional change in base.py 2020-07-23 10:47:22 -04:00
Simran Soin ef9af3730a Remove unnecessary edits from qradar.py 2020-07-23 10:34:29 -04:00
Simran Soin 0e49a6acdf Default NOT to false for all functions 2020-07-23 10:18:16 -04:00
Simran Soin 0fac21f4a3 Remove modifications from base file and override in stix.py 2020-07-23 10:13:30 -04:00
Simran Soin 30ff22776a Fix NOT bug 2020-07-23 09:41:33 -04:00
David Straßegger 875360f373 fixed wrong function call for elastalert aggregation. fixes #940 2020-07-20 14:32:30 +02:00
Aidan Bracher e0476d5ce6 Merge branch 'master' of git://github.com/Neo23x0/sigma 2020-07-15 16:35:29 +01:00
Aidan Bracher 1e5ee5823c Fix for indentation issue 
Wrong indentation of line 182 meant that even where config options
were given, the default per backend was being used, rendering
custom config useless.
 2020-07-15 16:29:27 +01:00
bar 50ef79b398 Custom STIX object "x-sigma" for fields that missing mapping, so the pattern is STIX valid 2020-07-08 14:09:26 +03:00
Thomas Patzke 9bcff522b6 Merge branch 'master' of https://github.com/rashimo/sigma into pr-709 2020-07-07 23:12:03 +02:00
bar acbab2db4b stix backend + mapping configurations for windows logs and qradar 2020-07-07 15:04:16 +03:00
Thomas Patzke 57cb255208 Merge pull request #864 from cclauss/patch-3 
Fix undefined names in sigma2misp.py
 2020-07-05 23:16:22 +02:00
Chris Brake 6ed1ea6509 Updating the mdatp backend file as it is currently impossible to set an ActionType as there is no mapping to EventType 2020-06-30 14:49:29 +01:00
Christian Clauss 9dc3940c07 Fix undefined names in sigma2misp.py 
create_new_event() -> create_new_event(args, misp) to fix:

flake8 testing of https://github.com/Neo23x0/sigma on Python 3.8.3

% _flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics_
```
./tools/sigma/sigma2misp.py:11:16: F821 undefined name 'misp'
    if hasattr(misp, "new_event"):
               ^
./tools/sigma/sigma2misp.py:12:16: F821 undefined name 'misp'
        return misp.new_event(info=args.info)["Event"]["id"]
               ^
./tools/sigma/sigma2misp.py:12:36: F821 undefined name 'args'
        return misp.new_event(info=args.info)["Event"]["id"]
                                   ^
./tools/sigma/sigma2misp.py:14:13: F821 undefined name 'misp'
    event = misp.MISPEvent()
            ^
./tools/sigma/sigma2misp.py:15:18: F821 undefined name 'args'
    event.info = args.info
                 ^
./tools/sigma/sigma2misp.py:16:12: F821 undefined name 'misp'
    return misp.add_event(event)["Event"]["id"]
           ^
6     F821 undefined name 'misp'
6
```
 2020-06-28 07:02:41 +02:00
Thomas Patzke 0ee47e118c Merge branch 'pr-848' 2020-06-28 01:04:30 +02:00