2ecc55c13f
Merge pull request #351 from ipninichuck/master
...
added metadata field to the watcher alert
2019-05-28 21:42:27 +02:00
f3edc39535
Merge pull request #346 from tuckner/master
...
Add Azure Log Analytics / Azure Sentinel to README list of integrations
2019-05-28 21:41:19 +02:00
36ba9f78da
Improved message if configuration is missing
2019-05-27 13:18:36 +02:00
7c1e856095
Merge pull request #353 from lprat/master
...
Add rule for CVE-2019-0708
2019-05-27 09:11:17 +02:00
323a7313fd
FP adjustments
...
We have checked the False Positive rate in different environments and noticed these event IDs in cases in which systems had bad network connections / we accessed via VPN. Therefore we reduced the level to "high" and added that note to the "False Positives" list.
2019-05-27 08:54:18 +02:00
84690280c5
Improved behavior on missing configuration
...
Listing all configus usable with chosen backend
2019-05-24 22:41:47 +02:00
241d814221
Merged WannaCry rules
2019-05-24 22:17:36 +02:00
f65f693a88
Add rule for CVE-2019-0708
2019-05-24 10:01:19 +02:00
7b63c92fc0
Rule: applying recommendation
...
https://twitter.com/SwiftOnSecurity/status/1131464234901094400
2019-05-23 09:44:25 +02:00
253417a367
Merge pull request #350 from olafhartong/master
...
Rule Windows 10 scheduled task SandboxEscaper 0-day
2019-05-22 13:54:45 +02:00
75ec169d5c
added metadata field to the watcher alert
...
While utilizing Kibana to track watches directly from the watch index it became quickly apparent that useful metadata was not available. In my project's case it was the title, description and tags from the sigma rule. By adding them to the metadata field it makes it easier to utilize them in visualizations of the watches themselves. In the future perhaps the contents of the metadata field could be given as an option for each user.
2019-05-22 04:30:47 -07:00
b60cfbe244
Added password flag
2019-05-22 13:20:26 +02:00
346022cfe8
Transformed to process creation rule
2019-05-22 12:50:49 +02:00
4a775650a2
Rule Windows 10 scheduled task SandboxEscaper 0-day
2019-05-22 12:36:03 +02:00
e675cdf9c4
Rule Windows 10 scheduled task SandboxEscaper 0-day
2019-05-22 12:32:07 +02:00
544dfe3704
Rule Windows 10 scheduled task SandboxEscaper 0-day
2019-05-22 12:28:42 +02:00
c937fe3c1b
Rule: Terminal Service Process Spawn
2019-05-22 10:38:27 +02:00
74ca0eeb88
Rule: Renamed PsExec
2019-05-21 09:49:40 +02:00
2d0c08cc8b
Added wildcards to rule values
...
These values appear somewhere in a log message, therefore wildcards are
required.
2019-05-21 01:03:20 +02:00
7d10491bf2
Update README.md
2019-05-20 17:46:28 -05:00
5867b5da74
Update README.md
2019-05-20 17:45:18 -05:00
194afa739f
Generate rule name for each condition
...
In backends kibana and xpack-watcher.
Fixes #329
2019-05-21 00:36:19 +02:00
af0bd1b082
Removed debug code from backend option handling
...
Additionally: code simplification
2019-05-21 00:21:52 +02:00
97541ac267
Added -C shortcut for --backend-config
2019-05-21 00:15:01 +02:00
7e163d71eb
Added option to use old URL in xpack-watcher backend
2019-05-21 00:01:21 +02:00
4e63e925cf
Merge branch 'patch-1' of https://github.com/lliknart/sigma into lliknart-patch-1
2019-05-20 23:43:49 +02:00
11ed7e7ef8
Check for valid configuration/backend combinations
2019-05-20 01:00:33 +02:00
e271484eef
Load configurations via new config management
2019-05-20 00:27:35 +02:00
3d20e0bc98
Sigma configuration management with listing
...
Missing:
* Use config by identifier
2019-05-17 09:13:59 +02:00
71ff6bd943
Catch type errors in configuration handling
2019-05-16 23:34:44 +02:00
36aeb19721
Added title to all configurations
2019-05-16 23:33:51 +02:00
f86342012a
Update elasticsearch.py
...
From ElasticSearch 7.0, the URI to access to Watcher API changes
Deprecation: [PUT /_xpack/watcher/watch/{id}] is deprecated! Use [PUT /_watcher/watch/{id}] instead.
2019-05-16 16:17:57 +02:00
9e2345c491
Merge pull request #338 from yt0ng/development
...
Suspicious Outbound RDP Rule likely identifying CVE-2019-0708
2019-05-15 21:35:52 +02:00
a6d2a5d79b
fix: more general fixes of the var type issue
2019-05-15 21:25:53 +02:00
9f1bbb0a0d
fix: missing type check in WDATP backend
2019-05-15 21:20:20 +02:00
694fa567b6
Reformatted
2019-05-15 20:22:53 +02:00
1c36bfde79
Bugfix - Swisscom in Newline
2019-05-15 15:03:55 +02:00
d5f49c5777
Fixed syntax
2019-05-15 14:50:57 +02:00
508d1cdae0
Removed double back slashes
2019-05-15 14:46:45 +02:00
13522b97a7
Adjusting Newline
2019-05-15 12:15:41 +02:00
275896dbe6
Suspicious Outbound RDP Rule likely identifying CVE-2019-0708
2019-05-15 11:47:12 +02:00
5dfe39c05b
Merge pull request #335 from Codehardt/master
...
fix: fixed reference list, otherwise it's not valid string list
2019-05-10 14:06:11 +02:00
1ca57719b0
fix: fixed reference list, otherwise it's not valid string list
2019-05-10 10:37:12 +02:00
1c2bc87946
Merge pull request #334 from Codehardt/master
...
fix: fixed reference list, otherwise it's not valid string list
2019-05-10 10:19:56 +02:00
6585c83077
fix: fixed reference list, otherwise it's not valid string list
2019-05-10 10:13:35 +02:00
526468bec3
Merge pull request #298 from christophetd/elastalert-allow-rules-without-http-post-url
...
Allow generating Elastalert rules with the http_post alert type without specifying a URL at generation time
2019-05-10 00:31:33 +02:00
f4d8dcaa1e
Merge branch 'Karneades-patch-1'
2019-05-10 00:21:15 +02:00
25c0330dca
Added filter
2019-05-10 00:20:56 +02:00
995c03eef9
Merge branch 'patch-1' of https://github.com/Karneades/sigma into Karneades-patch-1
2019-05-10 00:15:51 +02:00
a361664ed2
Merge pull request #318 from HacknowledgeCH/es-qs-not-parenthesis-fix
...
Correct parenthesization for NOT expressions in the ES-QS backend
2019-05-10 00:14:29 +02:00
Thomas Patzke