979502921f
define security-mitigations service
2022-09-28 06:23:50 +09:00
dd1fed29a0
Add shell-core service
2022-09-27 06:36:01 +02:00
048de3fc81
add diagnosis-scripted to windows services file
2022-09-27 10:43:38 +09:00
ad6ddf5896
feat(backend): add support for linux.network_connection
...
Also remove evaluatorId
2022-09-20 13:47:17 -05:00
b9c7b79847
Merge pull request #3477 from elhoim/sigmac_deprecation_warning
...
Added deprecating warning in sigmac with color
2022-09-10 15:43:35 +02:00
97cecc6de7
Merge pull request #3479 from elhoim/add_sigmac_deprecation_readme
...
Add deprecation notice in README page
2022-09-10 12:34:07 +02:00
c6e633bf30
Release 0.22.1
2022-09-09 22:48:08 +02:00
7afcf24d21
Splunk puts AND always into parentheses
...
New fix for issue #3443
2022-09-09 22:30:00 +02:00
3396414bda
Revert "Wrapped all-modifier result into NodeSubexpression"
...
This reverts commit 1fbd2bba4d
2022-09-09 22:26:13 +02:00
607521f6bd
Added depcration notice in README page
2022-09-09 12:33:00 +02:00
6b9470f8e4
New message as requested.\n Only displayed on full help and when no arguments is passed
2022-09-09 12:24:30 +02:00
9711afd0d6
Added deprecating warning in sigmac with color
2022-09-09 09:08:50 +02:00
57243e91e7
Sigmatools release 0.22
2022-09-08 21:24:23 +02:00
1fbd2bba4d
Wrapped all-modifier result into NodeSubexpression
...
Fixes sigmac splunk backend: Wrong conversion for |contains|all #3443
2022-09-08 17:57:36 +02:00
19dea55e2c
Merge branch 'windash'
2022-09-08 09:34:19 +02:00
119cfe9558
fix: missing WinEventLog prefix for splunk/thor logsources
2022-08-23 11:50:15 +02:00
03a6a5b48b
Update Sqlite backend to handle null values
2022-08-20 12:23:00 +02:00
fbc7519b94
Merge pull request #3385 from nasbench/nasbench-rule-devel
...
Update Sysmon Config
2022-08-17 09:29:54 +02:00
4abd506a4c
Merge pull request #3387 from redsand/backend_hawk_config_update_before_pysigma_migration
...
Backend: hawk. last update to config until pySigma migration (hopefully)
2022-08-16 22:13:29 +02:00
726406f64d
Backend: hawk. last udpate to config until pySigma migration (hopefully)
2022-08-16 19:58:16 +00:00
f37fd2375b
Update config
2022-08-16 20:18:46 +01:00
d5133bcdd7
Update Sysmon
2022-08-16 19:47:44 +01:00
6407089a40
Change service to diagnosis scripted
2022-08-15 12:45:12 +01:00
d09037c9ad
Add 2 New EventLog Sources
...
- Microsoft-Windows-Shell-Core/Operational
- Microsoft-Windows-Diagnosis-Scripted/Operational
2022-08-14 21:38:36 +01:00
ac203f99b5
Restore ruamel in sigmac to allow output in YAML
...
This commit definitely fix the #3337 issue. The commit #3349 restored the commented lines but the ruamel import was not in it.
2022-08-10 11:42:27 +02:00
b13c37ad75
Fix issue 3337
2022-08-10 07:42:50 +02:00
8041ab5130
Merge pull request #3325 from nasbench/nasbench-rule-devel
...
Update+New Rules
2022-08-05 23:42:09 +02:00
f2bec5c6af
Update provider + rules
2022-08-04 21:58:07 +01:00
a073590c2f
Add Security-Mitigations-User Mode log
2022-08-04 13:44:55 +01:00
b9e78e4656
mitre_update: updates resulting json to current state
2022-08-03 14:05:34 -05:00
3f402e3007
Merge pull request #3304 from d4rk-d4nph3/master
...
Added rule for Defender DLL sideloading
2022-08-03 10:46:37 +02:00
41bbb39f99
Merge pull request #3317 from redsand/backend_hawk_http_path_resolve
...
Backend: adjusting http_path to match, along with expanding event_cha…
2022-08-03 06:30:25 +02:00
5f0347d94d
Backend: adjusting http_path to match, along with expanding event_channel, since channel key has collisions
2022-08-02 23:39:49 +00:00
87a0c9e1b9
Merge branch 'master' into master
2022-08-02 18:10:24 +02:00
afa0d77025
refactor: adding new channel to all backends
2022-08-02 18:08:29 +02:00
4bbc1bc119
Support for Security-Mitigations provider
2022-08-02 13:32:22 +05:45
d47f32cb0f
chore: Remove DEFAULT_EVAL_FREQUENCY global
...
Signed-off-by: Rachel Rice <rachel.rice@lacework.net >
2022-08-01 16:26:58 +01:00
197953e816
chore: Remove evalFrequency from Lacework backend
...
evalFrequency has been deprecated; it is no longer required for policies.
Signed-off-by: Rachel Rice <rachel.rice@lacework.net >
2022-08-01 16:12:13 +01:00
b39ec30d06
Backend: hawk update to support boolean comparison values and some column translation updates
2022-07-29 13:56:15 +00:00
381c26fd94
Fix issue with using source: on Zeek files log
...
Line 407 was `source: id.orig_h` so that people could use the word `source` as an alias to `id.orig_h`, however there is a literal field with the name `source` in the `files.log` for Zeek, so having a Sigma query with something like `source: 'SMTP'` would yield `id.orig_h='SMTP'` in the resulting Splunk translation, which is incorrect. It should be `source='SMTP'`
Commenting out line 407 fixes this.
2022-07-19 15:16:20 -05:00
4625d8fb6c
Merge branch 'SigmaHQ:master' into dnif-backend
2022-07-13 17:30:17 +05:30
d15f3d738b
Merge pull request #3207 from SigmaHQ/rule-devel
...
fix: missing Windows Defender source, rule: Proxy UA Base64
2022-07-08 11:14:00 +02:00
d03f6df250
Reference Update [Batch 1]
2022-07-07 15:24:15 +01:00
955b3dc66b
fix: missing Defender eventlog in splunk config
2022-07-06 12:41:34 +02:00
8ff679a42d
update test and readme
2022-06-30 18:41:56 +05:30
b80448a0e7
added new backend for DNIF queries
2022-06-30 13:03:54 +05:30
1249675bcd
Adding a mapping check to escape slashes in KQL
2022-06-18 09:02:21 -04:00
32b4a836b8
using deepcopy to clone previous rule
2022-06-16 12:19:14 +08:00
227eefc985
Merge pull request #3128 from f-block/patch-2
...
ProviderName seems to be wrong
2022-06-14 20:58:11 +02:00
e10a9f0257
Re-added powershell related "ProviderName" mapping
2022-06-14 20:48:36 +02:00
Yamato Security