security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
12,978 Commits 1 Branch 57 Tags
2ecf9ec7e16707513524c2f3c82fa471663cacad
Commit Graph

809 Commits

Author SHA1 Message Date
David Hazekamp ad6ddf5896 feat(backend): add support for linux.network_connection 
Also remove evaluatorId
 2022-09-20 13:47:17 -05:00
frack113 b9c7b79847 Merge pull request #3477 from elhoim/sigmac_deprecation_warning 
Added deprecating warning in sigmac with color
 2022-09-10 15:43:35 +02:00
Thomas Patzke 7afcf24d21 Splunk puts AND always into parentheses 
New fix for issue #3443
 2022-09-09 22:30:00 +02:00
Thomas Patzke 3396414bda Revert "Wrapped all-modifier result into NodeSubexpression" 
This reverts commit 1fbd2bba4d.
 2022-09-09 22:26:13 +02:00
David ANDRE 6b9470f8e4 New message as requested.\n Only displayed on full help and when no arguments is passed 2022-09-09 12:24:30 +02:00
David ANDRE 9711afd0d6 Added deprecating warning in sigmac with color 2022-09-09 09:08:50 +02:00
Thomas Patzke 1fbd2bba4d Wrapped all-modifier result into NodeSubexpression 
Fixes sigmac splunk backend: Wrong conversion for |contains|all #3443
 2022-09-08 17:57:36 +02:00
Thomas Patzke 19dea55e2c Merge branch 'windash' 2022-09-08 09:34:19 +02:00
Wagga 03a6a5b48b Update Sqlite backend to handle null values 2022-08-20 12:23:00 +02:00
Wagga ac203f99b5 Restore ruamel in sigmac to allow output in YAML 
This commit definitely fix the #3337 issue. The commit #3349 restored the commented lines but the ruamel import was not in it.
 2022-08-10 11:42:27 +02:00
frack113 b13c37ad75 Fix issue 3337 2022-08-10 07:42:50 +02:00
Rachel Rice d47f32cb0f chore: Remove DEFAULT_EVAL_FREQUENCY global 
Signed-off-by: Rachel Rice <rachel.rice@lacework.net>
 2022-08-01 16:26:58 +01:00
Rachel Rice 197953e816 chore: Remove evalFrequency from Lacework backend 
evalFrequency has been deprecated; it is no longer required for policies.

Signed-off-by: Rachel Rice <rachel.rice@lacework.net>
 2022-08-01 16:12:13 +01:00
Tim Shelton b39ec30d06 Backend: hawk update to support boolean comparison values and some column translation updates 2022-07-29 13:56:15 +00:00
akshay.chaturvedi b80448a0e7 added new backend for DNIF queries 2022-06-30 13:03:54 +05:30
Alexander McDonald 1249675bcd Adding a mapping check to escape slashes in KQL 2022-06-18 09:02:21 -04:00
ChiYang Tsai 32b4a836b8 using deepcopy to clone previous rule 2022-06-16 12:19:14 +08:00
frack113 6bd09ec054 Merge pull request #3114 from hazedav/self-join-filter 
feat(backend): support for parent process filters
 2022-06-09 08:16:13 +02:00
David Hazekamp c1b5551486 feat(backend): bump lacework config version 2022-06-08 23:41:54 -05:00
David Hazekamp fea9602210 feat(backend): support for parent process filters 2022-06-08 23:39:32 -05:00
Tim Shelton 4d7d0b3235 backend - updating hawk backend with additional translations 2022-06-08 19:04:37 +00:00
David Hazekamp 323298ba91 fix(backend): use subexp when OR list items 2022-06-03 14:54:35 -05:00
Maxime Lamothe-Brassard 3fdaf8b9f1 Support alternate case for OriginalFileName. 2022-05-27 11:01:22 -07:00
Tim Shelton b339901806 Backend: because hawk splits up SYSTEM and NT AUTHORITY, additional treatment is needed on some rules 2022-05-23 23:52:52 +00:00
Thomas Patzke 01ffec65fe Merge pull request #2994 from ablescia/feat-hedera_backend 
Hedera Backend - C# dynamic LINQ
 2022-05-18 23:23:51 +02:00
Tim Shelton c64197233d fixing error in translation 2022-05-10 02:19:23 +00:00
Tim Shelton 50a4a02364 adding additional field with ip_src as initial cardinal 2022-05-10 01:51:37 +00:00
Tim Shelton 8674e26218 adding cardinality of each group by to include source address. otherwise lookups will only be using "command" for example 2022-05-10 01:50:46 +00:00
Tim Shelton 6aa0064c28 adding support for splitting out domain and user for nt authority, since its split in the application into 2 fields, only works for system currently. not aware of other examples 2022-05-09 23:23:07 +00:00
Antonio Blescia feca339bfc created hedera backend file 2022-05-08 15:59:14 +02:00
Tim Shelton bd51eb4c72 adding additional filter for string 2022-05-04 15:27:23 +00:00
Tim Shelton ad003de3fb Fixing mismatch of sigs when using system/app/security and additional matching against provider name 2022-05-04 14:58:02 +00:00
tungnd27 9d7a7f7896 Add StreamAlert backend 2022-05-03 17:32:19 +07:00
Thomas Patzke f6ec8de586 Modifier support for conditional expressions 2022-05-02 23:22:16 +02:00
Thomas Patzke 512dad2185 Removed debugging code 2022-05-02 00:43:42 +02:00
Thomas Patzke 9ee0d29d68 Windash modifier 2022-05-02 00:38:21 +02:00
Thomas Patzke 58dea50656 Fix: Subexpression with OR instead of OR 2022-05-01 23:17:33 +02:00
Thomas Patzke 184b6bb244 Wrapping base64offset modified expansion group into ConditionOR 2022-05-01 23:07:25 +02:00
Tim Shelton eb0bcd7c9f updating hawk field translation, and bug when an author field is not present in a sig 2022-04-28 19:54:00 +00:00
secops4thewin 4442bb6982 Removed empty line 2022-04-28 13:18:11 +10:00
secops4thewin 9275d33ab2 Add timeframe to search for Devo 
Modified search to include a timeframe option.
 2022-04-28 13:14:41 +10:00
frack113 627843d73f New registry category mapping 2022-03-26 19:36:46 +01:00
frack113 33e29b55bf New registry category 2022-03-26 19:05:38 +01:00
SimSama c37ae60cff Merge branch 'master' into master 2022-03-16 16:29:34 -05:00
Florian Roth 6d6e69b672 Merge pull request #2818 from redsand/hawk_publish 
Merging latest changes for HAWK.IO
 2022-03-16 22:28:28 +01:00
Tim Shelton eefd026037 Merging latest changes for HAWK.IO 2022-03-16 20:26:49 +00:00
meiliumeiliu 37ef85ffa6 Merge pull request #1 from FortiSIEM/master 
Merge code to FortiSIEM from AccelOps
 2022-03-16 10:02:23 -07:00
Thomas Patzke dd9b41453b Fixed faulty optimization by removal 
Fixes #2806
 2022-03-15 23:55:13 +01:00
Mei Liu b85482a9bc Example: 
-O:
attackMapFile: It's used to set subFunction in XML rule. It's a map of subFunction and tags.attack in YML file.
ruleIndex: It's used to set rule id in XML rule. The format of rule id is PH_Rule_{ruleType}_SIGMA_{ruleIndex}
ruleType: It's used to set rule id in XML rule.

1. Generate rule for one YML file
    a. tools/sigmac -t fortisiem -c fortisiem-windows rules/windows/network_connection/win_net_python.yml
    b. tools/sigmac -t fortisiem -c fortisiem-windows -O attackMapFile=tools/config/fortisiem/MITRE-Attack-matrix.csv -O ruleIndex=0 -O ruleType=Windows rules/windows/network_connection/win_net_python.yml
   Output:
      <Rules>
      <Rule group="PH_SYS_RULE_THREAT_HUNTING" natural_id="PH_Rule_Windows_SIGMA_0"  phIncidentCategory="Server" function="Security" subFunction="Discovery" technique="T1046">
         <Name>Python Initiated Connection </Name>
         <IncidentTitle>Python Initiated Connection</IncidentTitle>
         <active>true</active>
         <Description> Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation </Description>
         <SigmaFileName> rules/windows/network_connection/win_net_python.yml </SigmaFileName>
         <CustomerScope groupByEachCustomer="true">
            <Include all="true"/>
           <Exclude/>
         </CustomerScope>
         <IncidentDef eventType="PH_RULE_Python_Initiated_Connection" severity="7">
           <ArgList> compEventType = Filter.eventType,hostName = Filter.hostName,isInitialed = Filter.isInitialed,procName = Filter.procName </ArgList>
         </IncidentDef>
         <PatternClause window="300">
           <SubPattern displayName="Filter" name="Filter">
               <SingleEvtConstr> eventType REGEXP ( "Win-Sysmon-3-Network-Connect.*" ) AND isInitialed="true" AND procName REGEXP ( ".*python.*" ) </SingleEvtConstr>
               <GroupByAttr> eventType,hostName,isInitialed,procName </GroupByAttr>
               <GroupEvtConstr> COUNT(*) &gt;= 1 </GroupEvtConstr>
           </SubPattern>
         </PatternClause>
         <TriggerEventDisplay>
           <AttrList> phRecvTime,hostName,isInitialed,procName,rawEventMsg </AttrList>
         </TriggerEventDisplay>
       </Rule>
       </Rules>

2. Generate rules for YML files under rules/windows
   a. tools/sigmac -t fortisiem -c fortisiem-windows -r rules/windows -o rule.xml
   b. tools/sigmac -t fortisiem -c fortisiem-windows -r rules/windows -O attackMapFile=tools/config/fortisiem/MITRE-Attack-matrix.csv -O ruleIndex=0 -O ruleType=Windows -o rule.xml
   Generate rules for YML files under rules/windows

3. Find files that is modified after some date.
  a. tools/sigmac --lists-files-after-date 2020/06/04 rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
  b. tools/sigmac --lists-files-after-date 2020/06/04 -r rules/windows/
  Output:
     rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml, Updated
     rules/windows/wmi_event/TestFile.yml, No date
 2022-03-09 11:26:07 -08:00
Mei Liu cbda88fcbb Example: 
-O:
attackMapFile: It's used to set subFunction in XML rule. It's a map of subFunction and tags.attack in YML file.
ruleIndex: It's used to set rule id in XML rule. The format of rule id is PH_Rule_{ruleType}_SIGMA_{ruleIndex}
ruleType: It's used to set rule id in XML rule.

1. Generate rule for one YML file
    a. tools/sigmac -t fortisiem -c fortisiem-windows rules/windows/network_connection/win_net_python.yml
    b. tools/sigmac -t fortisiem -c fortisiem-windows -O attackMapFile=tools/config/fortisiem/MITRE-Attack-matrix.csv -O ruleIndex=0 -O ruleType=Windows rules/windows/network_connection/win_net_python.yml
   Output:
      <Rules>
      <Rule group="PH_SYS_RULE_THREAT_HUNTING" natural_id="PH_Rule_Windows_SIGMA_0"  phIncidentCategory="Server" function="Security" subFunction="Discovery" technique="T1046">
         <Name>Python Initiated Connection </Name>
         <IncidentTitle>Python Initiated Connection</IncidentTitle>
         <active>true</active>
         <Description> Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation </Description>
         <SigmaFileName> rules/windows/network_connection/win_net_python.yml </SigmaFileName>
         <CustomerScope groupByEachCustomer="true">
            <Include all="true"/>
           <Exclude/>
         </CustomerScope>
         <IncidentDef eventType="PH_RULE_Python_Initiated_Connection" severity="7">
           <ArgList> compEventType = Filter.eventType,hostName = Filter.hostName,isInitialed = Filter.isInitialed,procName = Filter.procName </ArgList>
         </IncidentDef>
         <PatternClause window="300">
           <SubPattern displayName="Filter" name="Filter">
               <SingleEvtConstr> eventType REGEXP ( "Win-Sysmon-3-Network-Connect.*" ) AND isInitialed="true" AND procName REGEXP ( ".*python.*" ) </SingleEvtConstr>
               <GroupByAttr> eventType,hostName,isInitialed,procName </GroupByAttr>
               <GroupEvtConstr> COUNT(*) &gt;= 1 </GroupEvtConstr>
           </SubPattern>
         </PatternClause>
         <TriggerEventDisplay>
           <AttrList> phRecvTime,hostName,isInitialed,procName,rawEventMsg </AttrList>
         </TriggerEventDisplay>
       </Rule>
       </Rules>

2. Generate rules for YML files under rules/windows
   a. tools/sigmac -t fortisiem -c fortisiem-windows -r rules/windows -o rule.xml
   b. tools/sigmac -t fortisiem -c fortisiem-windows -r rules/windows -O attackMapFile=tools/config/fortisiem/MITRE-Attack-matrix.csv -O ruleIndex=0 -O ruleType=Windows -o rule.xml
   Generate rules for YML files under rules/windows

3. Find files that is modified after some date.
  a. tools/sigmac --lists-files-after-date 2020/06/04 rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml
  b. tools/sigmac --lists-files-after-date 2020/06/04 -r rules/windows/
  Output:
     rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml, Updated
     rules/windows/wmi_event/TestFile.yml, No date
 2022-03-08 17:16:08 -08:00