security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
3,496 Commits 1 Branch 57 Tags
34ea706e4fe91c8a2c7ae11b953407e1dd67a319
Commit Graph

715 Commits

Author SHA1 Message Date
Florian Roth 9c0f9f398f refactor: sysmon rule cleanup > generlization 2020-07-01 10:58:39 +02:00
j91321 ae842a65cb Windows Defender rules and logsource 2020-06-28 10:55:32 +02:00
Thomas Patzke 0ee47e118c Merge branch 'pr-848' 2020-06-28 01:04:30 +02:00
Thomas Patzke 89ed9f3763 Merge pull request #819 from cclauss/patch-2 
Undefined name: from .exceptions import SigmaCollectionParseError
 2020-06-28 00:37:09 +02:00
Thomas Patzke 09378b5ebf Fixed unsupported attempt to index a set 2020-06-28 00:27:33 +02:00
Thomas Patzke 415f826ece Merge branch 'default-pop' of https://github.com/rtkbkish/sigma into rtkbkish-default-pop 2020-06-28 00:09:39 +02:00
Thomas Patzke b1e4f44c21 Merge pull request #823 from Kuermel/master 
Add more Options for XPackWatcherBackend (Elasticsearch)
 2020-06-28 00:03:04 +02:00
Thomas Patzke d1f37bdbd4 Merge pull request #828 from stevengoossensB/master 
Split rules based on Sysmon event ID
 2020-06-28 00:00:32 +02:00
Thomas Patzke de5e453e19 Merge pull request #831 from 404d/cbr-backend-tweaks 
Add parentheses around field list groups in CB
 2020-06-27 23:39:57 +02:00
Florian Roth da46ff6e93 docs: descriptions for source configs 2020-06-25 13:59:51 +02:00
Florian Roth 825bda397d desc: better descriptions in help for backends and configurations 2020-06-25 13:21:43 +02:00
Florian Roth 07c0a6558e fix: wording on sysmon mapping file 2020-06-24 17:49:42 +02:00
Florian Roth f3fedef8f5 Changed category names and remove sysmon log source 2020-06-24 17:41:21 +02:00
Brad Kish 203aa192c7 Fix multiple references to default field mapping in same rule 
If there is a default mapping specified for a fieldmapping and that field is
referenced multiple times in the rule, the default mapping will be "pop"ped
and return the unmapped key on subsequent uses.

Don't pop the value. Just return the first entry.
 2020-06-18 13:01:31 -04:00
Florian Roth d371fd864c Merge pull request #834 from ebeahan/elastic-updates 
Elastic section updates
 2020-06-13 10:04:49 +02:00
Thomas Patzke f907c49ab5 Improved test coverage 
* Added test case
* Removed unused code
 2020-06-13 01:11:08 +02:00
Thomas Patzke b129556388 Automatic inclusion of all configuration files 2020-06-13 00:04:45 +02:00
Thomas Patzke 80e8f0e5fa Release 0.17.0 2020-06-12 23:52:06 +02:00
Thomas Patzke 24d83b80cd Merge branch 'script_entry_points' 2020-06-12 23:13:11 +02:00
Eric Beahan bba0b2d851 Elastic documentation improvements 2020-06-12 13:40:39 -05:00
Nate Guagenti aac1af1832 typo, was missing the = and *. 
also, show option when using case insensitive for everything, how to "exclude" a field from that regex.

Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
 2020-06-12 11:37:32 -04:00
Simen Lybekk bbcbed4742 Add parentheses about field list groups in CB 
This should address the grouping issue from #660.
The grouping issue was solved by just slamming some parentheses around the fields in the listExpression field.
 2020-06-11 15:33:02 +02:00
Steven Goossens 423baafa2a Added rules for different sysmon categories and added the category definition 2020-06-10 15:02:15 +02:00
Thomas Patzke 915ea1cc67 Merge branch 'script_entry_points' into master 2020-06-10 00:51:47 +02:00
Florian Roth 565febd39d README updated 2020-06-09 23:25:09 +02:00
Nate Guagenti f4fe425fa7 update readme for some analyzed field and keyword field examples 2020-06-09 16:53:50 -04:00
Thomas G 8c61dc9248 Add more Options for XPackWatcherBackend (Elasticsearch) 
Add action_throttle_period, mail_from adn mail_profile to the XPackWatcherBackend (Elasticsearch)
 2020-06-09 20:57:26 +02:00
Nate Guagenti 117ceac492 moved file to ecs-zeek-elastic-beats-implementation.yml 2020-06-09 08:56:01 -04:00
Christian Clauss dff7efc173 Update collection.py 2020-06-08 13:55:52 +02:00
Christian Clauss 55c0a03564 Undefined name: from .exceptions import SigmaCollectionParseError 
Discovered in #378.  `SigmaCollectionParseError()` is called on line 55 but it is never defined or imported which means that NameError will be raised instead of SigmaCollectionParseError.
 2020-06-08 13:55:16 +02:00
Florian Roth 94b90adf10 docs: move Sigmac help from Wiki to repo 2020-06-07 12:18:37 +02:00
Thomas Patzke 36a7077648 Moved tool executables to new location 2020-06-07 01:14:04 +02:00
Thomas Patzke a7d18c7ed9 Converted sigma2attack and added to entry points 2020-06-07 01:03:09 +02:00
Thomas Patzke 8688e8a2a1 Script entrypoint stubs 2020-06-07 00:22:59 +02:00
Thomas Patzke 7d70cd95a4 Deduplicated backend list 2020-06-06 01:03:02 +02:00
Thomas Patzke fb9855bd3b Added description to es-rule backend 2020-06-06 01:02:44 +02:00
Thomas Patzke 1d211565fc Moved backend options list to --backend-help 2020-06-06 00:56:00 +02:00
Thomas Patzke c992dc5215 Improved test coverage 2020-06-05 23:33:51 +02:00
Thomas Patzke 5d88d97c73 Merge branch 'improvements/improved_mdatp_mappings' of https://github.com/wietze/sigma into wietze-improvements/improved_mdatp_mappings 2020-06-05 23:03:52 +02:00
Jonas Plum 3a6ac5bd5c Remove unused function 2020-05-30 01:57:06 +02:00
Jonas Plum 70935d26ce Add license header 2020-05-29 23:56:05 +02:00
Jonas Hagg dedfb65d63 Implemented Aggregation for SQL, Added SQLite FullTextSearch 2020-05-25 11:58:55 +02:00
Thomas Patzke daf7ab5ff7 Cleanup: removal of corelight_* backends 2020-05-24 22:41:38 +02:00
Thomas Patzke d45f8e19fe Fixes 2020-05-24 21:46:55 +02:00
Thomas Patzke 32e4998c49 Removed dead code from ALA backend. 2020-05-24 21:45:37 +02:00
Thomas Patzke 24b08bbf30 Merge branch 'master' of https://github.com/socprime/sigma into socprime-master 2020-05-24 17:06:32 +02:00
Thomas Patzke 8d9b706d6a Merge pull request #727 from 3CORESec/master 
Override Features
 2020-05-20 19:11:56 +02:00
vh e8b956f575 Updated config 2020-05-20 12:35:00 +03:00
neu5ron 9e272d37b7 zeek category update and minor field updates 2020-05-19 05:02:45 -04:00
neu5ron 177f0a783b winlogbeat forward (at a snails pace) ECS field names 2020-05-19 04:58:51 -04:00