security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
8,892 Commits 1 Branch 57 Tags
39cc87033475f342b118aa4dc6f3cbee4e8e7d2c
Commit Graph

1260 Commits

Author SHA1 Message Date
Julien Doutre 39cc870334 test field mapping 2021-12-02 16:15:08 +01:00
Anna Pauxberger 181ffb1933 Remove redundant escapes 2021-12-01 16:21:06 -05:00
Anna Pauxberger 68ac5c01ef Fix DatadogLogsBackend in Tests 2021-12-01 16:20:46 -05:00
Anna Pauxberger b0fa982605 add Datadog to README 2021-12-01 16:08:39 -05:00
Anna Pauxberger e86ddc0b36 fix naming and references 2021-12-01 16:08:00 -05:00
Anna Pauxberger ab1e1c5fe0 specify datadog-logs backend 2021-12-01 15:11:51 -05:00
Julien Doutre f042480c63 Factor test query generation logic 2021-12-01 11:38:38 +01:00
Julien Doutre 4989be3923 consolidate test names 2021-12-01 11:24:57 +01:00
Julien Doutre 8bf814b3c0 Fix failing test 2021-12-01 11:10:06 +01:00
Julien Doutre c4b4703cf2 unittest assert statements 2021-12-01 11:00:27 +01:00
Anna Pauxberger 34c4f5dbb3 add tests 2021-12-01 00:28:09 -05:00
Julien Doutre fe1b4cf48a Integration test over all the rules 2021-11-30 16:10:56 +01:00
Julien Doutre 3fc0d80280 Fix config init 2021-11-29 18:08:34 +01:00
Julien Doutre b2645eb017 Handle facets and attributes 2021-11-29 17:23:23 +01:00
Julien Doutre 230705d28c Support null values 2021-11-29 16:13:23 +01:00
Julien Doutre b114c76afe Consistent regexp 2021-11-29 15:20:05 +01:00
Julien Doutre beab887ad1 Escape queries 2021-11-29 15:11:29 +01:00
Julien Doutre 34d1729c5f unset service case handling 2021-11-29 11:55:50 +01:00
Julien Doutre 5c91a1ab42 fix attribute check logic 2021-11-25 16:14:02 +01:00
Julien Doutre 0abb360f99 Support index backend option 2021-11-23 18:11:46 +01:00
Julien Doutre dca139d298 Example backend config file 2021-11-23 18:11:27 +01:00
Julien Doutre 81d3756008 Simple rules support 2021-11-23 17:51:03 +01:00
Anna Pauxberger c2b91c58d9 add datadog backend structure 2021-11-23 11:08:27 -05:00
frack113 4425f9cbcd Update sigma2attack.py 2021-11-20 19:59:57 +01:00
frack113 17296b4f5c Fix score error 2021-11-20 11:13:18 +01:00
frack113 1186982172 Add missing info 2021-11-20 10:10:17 +01:00
frack113 64d7386b9d Update and fix sigma2attack 2021-11-20 09:55:51 +01:00
redsand (Tim Shelton) bc334ab456 Hawk backend support for wildcard in middle of string (#2273) 
* updating yaml cfg for ms eventlog support

* update config and sigma backend, so that comments are not replaced, but rather the details of the record

* updating scriptblocktext to value

* adding a few missing ip address translations

* Fixing error when handling comparisons of null values, and additional fix of lack of support for not

* adding additional translations for missing category entries

* fixing error when handling list of ors with a not indicator

* finishes support for windows translations, pending qa

* adding dedupe feature and additional translation fix for dns-server

* adding image_loaded translation

* forced to pull back on the aggressive deduping, caused some inaccuracies

* adding more ux friendly formatting for regex

* adds support for wildcards in middle of strings

* adding a missing null check for supporting null matching

* adding cisco, av, and django cfg in yaml. updated apache in yaml and added another translation for ip_dport
 2021-11-18 06:29:41 +01:00
Sven Scharmentke c09b1861ec Merge branch 'SigmaHQ:master' into feature/uberagent-compat-6.2 2021-11-17 16:30:05 +01:00
Thomas Patzke ad647a6ecb Merge pull request #2240 from Entropy0/bugfix/condition-type-inheritance 
fix condition token inheritance
 2021-11-15 23:43:53 +01:00
Thomas Patzke cdaefbff69 Merge pull request #2265 from SigmaHQ/fix-ids 
Additional characters in identifier token
 2021-11-15 23:26:28 +01:00
Thomas Patzke aa47b88326 Merge pull request #2264 from roysjosh/fix-agg-ge-le 
Fix aggregation GE/LE
 2021-11-15 22:51:14 +01:00
Thomas Patzke 068255fc82 Additional characters in identifier token 2021-11-15 22:46:22 +01:00
Joshua Roys 87f919d0bc Fix aggregation GE/LE 
List longest matches first otherwise they will never match.
 2021-11-15 15:57:46 -05:00
wagga40 a8d00385c3 Fix double quotes escaping and values with commas in SQLite/SQL backends 2021-11-11 20:55:01 +01:00
frack113 8b419b8f07 Merge pull request #2247 from frack113/fix_field 
Fix rule field name
 2021-11-11 08:51:52 +01:00
redsand (Tim Shelton) a9b49679d3 Updates to hawk sigmac backend (#2244) 
Updated HAWK sigma backend
 2021-11-11 08:01:53 +01:00
ZikyHD 510da0085e Update sysmon.py (#2234) 
Update sysmon.py  and merge from master
 2021-11-10 20:43:13 +01:00
frack113 b7b1ebf772 Fix LogonId - SubjectLogonId 2021-11-10 19:12:51 +01:00
frack113 ee4082b50d Merge pull request #2242 from frack113/fix_ProcessCommandLine 
Fix process command line
 2021-11-10 08:09:06 +01:00
frack113 a089a83794 Merge pull request #2238 from frack113/fix_logsource 
Fix logsource
 2021-11-10 08:08:40 +01:00
frack113 ca17949d85 Merge pull request #2237 from frack113/m365 
standardization m365
 2021-11-10 08:08:10 +01:00
frack113 c5fa73c328 fix ProcessCommandLine to ParentCommandLine 2021-11-09 16:13:29 +01:00
Entropy0 c7259b6196 fix condition token inheritance 
Without this fix, isinstance(ConditionOR(), ConditionAND) yields True
 2021-11-09 13:19:53 +01:00
David Vassallo e1ecd379fa Update elk-winlogbeat.yml 
Adding "RelativeTargetName" since it's used by `win_lm_namedpipe.yml`
 2021-11-09 13:38:31 +02:00
frack113 6c19303aa4 normalize logsource 2021-11-09 10:48:13 +01:00
frack113 3430943746 standardization 2021-11-09 07:27:25 +01:00
Sven Scharmentke 075419da38 Initial commit of pending changes providing uberAgent 6.2 compatibilitz. 2021-11-09 03:38:12 +01:00
frack113 7f087797d6 Merge pull request #2175 from frack113/elastic_is_bad_in_regex 
manage start end regex for Elastic
 2021-11-05 12:27:18 +01:00
Jordi Schoots 23ed626287 Change location value=str(value) 2021-11-01 16:05:34 +01:00