Commit Graph

68 Commits

Author SHA1 Message Date
Nick Moore 97034d23b6 Merge PR #4899 from @kelnage - Add Kubernetes rules in audit log format
new: Kubernetes Admission Controller Modification
new: Kubernetes CronJob/Job Modification
new: Kubernetes Rolebinding Modification
new: Kubernetes Secrets Modified or Deleted
new: Kubernetes Unauthorized or Unauthenticated Access 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-07-11 16:09:01 +02:00
Ryan Plas 1d40f1d20b Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
chore: update Microsoft references link to use the "learn" subdomain instead of "docs". 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Thanks: @ryanplasma
2024-07-02 12:00:11 +02:00
Leo Tsaousis 0d63f52ff5 Merge PR #4694 from @LAripping - Add native Kubernetes detections
new: Container With A hostPath Mount Created
new: Creation Of Pod In System Namespace
new: Deployment Deleted From Kubernetes Cluster
new: Kubernetes Events Deleted
new: Kubernetes Secrets Enumeration
new: New Kubernetes Service Account Created
new: Potential Remote Command Execution In Pod Container
new: Potential Sidecar Injection Into Running Deployment
new: Privileged Container Deployed
new: RBAC Permission Enumeration Attempt 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-03-26 18:26:46 +01:00
Josh Brower eac04262c2 Merge PR #4695 from @defensivedepth - Add new rules based on OpenCanary tooling
new: OpenCanary - FTP Login Attempt
new: OpenCanary - GIT Clone Request
new: OpenCanary - HTTP GET Request
new: OpenCanary - HTTP POST Login Attempt
new: OpenCanary - HTTPPROXY Login Attempt
new: OpenCanary - MSSQL Login Attempt Via SQLAuth
new: OpenCanary - MSSQL Login Attempt Via Windows Authentication
new: OpenCanary - MySQL Login Attempt
new: OpenCanary - NTP Monlist Request
new: OpenCanary - REDIS Action Command Attempt
new: OpenCanary - SIP Request
new: OpenCanary - SMB File Open Request
new: OpenCanary - SNMP OID Request
new: OpenCanary - SSH Login Attempt
new: OpenCanary - SSH New Connection Attempt
new: OpenCanary - Telnet Login Attempt
new: OpenCanary - TFTP Request
new: OpenCanary - VNC Connection Attempt 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-03-08 16:24:19 +01:00
github-actions[bot] c3fe2da997 chore: promote older rules status from experimental to test (#4651)
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-01-01 09:00:51 +01:00
frack113 020fc8061f Merge PR #4479 From @frack113 - Upgrade Rules Status
chore: Upgrade status level from `experimental` to `test` for rules that have not changed in 300 days

---------

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-10-17 14:35:26 +02:00
Ryan Plas cda0fbff62 fix:F multiple 404 links in references (#4332) 2023-06-26 10:10:04 +01:00
Ryan Plas 563f5ce090 Fix Zero Networks Blog 404s 2023-06-22 17:16:46 -04:00
Tess 107629758d remove duplicate reference urls 2023-04-18 11:03:07 -04:00
Wagga cbc9a10eba Update java_xxe_exploitation_attempt.yml 2023-02-20 14:08:28 +01:00
Moti-H ff4242dadd feat: add new application vulnerability rules (#4034) 2023-02-15 12:29:53 +01:00
frack113 1033b3f404 change status to test 2023-01-27 06:48:34 +01:00
frack113 cb67871bd2 Revert "Change status of old rules" 2023-01-26 19:37:18 +01:00
frack113 5323fd4baa Change status of old rules 2023-01-25 18:41:18 +01:00
Nasreddine Bencherchali 15757c2b7d fix: remove tactic links 2023-01-10 19:20:31 +01:00
frack113 486ee8f435 Apply suggestions from code review
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-01-10 19:13:38 +01:00
frack113 4023bf2c83 Remove mitre url 2023-01-10 18:09:04 +01:00
frack113 f9e1419760 Order file 2023-01-10 06:24:48 +01:00
frack113 e1707c8f50 rewrite issue 1555 (#3818)
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-27 19:28:34 +01:00
frack113 7060db3d47 Promotion rules (#3821)
* Promotion rules

* fix missing null

* fix: modified date

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-27 12:29:10 +01:00
frack113 646351808e Refactor (#3794)
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-18 21:00:14 +01:00
Nasreddine Bencherchali 80ef3b70dc fix: broken single item lists 2022-12-08 16:23:58 +01:00
Florian Roth 18a44625fc Merge pull request #3702 from nasbench/nasbench-rule-devel
fix: fix issues and deprecate rule
2022-11-17 14:49:43 +01:00
Nasreddine Bencherchali ef91852c44 fix: update modified date 2022-11-17 10:15:58 +01:00
Nasreddine Bencherchali b03ccf6844 fix: fix #3699 2022-11-16 23:41:16 +01:00
Florian Roth eefa2da8b4 Merge pull request #3700 from jstnk9/master
Update rpc_firewall_eventlog_recon.yml
2022-11-16 08:55:49 +01:00
jstnk9 9ec8d40b42 Update rpc_firewall_eventlog_recon.yml
removed duplicated ref
2022-11-15 21:58:53 +01:00
frack113 7b55972146 Order yaml field 2022-10-25 06:48:55 +02:00
frack113 931fb30853 old experimental rule promotion 2022-10-09 16:54:04 +02:00
Nasreddine Bencherchali 62574e9b0c Update Ref+Selection 3 2022-07-11 18:12:51 +01:00
Nasreddine Bencherchali d03f6df250 Reference Update [Batch 1] 2022-07-07 15:24:15 +01:00
Florian Roth f728893364 refactor: rule level adjustments - critical to high 2022-06-18 17:43:22 +02:00
frack113 c79fd95f66 refactor condition 2022-06-03 15:39:41 +02:00
frack113 8de0027ca3 refactor condition 2022-06-03 15:35:24 +02:00
Florian Roth 2a11e5bafa refactor: rule addition 2022-05-12 18:10:06 +02:00
Florian Roth 1b9ce19b2c fix: several issues 2022-05-12 17:30:30 +02:00
Florian Roth 2cd5a93fb6 refactor: update antivirus rules 2022-05-12 17:19:46 +02:00
Florian Roth 0dfd802579 Merge pull request #2837 from SigmaHQ/log-source-cleanup
Log source cleanup
2022-03-24 21:26:46 +01:00
Florian Roth 213f7fff5c refactor: make antivirus a category 2022-03-24 11:59:33 +01:00
Tim Shelton 6ab396fd66 FP another variation of Symantec submitting file for analysis, reduced words to catch both 2022-03-22 21:43:33 +00:00
Florian Roth e3839ac282 removed: overlapping, unharmonised rule
already covered in 04f5363a-6bca-42ff-be70-0d28bf629ead
2022-03-22 09:58:29 +01:00
frack113 becf3baeb4 Merge pull request #2813 from phantinuss/master
Changes to falsepositives metadata
2022-03-17 14:31:27 +01:00
Tim Shelton c58f3d0351 Filtering of Symantec submission for analysis 2022-03-16 19:07:15 +00:00
phantinuss 043747822f fix: more falsepositives harmonization 2022-03-16 14:57:06 +01:00
phantinuss 4585133325 fix: remove penetration testing as a valid false positive 2022-03-16 13:51:26 +01:00
phantinuss b23eee6ebf fix: unknown --> Unknown 2022-03-16 13:43:54 +01:00
markus-nclose 4c2a3c3036 CobaltStrike typo
This typo keeps sneaking back in - critical for detection. 
Spelling correct according to https://www.nextron-systems.com/wp-content/uploads/2018/09/Antivirus_Event_Analysis_CheatSheet_1.5-2.pdf
2022-02-02 07:31:48 +02:00
frack113 43690233fb Merge pull request #2572 from zeronetworks/master
feat(rules): Adding rules for the rpc_firewall
2022-01-24 18:18:22 +01:00
sagiezero 83afc12875 fix(rules): changed "product" and "service" to suggested values. 2022-01-23 09:44:24 +02:00
frack113 eb22807ddc Order rules 2022-01-20 22:06:55 +01:00