security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,958 Commits 1 Branch 57 Tags
5e5576a91bdc1930440175e1908b31bedf2ee093
Commit Graph

446 Commits

Author SHA1 Message Date
Florian Roth d3ee1aba66 docs: MITRE ATT&CK(R) trademark references removed or adjusted 
https://github.com/Neo23x0/sigma/issues/1028
 2020-09-30 08:53:52 +02:00
Thomas Patzke 378d9c94cf Merge branch 'master' of https://github.com/socprime/sigma into pr-981 2020-09-15 12:14:49 +02:00
snake-jump 5119f887c8 add Regular expression support 
Add Regular expression support for netwitness-epl backend
 2020-09-14 22:04:47 +02:00
snake-jump 531557465c delete raise exception in case of sigma key is keyword(s) 2020-09-14 16:00:03 +02:00
snake-jump 09f25cf992 delete sqlparse module usage 2020-09-10 19:05:55 +02:00
snake-jump e74846b767 modify comment 2020-09-10 18:09:15 +02:00
snake-jump 64035fd799 initial commit for Netwitness-EPL backend 2020-09-10 17:12:12 +02:00
vh a2fec9f3b9 Fix sysmon backend 2020-08-28 12:26:40 +03:00
Nate Guagenti f21b3c50c6 control whether to use an analyzed field or different type if a query/value contains a wildcard. 
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
 2020-08-25 13:13:18 -04:00
Nate Guagenti a7ffb96b6b elasticsearch regex escape of '.' for case insensitivity backend options 
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
 2020-08-25 13:10:25 -04:00
Nate Guagenti 76910eaee4 fix sub field name usage if there are 3 or more fields.. 
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
 2020-08-25 12:56:57 -04:00
Nate Guagenti 0d713e4544 control whether to use an analyzed field or different type if a query/value contains a wildcard. 
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
 2020-08-25 12:56:33 -04:00
tung12 1921e9dd89 Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00
SOC Prime d3ba1e4fb8 Add sysmon backend 2020-08-18 11:20:22 +03:00
Thomas Patzke 01125ffd3b Fixed: Elastalert backend handling of conditional field mappings 2020-08-11 23:29:18 +02:00
bar 8352eefe22 STIX Support keywords (value without field) 2020-07-28 18:52:02 +03:00
bar 32cf352236 Merge remote-tracking branch 'upstream/master' 2020-07-26 14:56:06 +03:00
Thomas Patzke dcb07bab2f Merge pull request #949 from 0xballistics/powershell_backend_fix 
partial(?) fix of #762
 2020-07-25 10:18:05 +02:00
Simran Soin c329f6412d Fix bug with NOT handling 2020-07-23 11:47:55 -04:00
Simran Soin 6c7b4cf408 Revert additional change in base.py 2020-07-23 10:47:22 -04:00
Simran Soin ef9af3730a Remove unnecessary edits from qradar.py 2020-07-23 10:34:29 -04:00
Simran Soin 0e49a6acdf Default NOT to false for all functions 2020-07-23 10:18:16 -04:00
Simran Soin 0fac21f4a3 Remove modifications from base file and override in stix.py 2020-07-23 10:13:30 -04:00
Simran Soin 30ff22776a Fix NOT bug 2020-07-23 09:41:33 -04:00
David Straßegger 875360f373 fixed wrong function call for elastalert aggregation. fixes #940 2020-07-20 14:32:30 +02:00
Aidan Bracher e0476d5ce6 Merge branch 'master' of git://github.com/Neo23x0/sigma 2020-07-15 16:35:29 +01:00
Aidan Bracher 1e5ee5823c Fix for indentation issue 
Wrong indentation of line 182 meant that even where config options
were given, the default per backend was being used, rendering
custom config useless.
 2020-07-15 16:29:27 +01:00
bar 50ef79b398 Custom STIX object "x-sigma" for fields that missing mapping, so the pattern is STIX valid 2020-07-08 14:09:26 +03:00
Thomas Patzke 9bcff522b6 Merge branch 'master' of https://github.com/rashimo/sigma into pr-709 2020-07-07 23:12:03 +02:00
bar acbab2db4b stix backend + mapping configurations for windows logs and qradar 2020-07-07 15:04:16 +03:00
Thomas Patzke 57cb255208 Merge pull request #864 from cclauss/patch-3 
Fix undefined names in sigma2misp.py
 2020-07-05 23:16:22 +02:00
Chris Brake 6ed1ea6509 Updating the mdatp backend file as it is currently impossible to set an ActionType as there is no mapping to EventType 2020-06-30 14:49:29 +01:00
Christian Clauss 9dc3940c07 Fix undefined names in sigma2misp.py 
create_new_event() -> create_new_event(args, misp) to fix:

flake8 testing of https://github.com/Neo23x0/sigma on Python 3.8.3

% _flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics_
```
./tools/sigma/sigma2misp.py:11:16: F821 undefined name 'misp'
    if hasattr(misp, "new_event"):
               ^
./tools/sigma/sigma2misp.py:12:16: F821 undefined name 'misp'
        return misp.new_event(info=args.info)["Event"]["id"]
               ^
./tools/sigma/sigma2misp.py:12:36: F821 undefined name 'args'
        return misp.new_event(info=args.info)["Event"]["id"]
                                   ^
./tools/sigma/sigma2misp.py:14:13: F821 undefined name 'misp'
    event = misp.MISPEvent()
            ^
./tools/sigma/sigma2misp.py:15:18: F821 undefined name 'args'
    event.info = args.info
                 ^
./tools/sigma/sigma2misp.py:16:12: F821 undefined name 'misp'
    return misp.add_event(event)["Event"]["id"]
           ^
6     F821 undefined name 'misp'
6
```
 2020-06-28 07:02:41 +02:00
Thomas Patzke 0ee47e118c Merge branch 'pr-848' 2020-06-28 01:04:30 +02:00
Thomas Patzke 89ed9f3763 Merge pull request #819 from cclauss/patch-2 
Undefined name: from .exceptions import SigmaCollectionParseError
 2020-06-28 00:37:09 +02:00
Thomas Patzke 09378b5ebf Fixed unsupported attempt to index a set 2020-06-28 00:27:33 +02:00
Thomas Patzke 415f826ece Merge branch 'default-pop' of https://github.com/rtkbkish/sigma into rtkbkish-default-pop 2020-06-28 00:09:39 +02:00
Thomas Patzke b1e4f44c21 Merge pull request #823 from Kuermel/master 
Add more Options for XPackWatcherBackend (Elasticsearch)
 2020-06-28 00:03:04 +02:00
Thomas Patzke de5e453e19 Merge pull request #831 from 404d/cbr-backend-tweaks 
Add parentheses around field list groups in CB
 2020-06-27 23:39:57 +02:00
Florian Roth 825bda397d desc: better descriptions in help for backends and configurations 2020-06-25 13:21:43 +02:00
Brad Kish 203aa192c7 Fix multiple references to default field mapping in same rule 
If there is a default mapping specified for a fieldmapping and that field is
referenced multiple times in the rule, the default mapping will be "pop"ped
and return the unmapped key on subsequent uses.

Don't pop the value. Just return the first entry.
 2020-06-18 13:01:31 -04:00
Thomas Patzke f907c49ab5 Improved test coverage 
* Added test case
* Removed unused code
 2020-06-13 01:11:08 +02:00
Simen Lybekk bbcbed4742 Add parentheses about field list groups in CB 
This should address the grouping issue from #660.
The grouping issue was solved by just slamming some parentheses around the fields in the listExpression field.
 2020-06-11 15:33:02 +02:00
Thomas Patzke 915ea1cc67 Merge branch 'script_entry_points' into master 2020-06-10 00:51:47 +02:00
Thomas G 8c61dc9248 Add more Options for XPackWatcherBackend (Elasticsearch) 
Add action_throttle_period, mail_from adn mail_profile to the XPackWatcherBackend (Elasticsearch)
 2020-06-09 20:57:26 +02:00
Christian Clauss dff7efc173 Update collection.py 2020-06-08 13:55:52 +02:00
Christian Clauss 55c0a03564 Undefined name: from .exceptions import SigmaCollectionParseError 
Discovered in #378.  `SigmaCollectionParseError()` is called on line 55 but it is never defined or imported which means that NameError will be raised instead of SigmaCollectionParseError.
 2020-06-08 13:55:16 +02:00
Thomas Patzke 36a7077648 Moved tool executables to new location 2020-06-07 01:14:04 +02:00
Thomas Patzke a7d18c7ed9 Converted sigma2attack and added to entry points 2020-06-07 01:03:09 +02:00
Thomas Patzke 7d70cd95a4 Deduplicated backend list 2020-06-06 01:03:02 +02:00