security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
12,069 Commits 1 Branch 57 Tags
751fbd7a2e4f8375d6ec517ceeb4e08f62016e31
Commit Graph

1447 Commits

Author SHA1 Message Date
Nasreddine Bencherchali a073590c2f Add Security-Mitigations-User Mode log 2022-08-04 13:44:55 +01:00
Florian Roth 3f402e3007 Merge pull request #3304 from d4rk-d4nph3/master 
Added rule for Defender DLL sideloading
 2022-08-03 10:46:37 +02:00
frack113 41bbb39f99 Merge pull request #3317 from redsand/backend_hawk_http_path_resolve 
Backend: adjusting http_path to match, along with expanding event_cha…
 2022-08-03 06:30:25 +02:00
Tim Shelton 5f0347d94d Backend: adjusting http_path to match, along with expanding event_channel, since channel key has collisions 2022-08-02 23:39:49 +00:00
Florian Roth 87a0c9e1b9 Merge branch 'master' into master 2022-08-02 18:10:24 +02:00
Florian Roth afa0d77025 refactor: adding new channel to all backends 2022-08-02 18:08:29 +02:00
Bhabesh 4bbc1bc119 Support for Security-Mitigations provider 2022-08-02 13:32:22 +05:45
Rachel Rice d47f32cb0f chore: Remove DEFAULT_EVAL_FREQUENCY global 
Signed-off-by: Rachel Rice <rachel.rice@lacework.net>
 2022-08-01 16:26:58 +01:00
Rachel Rice 197953e816 chore: Remove evalFrequency from Lacework backend 
evalFrequency has been deprecated; it is no longer required for policies.

Signed-off-by: Rachel Rice <rachel.rice@lacework.net>
 2022-08-01 16:12:13 +01:00
Tim Shelton b39ec30d06 Backend: hawk update to support boolean comparison values and some column translation updates 2022-07-29 13:56:15 +00:00
markoverholser 381c26fd94 Fix issue with using source: on Zeek files log 
Line 407 was `source: id.orig_h` so that people could use the word `source` as an alias to `id.orig_h`, however there is a literal field with the name `source` in the `files.log` for Zeek, so having a Sigma query with something like `source: 'SMTP'` would yield `id.orig_h='SMTP'` in the resulting Splunk translation, which is incorrect. It should be `source='SMTP'`

Commenting out line 407 fixes this.
 2022-07-19 15:16:20 -05:00
akshay-chaturvedi 4625d8fb6c Merge branch 'SigmaHQ:master' into dnif-backend 2022-07-13 17:30:17 +05:30
Florian Roth d15f3d738b Merge pull request #3207 from SigmaHQ/rule-devel 
fix: missing Windows Defender source, rule: Proxy UA Base64
 2022-07-08 11:14:00 +02:00
Nasreddine Bencherchali d03f6df250 Reference Update [Batch 1] 2022-07-07 15:24:15 +01:00
Florian Roth 955b3dc66b fix: missing Defender eventlog in splunk config 2022-07-06 12:41:34 +02:00
akshay.chaturvedi 8ff679a42d update test and readme 2022-06-30 18:41:56 +05:30
akshay.chaturvedi b80448a0e7 added new backend for DNIF queries 2022-06-30 13:03:54 +05:30
Alexander McDonald 1249675bcd Adding a mapping check to escape slashes in KQL 2022-06-18 09:02:21 -04:00
ChiYang Tsai 32b4a836b8 using deepcopy to clone previous rule 2022-06-16 12:19:14 +08:00
frack113 227eefc985 Merge pull request #3128 from f-block/patch-2 
ProviderName seems to be wrong
 2022-06-14 20:58:11 +02:00
Frank Block e10a9f0257 Re-added powershell related "ProviderName" mapping 2022-06-14 20:48:36 +02:00
Frank Block 1e0a9fd8c1 Mapping name "Provider_Name" instead of "ProviderName" 
The mapping identifier `ProviderName` doesn't occur in any windows rule (except one: `powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml`).

Instead, the identifier `Provider_Name` is used.
 2022-06-14 18:17:35 +02:00
Frank Block 06234d831d ProviderName seems to be wrong 
`ProviderName: winlog.event_data.ProviderName` seems to be wrong (at least in our case). Actually, the mapping from the `winlogbeat-modules-enabled.yml` would be correct, but we definitely don't use the modules (the other mappings don't apply). Maybe the two got mixed up? Can't verify it for the modules config, but at least the `winlogbeat.yml` does seem to have this mapping wrong.
 2022-06-14 17:45:36 +02:00
Frank Block b6ecf5cffd Fixes typo for TargetServerName mapping 2022-06-14 17:40:33 +02:00
frack113 6bd09ec054 Merge pull request #3114 from hazedav/self-join-filter 
feat(backend): support for parent process filters
 2022-06-09 08:16:13 +02:00
David Hazekamp c1b5551486 feat(backend): bump lacework config version 2022-06-08 23:41:54 -05:00
David Hazekamp fea9602210 feat(backend): support for parent process filters 2022-06-08 23:39:32 -05:00
Tim Shelton 4d7d0b3235 backend - updating hawk backend with additional translations 2022-06-08 19:04:37 +00:00
David Hazekamp 323298ba91 fix(backend): use subexp when OR list items 2022-06-03 14:54:35 -05:00
Maxime Lamothe-Brassard 3fdaf8b9f1 Support alternate case for OriginalFileName. 2022-05-27 11:01:22 -07:00
Florian Roth 662c13a720 Merge pull request #3035 from redsand/hawk_backend_cfg_update 
Backend: adding additional entries to hawk.yml
 2022-05-24 12:33:11 +02:00
Tim Shelton b339901806 Backend: because hawk splits up SYSTEM and NT AUTHORITY, additional treatment is needed on some rules 2022-05-23 23:52:52 +00:00
Tim Shelton 6ca03d741b adding additional file hash column translation 2022-05-23 21:11:34 +00:00
Tim Shelton 605a0bc678 Backend: adding additional entries to hawk.yml 2022-05-23 18:46:50 +00:00
tr0mb1r ab7d7dbed8 Update sysmon.yml 
typo in config
 2022-05-20 13:47:18 +04:00
Thomas Patzke 01ffec65fe Merge pull request #2994 from ablescia/feat-hedera_backend 
Hedera Backend - C# dynamic LINQ
 2022-05-18 23:23:51 +02:00
Tim Shelton 232fd9ad17 removing duplicate 2022-05-10 13:19:22 +00:00
Tim Shelton ad727e11e9 adding additional zeek categories to sort out false positive matching 2022-05-10 03:39:16 +00:00
Tim Shelton c64197233d fixing error in translation 2022-05-10 02:19:23 +00:00
Tim Shelton 50a4a02364 adding additional field with ip_src as initial cardinal 2022-05-10 01:51:37 +00:00
Tim Shelton 8674e26218 adding cardinality of each group by to include source address. otherwise lookups will only be using "command" for example 2022-05-10 01:50:46 +00:00
Tim Shelton 278e825794 fixing hawk backend fields for zeek. wrong character 2022-05-10 01:45:17 +00:00
Tim Shelton 0709758651 Adding updates for zeek, as well as some missing sections for windows. internal review of rules will continue. 2022-05-09 23:23:35 +00:00
Tim Shelton 6aa0064c28 adding support for splitting out domain and user for nt authority, since its split in the application into 2 fields, only works for system currently. not aware of other examples 2022-05-09 23:23:07 +00:00
Antonio Blescia feca339bfc created hedera backend file 2022-05-08 15:59:14 +02:00
Tim Shelton bd51eb4c72 adding additional filter for string 2022-05-04 15:27:23 +00:00
Tim Shelton ad003de3fb Fixing mismatch of sigs when using system/app/security and additional matching against provider name 2022-05-04 14:58:02 +00:00
tungnd27 9d7a7f7896 Add StreamAlert backend 2022-05-03 17:32:19 +07:00
Tim Shelton 102a45a215 adding support for terminal services-localsessionmanager 2022-04-29 14:29:05 +00:00
Florian Roth f695443c4c Merge pull request #2969 from SigmaHQ/new-source-terminalservices 
New source terminalservices
 2022-04-29 13:25:12 +02:00