Commit Graph

1461 Commits

Author SHA1 Message Date
phantinuss 119cfe9558 fix: missing WinEventLog prefix for splunk/thor logsources 2022-08-23 11:50:15 +02:00
Wagga 03a6a5b48b Update Sqlite backend to handle null values 2022-08-20 12:23:00 +02:00
Florian Roth fbc7519b94 Merge pull request #3385 from nasbench/nasbench-rule-devel
Update Sysmon Config
2022-08-17 09:29:54 +02:00
frack113 4abd506a4c Merge pull request #3387 from redsand/backend_hawk_config_update_before_pysigma_migration
Backend: hawk. last update to config until pySigma migration (hopefully)
2022-08-16 22:13:29 +02:00
Tim Shelton 726406f64d Backend: hawk. last update to config until pySigma migration (hopefully) 2022-08-16 19:58:16 +00:00
Nasreddine Bencherchali f37fd2375b Update config 2022-08-16 20:18:46 +01:00
Nasreddine Bencherchali d5133bcdd7 Update Sysmon 2022-08-16 19:47:44 +01:00
Nasreddine Bencherchali 6407089a40 Change service to diagnosis scripted 2022-08-15 12:45:12 +01:00
Nasreddine Bencherchali d09037c9ad Add 2 New EventLog Sources
- Microsoft-Windows-Shell-Core/Operational
- Microsoft-Windows-Diagnosis-Scripted/Operational
2022-08-14 21:38:36 +01:00
Wagga ac203f99b5 Restore ruamel in sigmac to allow output in YAML
This commit definitely fixes the #3337 issue. The commit #3349 restored the commented lines, but the ruamel import was not in it.
2022-08-10 11:42:27 +02:00
frack113 b13c37ad75 Fix issue 3337 2022-08-10 07:42:50 +02:00
Florian Roth 8041ab5130 Merge pull request #3325 from nasbench/nasbench-rule-devel
Update+New Rules
2022-08-05 23:42:09 +02:00
Nasreddine Bencherchali f2bec5c6af Update provider + rules 2022-08-04 21:58:07 +01:00
Nasreddine Bencherchali a073590c2f Add Security-Mitigations-User Mode log 2022-08-04 13:44:55 +01:00
Phrozyn b9e78e4656 mitre_update: updates resulting json to current state 2022-08-03 14:05:34 -05:00
Florian Roth 3f402e3007 Merge pull request #3304 from d4rk-d4nph3/master
Added rule for Defender DLL sideloading
2022-08-03 10:46:37 +02:00
frack113 41bbb39f99 Merge pull request #3317 from redsand/backend_hawk_http_path_resolve
Backend: adjusting http_path to match, along with expanding event_cha…
2022-08-03 06:30:25 +02:00
Tim Shelton 5f0347d94d Backend: adjusting http_path to match, along with expanding event_channel, since channel key has collisions 2022-08-02 23:39:49 +00:00
Florian Roth 87a0c9e1b9 Merge branch 'master' into master 2022-08-02 18:10:24 +02:00
Florian Roth afa0d77025 refactor: adding new channel to all backends 2022-08-02 18:08:29 +02:00
Bhabesh 4bbc1bc119 Support for Security-Mitigations provider 2022-08-02 13:32:22 +05:45
Rachel Rice d47f32cb0f chore: Remove DEFAULT_EVAL_FREQUENCY global
Signed-off-by: Rachel Rice <rachel.rice@lacework.net>
2022-08-01 16:26:58 +01:00
Rachel Rice 197953e816 chore: Remove evalFrequency from Lacework backend
evalFrequency has been deprecated; it is no longer required for policies.

Signed-off-by: Rachel Rice <rachel.rice@lacework.net>
2022-08-01 16:12:13 +01:00
Tim Shelton b39ec30d06 Backend: hawk update to support boolean comparison values and some column translation updates 2022-07-29 13:56:15 +00:00
markoverholser 381c26fd94 Fix issue with using source: on Zeek files log
Line 407 was `source: id.orig_h` so that people could use the word `source` as an alias to `id.orig_h`; however, there is a literal field with the name `source` in the `files.log` for Zeek, so having a Sigma query with something like `source: 'SMTP'` would yield `id.orig_h='SMTP'` in the resulting Splunk translation, which is incorrect. It should be `source='SMTP'`.

Commenting out line 407 fixes this.
2022-07-19 15:16:20 -05:00
akshay-chaturvedi 4625d8fb6c Merge branch 'SigmaHQ:master' into dnif-backend 2022-07-13 17:30:17 +05:30
Florian Roth d15f3d738b Merge pull request #3207 from SigmaHQ/rule-devel
fix: missing Windows Defender source, rule: Proxy UA Base64
2022-07-08 11:14:00 +02:00
Nasreddine Bencherchali d03f6df250 Reference Update [Batch 1] 2022-07-07 15:24:15 +01:00
Florian Roth 955b3dc66b fix: missing Defender eventlog in splunk config 2022-07-06 12:41:34 +02:00
akshay.chaturvedi 8ff679a42d update test and readme 2022-06-30 18:41:56 +05:30
akshay.chaturvedi b80448a0e7 added new backend for DNIF queries 2022-06-30 13:03:54 +05:30
Alexander McDonald 1249675bcd Adding a mapping check to escape slashes in KQL 2022-06-18 09:02:21 -04:00
ChiYang Tsai 32b4a836b8 using deepcopy to clone previous rule 2022-06-16 12:19:14 +08:00
frack113 227eefc985 Merge pull request #3128 from f-block/patch-2
ProviderName seems to be wrong
2022-06-14 20:58:11 +02:00
Frank Block e10a9f0257 Re-added powershell related "ProviderName" mapping 2022-06-14 20:48:36 +02:00
Frank Block 1e0a9fd8c1 Mapping name "Provider_Name" instead of "ProviderName"
The mapping identifier `ProviderName` doesn't occur in any windows rule (except one: `powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml`).

Instead, the identifier `Provider_Name` is used.
2022-06-14 18:17:35 +02:00
Frank Block 06234d831d ProviderName seems to be wrong
`ProviderName: winlog.event_data.ProviderName` seems to be wrong (at least in our case). Actually, the mapping from the `winlogbeat-modules-enabled.yml` would be correct, but we definitely don't use the modules (the other mappings don't apply). Maybe the two got mixed up? Can't verify it for the modules config, but at least the `winlogbeat.yml` does seem to have this mapping wrong.
2022-06-14 17:45:36 +02:00
Frank Block b6ecf5cffd Fixes typo for TargetServerName mapping 2022-06-14 17:40:33 +02:00
frack113 6bd09ec054 Merge pull request #3114 from hazedav/self-join-filter
feat(backend): support for parent process filters
2022-06-09 08:16:13 +02:00
David Hazekamp c1b5551486 feat(backend): bump lacework config version 2022-06-08 23:41:54 -05:00
David Hazekamp fea9602210 feat(backend): support for parent process filters 2022-06-08 23:39:32 -05:00
Tim Shelton 4d7d0b3235 backend - updating hawk backend with additional translations 2022-06-08 19:04:37 +00:00
David Hazekamp 323298ba91 fix(backend): use subexp when OR list items 2022-06-03 14:54:35 -05:00
Maxime Lamothe-Brassard 3fdaf8b9f1 Support alternate case for OriginalFileName. 2022-05-27 11:01:22 -07:00
Florian Roth 662c13a720 Merge pull request #3035 from redsand/hawk_backend_cfg_update
Backend: adding additional entries to hawk.yml
2022-05-24 12:33:11 +02:00
Tim Shelton b339901806 Backend: because hawk splits up SYSTEM and NT AUTHORITY, additional treatment is needed on some rules 2022-05-23 23:52:52 +00:00
Tim Shelton 6ca03d741b adding additional file hash column translation 2022-05-23 21:11:34 +00:00
Tim Shelton 605a0bc678 Backend: adding additional entries to hawk.yml 2022-05-23 18:46:50 +00:00
tr0mb1r ab7d7dbed8 Update sysmon.yml
typo in config
2022-05-20 13:47:18 +04:00
Thomas Patzke 01ffec65fe Merge pull request #2994 from ablescia/feat-hedera_backend
Hedera Backend - C# dynamic LINQ
2022-05-18 23:23:51 +02:00