security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
12,584 Commits 1 Branch 57 Tags
80098113d06750ddb9ab275d7df1049f88d4ea7c
Commit Graph

471 Commits

Author SHA1 Message Date
phantinuss 119cfe9558 fix: missing WinEventLog prefix for splunk/thor logsources 2022-08-23 11:50:15 +02:00
Florian Roth fbc7519b94 Merge pull request #3385 from nasbench/nasbench-rule-devel 
Update Sysmon Config
 2022-08-17 09:29:54 +02:00
frack113 4abd506a4c Merge pull request #3387 from redsand/backend_hawk_config_update_before_pysigma_migration 
Backend: hawk. last update to config until pySigma migration (hopefully)
 2022-08-16 22:13:29 +02:00
Tim Shelton 726406f64d Backend: hawk. last udpate to config until pySigma migration (hopefully) 2022-08-16 19:58:16 +00:00
Nasreddine Bencherchali f37fd2375b Update config 2022-08-16 20:18:46 +01:00
Nasreddine Bencherchali d5133bcdd7 Update Sysmon 2022-08-16 19:47:44 +01:00
Nasreddine Bencherchali 6407089a40 Change service to diagnosis scripted 2022-08-15 12:45:12 +01:00
Nasreddine Bencherchali d09037c9ad Add 2 New EventLog Sources 
- Microsoft-Windows-Shell-Core/Operational
- Microsoft-Windows-Diagnosis-Scripted/Operational
 2022-08-14 21:38:36 +01:00
Florian Roth 8041ab5130 Merge pull request #3325 from nasbench/nasbench-rule-devel 
Update+New Rules
 2022-08-05 23:42:09 +02:00
Nasreddine Bencherchali f2bec5c6af Update provider + rules 2022-08-04 21:58:07 +01:00
Nasreddine Bencherchali a073590c2f Add Security-Mitigations-User Mode log 2022-08-04 13:44:55 +01:00
Phrozyn b9e78e4656 mitre_update: updates resulting json to current state 2022-08-03 14:05:34 -05:00
Florian Roth 3f402e3007 Merge pull request #3304 from d4rk-d4nph3/master 
Added rule for Defender DLL sideloading
 2022-08-03 10:46:37 +02:00
Tim Shelton 5f0347d94d Backend: adjusting http_path to match, along with expanding event_channel, since channel key has collisions 2022-08-02 23:39:49 +00:00
Florian Roth 87a0c9e1b9 Merge branch 'master' into master 2022-08-02 18:10:24 +02:00
Florian Roth afa0d77025 refactor: adding new channel to all backends 2022-08-02 18:08:29 +02:00
Bhabesh 4bbc1bc119 Support for Security-Mitigations provider 2022-08-02 13:32:22 +05:45
Tim Shelton b39ec30d06 Backend: hawk update to support boolean comparison values and some column translation updates 2022-07-29 13:56:15 +00:00
markoverholser 381c26fd94 Fix issue with using source: on Zeek files log 
Line 407 was `source: id.orig_h` so that people could use the word `source` as an alias to `id.orig_h`, however there is a literal field with the name `source` in the `files.log` for Zeek, so having a Sigma query with something like `source: 'SMTP'` would yield `id.orig_h='SMTP'` in the resulting Splunk translation, which is incorrect. It should be `source='SMTP'`

Commenting out line 407 fixes this.
 2022-07-19 15:16:20 -05:00
akshay-chaturvedi 4625d8fb6c Merge branch 'SigmaHQ:master' into dnif-backend 2022-07-13 17:30:17 +05:30
Florian Roth 955b3dc66b fix: missing Defender eventlog in splunk config 2022-07-06 12:41:34 +02:00
akshay.chaturvedi b80448a0e7 added new backend for DNIF queries 2022-06-30 13:03:54 +05:30
frack113 227eefc985 Merge pull request #3128 from f-block/patch-2 
ProviderName seems to be wrong
 2022-06-14 20:58:11 +02:00
Frank Block e10a9f0257 Re-added powershell related "ProviderName" mapping 2022-06-14 20:48:36 +02:00
Frank Block 1e0a9fd8c1 Mapping name "Provider_Name" instead of "ProviderName" 
The mapping identifier `ProviderName` doesn't occur in any windows rule (except one: `powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml`).

Instead, the identifier `Provider_Name` is used.
 2022-06-14 18:17:35 +02:00
Frank Block 06234d831d ProviderName seems to be wrong 
`ProviderName: winlog.event_data.ProviderName` seems to be wrong (at least in our case). Actually, the mapping from the `winlogbeat-modules-enabled.yml` would be correct, but we definitely don't use the modules (the other mappings don't apply). Maybe the two got mixed up? Can't verify it for the modules config, but at least the `winlogbeat.yml` does seem to have this mapping wrong.
 2022-06-14 17:45:36 +02:00
Frank Block b6ecf5cffd Fixes typo for TargetServerName mapping 2022-06-14 17:40:33 +02:00
Tim Shelton 4d7d0b3235 backend - updating hawk backend with additional translations 2022-06-08 19:04:37 +00:00
Tim Shelton 6ca03d741b adding additional file hash column translation 2022-05-23 21:11:34 +00:00
Tim Shelton 605a0bc678 Backend: adding additional entries to hawk.yml 2022-05-23 18:46:50 +00:00
tr0mb1r ab7d7dbed8 Update sysmon.yml 
typo in config
 2022-05-20 13:47:18 +04:00
Tim Shelton 232fd9ad17 removing duplicate 2022-05-10 13:19:22 +00:00
Tim Shelton ad727e11e9 adding additional zeek categories to sort out false positive matching 2022-05-10 03:39:16 +00:00
Tim Shelton 278e825794 fixing hawk backend fields for zeek. wrong character 2022-05-10 01:45:17 +00:00
Tim Shelton 0709758651 Adding updates for zeek, as well as some missing sections for windows. internal review of rules will continue. 2022-05-09 23:23:35 +00:00
Tim Shelton ad003de3fb Fixing mismatch of sigs when using system/app/security and additional matching against provider name 2022-05-04 14:58:02 +00:00
tungnd27 9d7a7f7896 Add StreamAlert backend 2022-05-03 17:32:19 +07:00
Tim Shelton 102a45a215 adding support for terminal services-localsessionmanager 2022-04-29 14:29:05 +00:00
Florian Roth f695443c4c Merge pull request #2969 from SigmaHQ/new-source-terminalservices 
New source terminalservices
 2022-04-29 13:25:12 +02:00
Florian Roth 43f3a31d19 feat: new service definition - terminal services 2022-04-29 12:26:26 +02:00
Tim Shelton eb0bcd7c9f updating hawk field translation, and bug when an author field is not present in a sig 2022-04-28 19:54:00 +00:00
Tim Shelton 3f08d37a0e adding linux-auditd support and alignment 2022-04-20 14:31:32 +00:00
Tim Shelton 83ece8c9ca adding missing file_ entries 2022-04-13 15:57:54 +00:00
Tim Shelton bca687a1ad adding a couple more missing entries 2022-04-13 15:15:15 +00:00
Tim Shelton 500c97020f Backend: updating hawk backend config, still pending file_rename and other file_ categories 2022-04-13 14:38:18 +00:00
DustInDark 1a7e03c96b changed windows-bits-client Channel 
windows-bits-client tag converted `WinEventlog:Microsoft-Windows-Bits-Client/Operational` but other channel is not add `WinEventLog:`.

Removed "WinEventlog" to unify with other channel conversions.

ex: https://answers.microsoft.com/en-us/windows/forum/all/unknown-events-in-windowsbits-clientoperational/c0856f82-44a2-4998-9a3b-9d6eda328136
 2022-04-10 21:18:53 +09:00
Tim Shelton 0a9d8fd614 Fixing missed entry for registry_set 2022-03-30 15:56:31 +00:00
phantinuss 7f030b250e fix: wrong mapping of Windows Audit Log EventID 4688 
reverts some changes introduced by commit c5fa73c328
    - removes the unnecessary/wrong field mapping
    - fixes the rules to apply to CommandLine instead of
      ParentCommandLine as the author probably intended
 2022-03-30 11:24:24 +02:00
frack113 f1b8bc9479 Registry_add 2022-03-26 11:56:39 +01:00
frack113 fbc9e8c2df Update new registry category 2022-03-26 11:46:52 +01:00