security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4,063 Commits 1 Branch 57 Tags
82fbfed2c2319acd4eefa9dba5d2694de546172a
Commit Graph

159 Commits

Author SHA1 Message Date
vunx2 1025930e04 merge 2020-03-19 11:05:52 +07:00
vunx2 c627f6b381 merge 2020-03-19 11:02:10 +07:00
vunx2 e228d42b97 clean IP subnet 2020-03-18 16:49:44 +07:00
neu5ron 58ac26e531 more ECS to sigmac taxonomy for web/proxy 2020-03-14 14:57:38 -04:00
vunx2 58f5fa1b8e change to github 2020-02-28 16:56:48 +07:00
vunx2 139600009b conflict 2020-02-28 16:50:30 +07:00
Thomas Patzke 5b42135935 Added es-rule backend to all ES configurations 2020-02-24 23:20:48 +01:00
vh 5dc30bd388 Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00
Thomas Patzke 776b58b594 Improved Splunk Zeek configuration 2020-02-21 22:31:14 +01:00
Thomas Patzke 48d95f027c Merge branch 'oscd' 2020-02-20 23:11:57 +01:00
james dickenson 1347e5060f logsource config for zeek events in splunk 2020-02-12 21:24:03 -08:00
vunx2 627f46abc2 backslash fix 2020-02-06 16:28:27 +07:00
vunx2 19d9e4856e clean Value + config 2020-02-05 17:47:35 +07:00
Thomas Patzke d7bd90cb24 Merge branch 'master' into oscd 2020-02-03 23:13:16 +01:00
vunx2 2930df17d6 update sigma 2020-02-03 09:47:06 +07:00
neu5ron d8b703462d fix name of network_initiated 2020-01-13 00:12:04 -05:00
Thomas Patzke 8d6a507ec4 OSCD QA wave 1 
* Checked all rules against Mordor and EVTX samples datasets
* Added field names
* Some severity adjustments
* Fixes
 2020-01-11 00:11:27 +01:00
Thomas Patzke b701e9be50 Added ECS proxy configuration 2019-12-09 16:34:07 +01:00
Thomas Patzke 991108e64d Further proxy field name fixes (config + rules) 2019-12-07 00:23:30 +01:00
Lep 60997b47b2 moreEventID 2019-11-28 21:34:52 +07:00
Florian Roth e2628d6df6 fix: wrong mapping on thor.cfg 2019-11-11 09:20:20 +01:00
Florian Roth a0beda240c fix: fixed wrong field mapping in windows-audit source config 2019-11-09 22:42:00 +01:00
Maxime Lamothe-Brassard 2873e1ded3 Small refactors to make more readable and remove deprecated code paths to increase coverage. 2019-10-28 10:49:05 -05:00
Maxime Lamothe-Brassard 823d86c7d9 Remove unimplemented config entries and fix bug with valueNode. 2019-10-26 15:54:08 -05:00
Maxime Lamothe-Brassard bba43c7a86 First draft of support for LimaCharlie D&R rules. 2019-10-26 15:45:48 -05:00
gsanm 150afd816d IP Clean 2019-10-22 17:49:50 +07:00
lep 1c5816b214 update carbonblack module 2019-10-18 17:51:31 +07:00
lep 7219e0b0f1 module carbonblack 2019-10-18 14:04:38 +07:00
neu5ron a729cc7905 create winlogbeat config/taxonomy specific to elastic enabled winlogbeat modules such as the one for sysmon](https://github.com/elastic/beats/blob/master/x-pack/winlogbeat/module/security/config/winlogbeat-security.js) sigmac conversion 2019-10-01 10:16:42 -04:00
neu5ron f7fd936433 update HELK config taxonomy/mapping for sigmac conversion 2019-10-01 10:14:54 -04:00
ecco 4c5eab88b6 add GroupSid to other configs 2019-09-11 04:53:30 -04:00
ecco 5ae46ac56d rule: user added to local administrator: handle non english systems by using group sid instead of name 2019-09-06 06:21:42 -04:00
Thomas Patzke de5e2045f0 Merge pull request #428 from stevengoossensB/master 
AQL field selection from signatures
 2019-09-05 10:28:02 +02:00
Thomas Patzke 37e179b6a7 Merge pull request #390 from juju4/devel-sumo2 
sumologic backend: fix index and full mapping coverage
 2019-09-05 10:27:19 +02:00
Steven Goossens cb088e4911 Remove quotes from around the fields to make the query semantically correct 2019-08-26 12:43:26 +00:00
Steven Goossens ad19f05e2c Include mapped names rather then signature names 2019-08-26 12:06:20 +00:00
svent 826c1e3942 Fix QRadar backend config 2019-08-12 23:47:43 +02:00
Thomas Patzke b9ff280209 Cleanup of configuration names 2019-07-14 00:50:15 +02:00
juju4 10290beb54 config/sumologic: more index mappings 2019-07-06 12:42:12 -04:00
juju4 7b0cace217 config/sumologic: more index mappings 2019-07-06 12:42:05 -04:00
Thomas Patzke 161965d14c Added version information to Winlogbeat configs 2019-06-30 22:44:12 +02:00
herrBez 74021d53d8 Modified winlogbeat config to adhere to winlogbeat 7 field names breaking changes 
ref: https://www.elastic.co/guide/en/beats/libbeat/current/breaking-changes-7.0.html
 2019-06-30 12:13:21 +02:00
Thomas Patzke f4da0c5540 Added field SecurityID to Winlogbeat config 2019-06-19 23:35:50 +02:00
David Vassallo fdce7ad9bf Addition of KeyLength field 2019-06-14 17:58:47 +03:00
Thomas Patzke 5715413da9 Usage of Channel field name in ELK Windows config 2019-06-11 13:15:43 +02:00
Florian GAULTIER 6bf010fb4b introduce elastalert-dsl 
(cherry picked from commit 0235ec23200e62766d9f21fbd26ed834991a0b61)
 2019-05-27 17:18:19 +02:00
Thomas Patzke 11ed7e7ef8 Check for valid configuration/backend combinations 2019-05-20 01:00:33 +02:00
Thomas Patzke 36aeb19721 Added title to all configurations 2019-05-16 23:33:51 +02:00
Codehardt 8cf505fcb3 Accidentally removed windows-dhcp logsource in spark's config file 2019-04-25 08:23:48 +02:00
Codehardt 79f7edb6b4 Added logsources for generic sigma rules to spark config, renamed spark config to thor config 2019-04-25 08:15:50 +02:00