Commit Graph

790 Commits

Author SHA1 Message Date
Thomas Patzke 4a9849b161 sigmac: improved backend options
* parsing in main class
* help
2018-03-21 00:53:44 +01:00
Thomas Patzke bd20ffdad9 sigmac/kibana: curl URL quoted 2018-03-21 00:22:00 +01:00
Thomas Patzke 3f5f3a8d50 sigmac: Remove problematic characters from rule identifiers 2018-03-17 00:44:50 +01:00
Thomas Patzke f6858c436a sigmac: Kibana curl output generates one index pattern line per pattern 2018-03-16 23:53:12 +01:00
Thomas Patzke 578118315c Merge branch 'devel-sigmac' into helk 2018-03-16 23:48:13 +01:00
Thomas Patzke e162ba0155 Added HELK configuration 2018-03-16 23:42:31 +01:00
Thomas Patzke 13ec4c3e3b sigmac: Kibana curl importer script 2018-03-11 00:25:12 +01:00
Thomas Patzke 54d9e52527 Sigma tools release 0.3 2018-03-06 23:21:13 +01:00
Thomas Patzke 3b8b04fe09 Merge branch 'devel-sigmac' 2018-03-06 23:19:45 +01:00
Thomas Patzke 7141729ffc sigma/parser: Introduced new conditions
* Any definition: 1 of them
* All definitions: all of them
* Any of selected definitions: 1 of def* (wildcard)
* All of selected definitions: all of def* (wildcard)
2018-03-06 23:13:42 +01:00
Thomas Patzke 5a97befea0 Sigma tools release 0.2 2018-03-04 23:03:19 +01:00
Thomas Patzke 647fc6187a sigmac: Added proper 'Content-Type' header for xpack-watcher backend 2018-03-04 22:58:15 +01:00
Thomas Patzke 89aa300bbc Improved xpack-watcher actions
* Log and mail
* Details in message
2018-02-09 00:03:41 +01:00
Thomas Patzke 8336929d76 XPack Watcher Backend: Improved aggregation capabilities
* Aggregation with "...count(field)...", "...by field..." and
  combination of both
* Still only count() supported
2018-02-08 22:17:35 +01:00
Thomas Patzke 4762a1cc30 Removed abandoned SigmaAggregationParser.trans_timeframe() method 2018-02-05 23:30:00 +01:00
Thomas Patzke ec3f0f6d60 Fixed before/after logic
If nothing was generated "None" was printed.
2018-02-01 22:49:02 +01:00
Thomas Patzke 76bdcba71f Added rulecomment option to all single-query output backends
Prints comment with rule before output.
2018-01-27 23:48:10 +01:00
Thomas Patzke 7708a538f4 New PyPI release 2017-12-14 22:40:31 +01:00
Thomas Patzke fc2dd90aaf Skipping dotfiles 2017-12-14 22:39:51 +01:00
Thomas Patzke 497496fdf1 New release 2017-12-13 00:28:50 +01:00
Thomas Patzke f3d19f394e Fixed encoding issues
Some OS environments don't use UTF-8 as default encoding. Enforced it
for output files and stdout.
2017-12-13 00:12:56 +01:00
Thomas Patzke 19cc299c57 Added PyPI README 2017-12-09 22:13:25 +01:00
Thomas Patzke fd7b7bb438 Fixed build
Reference to main README
2017-12-09 08:57:51 +01:00
Thomas Patzke da9127276c PyPI release documentation 2017-12-09 00:23:34 +01:00
Thomas Patzke d6526387d3 Renamed PyPI package 2017-12-09 00:15:34 +01:00
Thomas Patzke d82a78fa3d Finalizing PyPI release
* Removed .py suffix from command line tools
* sigmac tells when it does nothing and prints usage notice
* Makefile upload target
* minor changes
2017-12-08 23:50:08 +01:00
Thomas Patzke 09d40ab2da Finished packaging and refactoring 2017-12-08 22:32:39 +01:00
Thomas Patzke 68d8afe4e6 Intermediate refactoring commit: moving code into package
Further splitting sigma.py into smaller parts.
2017-12-08 21:45:05 +01:00
Thomas Patzke 11f52b981b Merge branch 'lgpl' into packaging 2017-12-08 17:15:23 +01:00
Thomas Patzke 764e064f8c First (untested) packaging 2017-12-08 00:32:41 +01:00
Thomas Patzke 2ce0be1f2d Re-licensing toolchain under LGPLv3
Thanks to Ben de Haan and Devin Ferguson for permission for this change.
2017-12-07 21:55:43 +01:00
Thomas Patzke 3b9ff57a38 Added merge_sigma tool
* Tests
* Restructured Makefile
2017-11-14 22:17:18 +01:00
Thomas Patzke f478cffb41 Added default index configs for usual ELK setups
* Added test case for defaultindex with kibana backend
2017-11-09 10:05:41 +01:00
Thomas Patzke 46f1ce35a8 sigmac/kibana backend: added index fallback if none determined 2017-11-09 10:02:23 +01:00
Florian Roth 1bea284280 Added Windows Driver Framework log source to configs 2017-11-09 08:42:58 +01:00
Florian Roth e83e3a0c07 Bugfixes in Splunk config 2017-11-09 08:41:07 +01:00
Thomas Patzke b03f9359ec sigmac: Added rule filter 2017-11-02 00:02:15 +01:00
Thomas Patzke 732f01878f Sigma rule collection YAML action documents 2017-11-01 00:17:55 +01:00
Thomas Patzke d0b2bd9875 Multiple rules per file
* New wrapper class SigmaCollectionParser parses all YAML documents
  contained in file and handles multiple SigmaParser instantiation.
* As an example, extended one security/4688 rule to security/4688 + sysmon/1
2017-10-31 23:06:18 +01:00
Thomas Patzke 5743e25931 Added logging framework 2017-10-31 22:13:20 +01:00
Thomas Patzke 720c992573 Dropped within keyword
Covered by timeframe attribute.

Fixes issue #26.
2017-10-30 00:25:56 +01:00
Thomas Patzke 012cb6227f Added proper handling of null/not null values
Fixes issue #25
2017-10-29 23:57:39 +01:00
Thomas Patzke 5fa9e685b1 Split parts of generate to generateQuery in backend code 2017-10-25 00:03:03 +02:00
Thomas Patzke 6d0e85fcfa Fixed Splunk backend (#50) 2017-10-24 23:48:47 +02:00
Thomas Patzke 65e1f8ec2b Increased test coverage
* more tests
* removed unneeded code
* increased coverage fail threshold
2017-10-23 23:30:44 +02:00
Thomas Patzke 3389656a5b Added ELK default index config 2017-10-23 00:45:33 +02:00
Thomas Patzke 7f93d3ca47 Kibana backend throws exception when multiple indices appear
* Introduced backend errors with handling in sigmac
2017-10-23 00:45:01 +02:00
Thomas Patzke cb9aeac7d9 Added default index handling
* Removed default index handling from backend code
* Added default indices to config templates
2017-10-23 00:08:39 +02:00
Thomas Patzke ec996e7353 Improved test coverage 2017-10-19 17:42:56 +02:00
Thomas Patzke 5449a12a14 Added GrepBackend
Moved field quoting/filtering into QuoteCharMixin
2017-10-18 19:03:38 +02:00