Commit Graph

4063 Commits

Author SHA1 Message Date
Florian Roth 61a05ee054 reordered fields, changed indentation 2020-08-12 16:44:37 +02:00
Thomas Patzke 01125ffd3b Fixed: Elastalert backend handling of conditional field mappings 2020-08-11 23:29:18 +02:00
Thomas Patzke d73447c111 Merge pull request #939 from ktecv2000/master
add wmi persistence script event consumer false positive
2020-08-05 23:28:26 +02:00
Thomas Patzke f827a557f2 Merge pull request #936 from rtkmokuka/typo_wmiprvse_spawning_process
Change filter typo from 'Username' to 'User' for Wmiprvse Spawning Process rule
2020-08-05 23:26:14 +02:00
Thomas Patzke 9b2f8ce1f9 Merge pull request #953 from barvhaim/master
STIX Backend added and updated fields mapping
2020-08-05 23:25:17 +02:00
Florian Roth 98ca8b4ce9 Merge pull request #968 from zinint/master
ATT&CK mapping update suggestions for \linux\
2020-08-05 00:37:36 +02:00
Timur Zinniatullin 72fdf0da45 Update lnx_auditd_susp_cmds.yml 2020-08-04 20:00:30 +03:00
Timur Zinniatullin 4e688233d7 ATT&CK mapping update suggestions for \linux\ 2020-08-04 19:48:18 +03:00
Florian Roth 4529e4cd52 Merge pull request #966 from Neo23x0/rule-devel
rule: TAIDOOR malware load
2020-08-04 14:54:24 +02:00
Florian Roth 052379a512 fix: tightened TAIDOOR rule 2020-08-04 14:37:18 +02:00
Florian Roth c4953409aa rule: TAIDOOR malware load
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
2020-08-04 14:31:29 +02:00
Florian Roth fa36adfe6d Merge pull request #965 from IPv777/patch-2
.002 = SMB/Windows Admin Shares
2020-08-03 18:05:12 +02:00
IPv777 a52583dc68 .002 = SMB/Windows Admin Shares 2020-08-03 17:43:14 +02:00
Florian Roth 732c1fa356 Merge pull request #964 from Neo23x0/rule-devel
New rules
2020-08-03 15:28:45 +02:00
Florian Roth 5625f471d7 Merge pull request #963 from diskurse/rule-devel
win_webshell_regeorg.yml
2020-08-03 13:51:16 +02:00
Florian Roth 3abc3d0a76 docs: add FP condition 2020-08-03 13:50:47 +02:00
Florian Roth 6f7aecbe06 fix: preventive change to avoid FPs 2020-08-03 13:49:52 +02:00
Cian Heasley de33b953ba Add files via upload
Webshell ReGeorg Detection Via Web Logs
2020-08-03 12:20:04 +01:00
Florian Roth df3bfb1b37 rule: Winnti Pipemon 2020-07-30 18:55:47 +02:00
bar 8352eefe22 STIX Support keywords (value without field) 2020-07-28 18:52:02 +03:00
bar 53f36d2ab6 Merge remote-tracking branch 'upstream/master' 2020-07-28 16:24:51 +03:00
Florian Roth 5abf101c0b Merge pull request #954 from Neo23x0/rule-devel
Rule devel
2020-07-28 10:22:52 +02:00
Florian Roth 8970d03f6f Merge pull request #952 from Neo23x0/devel
feat: Detect duplicate rule tags
2020-07-28 10:21:59 +02:00
bar 565f77c199 Added STIX target to README.md 2020-07-27 15:35:30 +03:00
bar de475bb500 updated STIX mapping for more rule fields 2020-07-27 14:36:30 +03:00
Florian Roth 80f4b4ec71 fix: rules with duplicate tags 2020-07-27 11:44:47 +02:00
Florian Roth 051e2ce905 feat: detect duplicate tags 2020-07-27 11:37:58 +02:00
Thomas Patzke 481b695eff Merge pull request #950 from barvhaim/master
STIX Backend bug-fix and mapping updates
2020-07-26 18:33:35 +02:00
bar 32cf352236 Merge remote-tracking branch 'upstream/master' 2020-07-26 14:56:06 +03:00
bar 9643e01b54 extension should use '..' 2020-07-26 12:16:48 +03:00
Thomas Patzke dcb07bab2f Merge pull request #949 from 0xballistics/powershell_backend_fix
partial(?) fix of #762
2020-07-25 10:18:05 +02:00
Florian Roth a0ac6c46c7 Merge pull request #948 from IPv777/patch-1
remove duplicate tag
2020-07-24 20:32:40 +02:00
Simran Kaur Soin b8b1f83ae6 Merge pull request #3 from simrankaursoin/master
Fix bug with NOT handling
2020-07-24 11:55:17 -04:00
IPv777 77a8ac59ef remove duplicate 2020-07-24 16:38:08 +02:00
Florian Roth a55630f02c Merge pull request #947 from ryanplasma/master
Minor fixes to two rules
2020-07-24 09:25:55 +02:00
Ryan Plas aa548ba1a9 Add quotes due to a colon in the falsepositives string 2020-07-23 23:33:36 -04:00
Ryan Plas e52489aaf6 Change production status to stable 2020-07-23 23:33:36 -04:00
Simran Soin c329f6412d Fix bug with NOT handling 2020-07-23 11:47:55 -04:00
Simran Kaur Soin 7e32557ffc Merge pull request #2 from simrankaursoin/master
Update base.py and qradar.py
2020-07-23 11:12:17 -04:00
Florian Roth 8a4b53eb3a fix: rule leads to FPs on systems that don't log the cmdline parameters 2020-07-23 17:04:16 +02:00
Simran Soin 6c7b4cf408 Revert additional change in base.py 2020-07-23 10:47:22 -04:00
Simran Soin ef9af3730a Remove unnecessary edits from qradar.py 2020-07-23 10:34:29 -04:00
Simran Soin 0e49a6acdf Default NOT to false for all functions 2020-07-23 10:18:16 -04:00
Simran Soin 0fac21f4a3 Remove modifications from base file and override in stix.py 2020-07-23 10:13:30 -04:00
Simran Kaur Soin a03d1b091e Merge pull request #1 from simrankaursoin/master
Fix NOT bug
2020-07-23 09:50:18 -04:00
Simran Soin 30ff22776a Fix NOT bug 2020-07-23 09:41:33 -04:00
Florian Roth 951c6fee8b Update sysmon_password_dumper_lsass.yml 2020-07-23 14:31:21 +02:00
bar 5019f2f160 added mapping for stix web, cloud, linux 2020-07-22 21:41:46 +03:00
Florian Roth 02a6b20f5f Merge pull request #944 from rtkdmasse/update-rule-selections
Add 'contains' for the ps encoded chars rule
2020-07-22 17:48:18 +02:00
Daniel Masse 13cf0488ae Add 'contains' for the ps encoded chars rule 2020-07-22 10:49:22 -04:00