security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
14,589 Commits 1 Branch 57 Tags
87879f69cfdfa1e759c69cda797c8dfd4c8bb2dd
Commit Graph

627 Commits

Author SHA1 Message Date
Maxime Lamothe-Brassard f294be60b8 Adding support for additional platforms and sources. 2023-01-26 17:33:58 -08:00
Maxime Lamothe-Brassard aa341ab38f Support macOS file_event. 2023-01-26 15:51:24 -08:00
Maxime Lamothe-Brassard ff7794225b Fix a case of regular expression use. 2023-01-26 15:44:10 -08:00
frack113 699da13dc0 Revert name to uuid 2023-01-18 19:34:13 +01:00
Arnim Rupp ffa01ef035 add -i to grep parameters to make it case insensitive as sigma 2023-01-16 10:14:51 +01:00
Thomas Patzke b0f59faac3 Fixed type hint causing issues 2023-01-07 00:37:47 +01:00
Nasreddine Bencherchali a25027fef8 fix: rename links from old repo to SigmaHQ 2022-12-27 21:05:16 +01:00
Tim Shelton 9e26ad75da HAWK backend configuration update and bug fix. 2022-11-15 17:38:29 +00:00
tr0mb1r 27b8b85230 Update elasticsearch.py 
Example:

'threshold': {
        'field': [
            'host.name',
        ],
        'value': 10,
        'cardinality': [
            {
                'field': 'process.parent.name',
                'value': 1,
            },
        ],
    }
 2022-11-07 12:46:09 +04:00
frack113 85d33e4af9 Merge pull request #3525 from vastlimits/feature/ame-7.0 
Updated uberAgent backend to support version 7.0.
 2022-10-06 06:42:57 +02:00
mpgn 652447696b Update datadog sigmac 2022-09-28 08:30:03 -04:00
Sven Scharmentke 5d9edbbb28 Merge remote-tracking branch 'origin/master' into feature/ame-6.3 2022-09-27 09:48:24 +02:00
David Hazekamp ad6ddf5896 feat(backend): add support for linux.network_connection 
Also remove evaluatorId
 2022-09-20 13:47:17 -05:00
Thomas Patzke 7afcf24d21 Splunk puts AND always into parentheses 
New fix for issue #3443
 2022-09-09 22:30:00 +02:00
Thomas Patzke 19dea55e2c Merge branch 'windash' 2022-09-08 09:34:19 +02:00
Wagga 03a6a5b48b Update Sqlite backend to handle null values 2022-08-20 12:23:00 +02:00
Sven Scharmentke b3088d45b4 Merge branch 'master' into feature/ame-6.3 2022-08-04 09:43:23 +02:00
Rachel Rice d47f32cb0f chore: Remove DEFAULT_EVAL_FREQUENCY global 
Signed-off-by: Rachel Rice <rachel.rice@lacework.net>
 2022-08-01 16:26:58 +01:00
Rachel Rice 197953e816 chore: Remove evalFrequency from Lacework backend 
evalFrequency has been deprecated; it is no longer required for policies.

Signed-off-by: Rachel Rice <rachel.rice@lacework.net>
 2022-08-01 16:12:13 +01:00
Tim Shelton b39ec30d06 Backend: hawk update to support boolean comparison values and some column translation updates 2022-07-29 13:56:15 +00:00
akshay.chaturvedi b80448a0e7 added new backend for DNIF queries 2022-06-30 13:03:54 +05:30
Alexander McDonald 1249675bcd Adding a mapping check to escape slashes in KQL 2022-06-18 09:02:21 -04:00
frack113 6bd09ec054 Merge pull request #3114 from hazedav/self-join-filter 
feat(backend): support for parent process filters
 2022-06-09 08:16:13 +02:00
David Hazekamp c1b5551486 feat(backend): bump lacework config version 2022-06-08 23:41:54 -05:00
David Hazekamp fea9602210 feat(backend): support for parent process filters 2022-06-08 23:39:32 -05:00
Tim Shelton 4d7d0b3235 backend - updating hawk backend with additional translations 2022-06-08 19:04:37 +00:00
David Hazekamp 323298ba91 fix(backend): use subexp when OR list items 2022-06-03 14:54:35 -05:00
Maxime Lamothe-Brassard 3fdaf8b9f1 Support alternate case for OriginalFileName. 2022-05-27 11:01:22 -07:00
Tim Shelton b339901806 Backend: because hawk splits up SYSTEM and NT AUTHORITY, additional treatment is needed on some rules 2022-05-23 23:52:52 +00:00
Thomas Patzke 01ffec65fe Merge pull request #2994 from ablescia/feat-hedera_backend 
Hedera Backend - C# dynamic LINQ
 2022-05-18 23:23:51 +02:00
Tim Shelton c64197233d fixing error in translation 2022-05-10 02:19:23 +00:00
Tim Shelton 50a4a02364 adding additional field with ip_src as initial cardinal 2022-05-10 01:51:37 +00:00
Tim Shelton 8674e26218 adding cardinality of each group by to include source address. otherwise lookups will only be using "command" for example 2022-05-10 01:50:46 +00:00
Tim Shelton 6aa0064c28 adding support for splitting out domain and user for nt authority, since its split in the application into 2 fields, only works for system currently. not aware of other examples 2022-05-09 23:23:07 +00:00
Antonio Blescia feca339bfc created hedera backend file 2022-05-08 15:59:14 +02:00
Tim Shelton bd51eb4c72 adding additional filter for string 2022-05-04 15:27:23 +00:00
Tim Shelton ad003de3fb Fixing mismatch of sigs when using system/app/security and additional matching against provider name 2022-05-04 14:58:02 +00:00
tungnd27 9d7a7f7896 Add StreamAlert backend 2022-05-03 17:32:19 +07:00
Sven Scharmentke 616dce35e2 Implemented RuleId property & use Generic fields as they are matched. 2022-05-03 01:08:12 +02:00
Sven Scharmentke 0d2189cfa2 Merge branch 'SigmaHQ:master' into feature/ame-6.3 2022-05-03 00:02:13 +02:00
Thomas Patzke 58dea50656 Fix: Subexpression with OR instead of OR 2022-05-01 23:17:33 +02:00
Thomas Patzke 184b6bb244 Wrapping base64offset modified expansion group into ConditionOR 2022-05-01 23:07:25 +02:00
Tim Shelton eb0bcd7c9f updating hawk field translation, and bug when an author field is not present in a sig 2022-04-28 19:54:00 +00:00
secops4thewin 4442bb6982 Removed empty line 2022-04-28 13:18:11 +10:00
secops4thewin 9275d33ab2 Add timeframe to search for Devo 
Modified search to include a timeframe option.
 2022-04-28 13:14:41 +10:00
Sven Scharmentke a73697c184 Merge branch 'master' into feature/ame-6.3 2022-04-11 14:07:33 +02:00
Sven Scharmentke 41ce8dcbfb Implemented backend configuration to exclude certain rules during generation. 2022-04-11 14:02:11 +02:00
frack113 627843d73f New registry category mapping 2022-03-26 19:36:46 +01:00
frack113 33e29b55bf New registry category 2022-03-26 19:05:38 +01:00
SimSama c37ae60cff Merge branch 'master' into master 2022-03-16 16:29:34 -05:00