Commit Graph

1015 Commits

Author SHA1 Message Date
frack113 53651cdd2f Add Bits-Client rules 2022-03-03 06:27:00 +01:00
phantinuss 952fb07d59 fix: remove Aurora filter out, no longer needed 2022-03-02 11:14:01 +01:00
unknown 528cdd199b Update modified date 2022-02-24 14:38:35 -05:00
unknown 03048a1fdb Fix criteria to contains bckupkey 2022-02-24 13:55:34 -05:00
frack113 ffe2dd2a00 fix Provider_Name 2022-02-24 06:54:22 +01:00
Florian Roth b1ec01c289 fix: TiWorker.exe FW change 2022-02-22 13:58:21 +01:00
Florian Roth 70220eaced fix: last FPs 2022-02-22 13:53:28 +01:00
Florian Roth 679461082c Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-02-22 13:43:59 +01:00
Florian Roth b983330310 fix: more fixes 2022-02-22 13:42:39 +01:00
Florian Roth 7a2216c7be Merge branch 'master' into aurora-false-positive-fixing 2022-02-22 13:37:58 +01:00
Florian Roth cc9a5b4b07 fix: FPs with new rules 2022-02-22 13:32:34 +01:00
frack113 af987fb1a0 Set to low as too many FPs 2022-02-22 09:38:10 +01:00
Florian Roth 118e28dbb6 Merge pull request #2708 from frack113/firewall_as
Add firewall-as basic rules
2022-02-22 08:54:00 +01:00
Florian Roth 921d46ca79 fix: FPs noticed with Aurora 2022-02-21 18:43:18 +01:00
frack113 8cfab22acb Add firewall-as basic rules 2022-02-19 10:18:49 +01:00
Florian Roth 06e62c48ee Merge pull request #2683 from SigmaHQ/aurora-false-positive-fixing
Aurora false positive fixing
2022-02-11 12:45:41 +01:00
Florian Roth 36b0a13e0f fix: better way to filter these events 2022-02-11 12:00:08 +01:00
Florian Roth 55a2fdd1c3 fix: FP noticed with Aurora 2022-02-11 11:58:30 +01:00
phantinuss 6ad44598ee fix: several FPs against a freshly installed Windows with example applications and basic user interaction 2 2022-02-10 16:12:17 +01:00
Florian Roth 3b67b44b82 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-02-09 18:18:59 +01:00
Florian Roth 2bbf6089ed fix: FPs, wrong modifier 2022-02-09 18:18:57 +01:00
Florian Roth 42ecaf2254 Merge branch 'master' into aurora-false-positive-fixing 2022-02-09 17:59:16 +01:00
Florian Roth 0d3c7aafe8 fix: FPs with Microsoft Defender LSASS ASR events 2022-02-09 17:24:29 +01:00
Florian Roth a60426e4a2 Update win_alert_lsass_access.yml 2022-02-07 15:43:04 +01:00
phantinuss ed2025e626 fix: FPs 2022-02-07 15:32:15 +01:00
Florian Roth 44221ed95e fix: Aurora Sigma rule matches in application log 2022-02-05 21:38:10 +01:00
Florian Roth 48aeae8ca9 Merge pull request #2631 from JSHOX1/patch-1
Create win_susp_ntlm_brute_force.yml
2022-02-04 00:49:27 +01:00
Florian Roth e6fb282064 Merge pull request #2637 from ruppde/master
Update win_av_relevant_match.yml
2022-02-03 22:28:19 +01:00
Florian Roth 20463ed18e Update win_susp_ntlm_brute_force.yml 2022-02-03 22:02:33 +01:00
Florian Roth 46f094d6f9 Merge pull request #2635 from SigmaHQ/rule-devel
refactor: avoid regex use
2022-02-03 21:56:58 +01:00
Arnim Rupp aab00905f1 Update win_av_relevant_match.yml
Add Ransomware and Cobalt Strike strings.
2022-02-03 21:43:42 +01:00
Florian Roth 6ce92b27be refactor: more regex avoidance 2022-02-03 20:05:10 +01:00
Florian Roth 8c07a51ab9 fix: non-ascii character in description 2022-02-03 19:52:07 +01:00
Florian Roth b715894497 refactor: avoid regex use 2022-02-03 19:48:19 +01:00
JSHOX1 81292263ba Update win_susp_ntlm_brute_force.yml 2022-02-02 16:18:20 -05:00
JSHOX1 1346d93e95 Update win_susp_ntlm_brute_force.yml 2022-02-02 12:25:07 -05:00
JSHOX1 50fb36c4cb Create win_susp_ntlm_brute_force.yml 2022-02-02 09:24:13 -05:00
Florian Roth ef955b92ae Merge branch 'master' into aurora-false-positive-fixing 2022-02-02 13:49:23 +01:00
phantinuss 2d36c6222d fix: FPs found in prod environment 2022-02-02 11:03:19 +01:00
Florian Roth 9fc06fb027 Merge branch 'aurora-false-positive-fixing' of https://github.com/SigmaHQ/sigma into aurora-false-positive-fixing 2022-02-01 15:57:20 +01:00
Florian Roth 6efa5da3dc fix: unescaped double backslashes 2022-02-01 15:57:15 +01:00
frack113 5b30db61b0 Add windows redcannary rules 2022-01-28 16:12:38 +01:00
frack113 7053d42e43 move to builtin 2022-01-21 11:59:13 +01:00
frack113 4631d0c482 remove invalid tag 2022-01-19 18:23:30 +01:00
Tom Maier 2cd464e77c Adjusted modified field to current date 2022-01-17 14:18:33 +01:00
Tom Maier 82e7ce7799 Adjust case sensitivity of Provider_Name field 2022-01-17 10:36:09 +01:00
Florian Roth c1e1809dae Merge pull request #2570 from SigmaHQ/rule-devel
Admin Share rules, JS RunHTMLApplication
2022-01-16 22:44:02 +01:00
Florian Roth a3a9e2add8 fix: wrong modifier 2022-01-16 17:43:55 +01:00
Florian Roth be224a6f37 rule: new rules covering admin share activity 2022-01-16 17:40:50 +01:00
frack113 5890c1bb20 Fix logsource 2022-01-16 08:56:51 +01:00