Commit Graph

703 Commits

Author SHA1 Message Date
Tim Shelton ad75a9a5bf updating hawk backend to provide additional tag enrichment. helps manage the state of each sigma rule, if experimental or not 2021-11-23 16:57:43 +00:00
frack113 4425f9cbcd Update sigma2attack.py 2021-11-20 19:59:57 +01:00
frack113 17296b4f5c Fix score error 2021-11-20 11:13:18 +01:00
frack113 1186982172 Add missing info 2021-11-20 10:10:17 +01:00
frack113 64d7386b9d Update and fix sigma2attack 2021-11-20 09:55:51 +01:00
redsand (Tim Shelton) bc334ab456 Hawk backend support for wildcard in middle of string (#2273)
* updating yaml cfg for ms eventlog support

* update config and sigma backend, so that comments are not replaced, but rather the details of the record

* updating scriptblocktext to value

* adding a few missing ip address translations

* Fixing error when handling comparisons of null values, and additional fix of lack of support for not

* adding additional translations for missing category entries

* fixing error when handling list of ors with a not indicator

* finishes support for windows translations, pending qa

* adding dedupe feature and additional translation fix for dns-server

* adding image_loaded translation

* forced to pull back on the aggressive deduping, caused some inaccuracies

* adding more ux friendly formatting for regex

* adds support for wildcards in middle of strings

* adding a missing null check for supporting null matching

* adding cisco, av, and django cfg in yaml. updated apache in yaml and added another translation for ip_dport
2021-11-18 06:29:41 +01:00
Sven Scharmentke c09b1861ec Merge branch 'SigmaHQ:master' into feature/uberagent-compat-6.2 2021-11-17 16:30:05 +01:00
Thomas Patzke ad647a6ecb Merge pull request #2240 from Entropy0/bugfix/condition-type-inheritance
fix condition token inheritance
2021-11-15 23:43:53 +01:00
Thomas Patzke cdaefbff69 Merge pull request #2265 from SigmaHQ/fix-ids
Additional characters in identifier token
2021-11-15 23:26:28 +01:00
Thomas Patzke aa47b88326 Merge pull request #2264 from roysjosh/fix-agg-ge-le
Fix aggregation GE/LE
2021-11-15 22:51:14 +01:00
Thomas Patzke 068255fc82 Additional characters in identifier token 2021-11-15 22:46:22 +01:00
Joshua Roys 87f919d0bc Fix aggregation GE/LE
List longest matches first, otherwise they will never match.
2021-11-15 15:57:46 -05:00
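The ordering problem this commit describes, as an added example (not sigmac's own code): a regex-alternation lexer for aggregation conditions tries alternatives left to right, so if `>` is listed before `>=`, the input `>=` is split into `>` followed by a stray `=` and the GE/LE token is never produced. The token names, the mini grammar and the sample expressions below are assumptions for illustration; only the longest-match-first point comes from the commit message.

```python
"""Added example: why two-character comparison operators must precede
one-character ones in an ordered alternation. Assumed token names and
grammar; not the sigmac tokenizer itself."""
import re
from typing import List, Tuple

# Deliberately wrong order: '>' and '<' are tried before '>=' and '<='.
BROKEN_ORDER = [
    ("GT", r">"), ("LT", r"<"), ("EQ", r"="),
    ("GE", r">="), ("LE", r"<="),
]

# Fixed order: longest literal alternatives first.
FIXED_ORDER = [
    ("GE", r">="), ("LE", r"<="),
    ("GT", r">"), ("LT", r"<"), ("EQ", r"="),
]

# Shared tokens for a toy "count() by field OP number" aggregation syntax (assumed).
COMMON = [
    ("NUMBER", r"\d+"),
    ("IDENT", r"[A-Za-z_][A-Za-z0-9_.]*"),
    ("LPAREN", r"\("), ("RPAREN", r"\)"),
    ("WS", r"\s+"),
]

COMPARISONS = {"GT", "LT", "GE", "LE", "EQ"}


def build_lexer(operators: List[Tuple[str, str]]) -> "re.Pattern":
    # Python's re alternation is ordered: the first alternative that matches
    # at the current position wins, even if a later one would match more text.
    pattern = "|".join(f"(?P<{name}>{rx})" for name, rx in operators + COMMON)
    return re.compile(pattern)


def tokenize(expr: str, operators: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (token_name, text) pairs, skipping whitespace."""
    lexer = build_lexer(operators)
    tokens: List[Tuple[str, str]] = []
    pos = 0
    while pos < len(expr):
        m = lexer.match(expr, pos)
        if m is None:
            raise ValueError(f"unexpected character {expr[pos]!r} at offset {pos}")
        if m.lastgroup != "WS":
            tokens.append((m.lastgroup, m.group()))
        pos = m.end()
    return tokens


def operators_in(expr: str, operators: List[Tuple[str, str]]) -> List[str]:
    """Only the comparison tokens, to show how the operator was understood."""
    return [name for name, _ in tokenize(expr, operators) if name in COMPARISONS]


if __name__ == "__main__":
    expr = "count() by src_ip >= 5"   # constructed sample condition
    print("broken:", operators_in(expr, BROKEN_ORDER))  # ['GT', 'EQ']
    print("fixed: ", operators_in(expr, FIXED_ORDER))   # ['GE']
```

The broken ordering does not fail loudly: `>= 5` lexes as GT then EQ, and a downstream parser that tolerates the stray `=` would silently turn "at least 5" into "more than 5", which for a threshold rule is a missed event at exactly the boundary value.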
wagga40 a8d00385c3 Fix double quotes escaping and values with commas in SQLite/SQL backends 2021-11-11 20:55:01 +01:00
redsand (Tim Shelton) a9b49679d3 Updates to hawk sigmac backend (#2244)
Updated HAWK sigma backend
2021-11-11 08:01:53 +01:00
ZikyHD 510da0085e Update sysmon.py (#2234)
Update sysmon.py and merge from master
2021-11-10 20:43:13 +01:00
Entropy0 c7259b6196 fix condition token inheritance
Without this fix, isinstance(ConditionOR(), ConditionAND) yields True
2021-11-09 13:19:53 +01:00
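How the inheritance bug named in this commit would show up in a backend, as an added example (not sigmac's own code): when `ConditionOR` derives from `ConditionAND`, every OR node also satisfies `isinstance(node, ConditionAND)`, so an evaluator that checks AND first treats `selection1 or selection2` as `selection1 and selection2` and stops matching. `ConditionAND` and `ConditionOR` are the names from the commit message; the base class, the `Buggy*` counterparts, the evaluator and the sample events are assumptions constructed for illustration.

```python
"""Added example: isinstance() dispatch goes wrong when one condition class
inherits from its sibling. Class hierarchy, evaluator and events are assumed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Selection:
    """Leaf node: matches when every listed field equals the expected value."""
    fields: Dict[str, str]

    def matches(self, event: Dict[str, str]) -> bool:
        return all(event.get(k) == v for k, v in self.fields.items())


# Buggy hierarchy (the shape the commit fixes): OR derives from AND,
# so every OR node is also an AND node as far as isinstance() is concerned.
class BuggyAND:
    def __init__(self, *items):
        self.items = list(items)


class BuggyOR(BuggyAND):
    pass


# Fixed hierarchy: both operators derive from a neutral base (name assumed)
# and are siblings, so isinstance() distinguishes them.
class ConditionBase:
    def __init__(self, *items):
        self.items = list(items)


class ConditionAND(ConditionBase):
    pass


class ConditionOR(ConditionBase):
    pass


def evaluate(node, event: Dict[str, str], and_cls, or_cls) -> bool:
    """Dispatch on node type with isinstance(), checking AND before OR.
    With the buggy hierarchy the first branch swallows OR nodes."""
    if isinstance(node, and_cls):
        return all(evaluate(c, event, and_cls, or_cls) for c in node.items)
    if isinstance(node, or_cls):
        return any(evaluate(c, event, and_cls, or_cls) for c in node.items)
    return node.matches(event)


def rule_hits(events: List[Dict[str, str]], buggy: bool) -> List[int]:
    """Evaluate 'selection1 or selection2' and return indices of matching events."""
    sel1 = Selection({"Image": "C:\\Windows\\System32\\certutil.exe"})
    sel2 = Selection({"Image": "C:\\Windows\\System32\\bitsadmin.exe"})
    if buggy:
        cond, and_cls, or_cls = BuggyOR(sel1, sel2), BuggyAND, BuggyOR
    else:
        cond, and_cls, or_cls = ConditionOR(sel1, sel2), ConditionAND, ConditionOR
    return [i for i, ev in enumerate(events) if evaluate(cond, ev, and_cls, or_cls)]


# Constructed sample events: two should match the OR rule, one should not.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\certutil.exe"},
    {"Image": "C:\\Windows\\System32\\bitsadmin.exe"},
    {"Image": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    print("isinstance(BuggyOR(), BuggyAND):", isinstance(BuggyOR(), BuggyAND))  # True
    print("buggy hits:", rule_hits(EVENTS, buggy=True))    # [] - OR evaluated as AND
    print("fixed hits:", rule_hits(EVENTS, buggy=False))   # [0, 1]
```

The failure mode is silent: no exception, just a rule that never fires because a single event cannot carry both Image values at once. That is a false negative in a detection pipeline, which is why a type check on condition nodes should use sibling classes (or explicit type equality) rather than relying on a subclass relationship that does not reflect the semantics.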
Sven Scharmentke 075419da38 Initial commit of pending changes providing uberAgent 6.2 compatibility. 2021-11-09 03:38:12 +01:00
frack113 7f087797d6 Merge pull request #2175 from frack113/elastic_is_bad_in_regex
manage start end regex for Elastic
2021-11-05 12:27:18 +01:00
Jordi Schoots 23ed626287 Change location value=str(value) 2021-11-01 16:05:34 +01:00
Jordi Schoots 9d0123e782 Fix errors introduced at commit 58d9e41 2021-11-01 12:40:41 +01:00
frack113 f4b1dcfc72 cleanup code 2021-10-28 20:56:19 +02:00
frack113 c49b0d49fa Add deprecated status 2021-10-28 20:08:27 +02:00
frack113 e9d163cdd1 add filter not status 2021-10-28 19:46:36 +02:00
Tim Shelton 9b6be31c8d commenting out exceptions output from handling 2021-10-26 18:25:23 +00:00
Tim Shelton 7fc2a6f00d missed one 2021-10-26 15:25:11 +00:00
Tim Shelton 0d65dcdc28 fix err 2021-10-26 15:12:03 +00:00
Tim Shelton 22b64644ef updating hawk backend to fix open ended backslash for regex 2021-10-26 15:09:47 +00:00
Tim Shelton bacdf53236 updating hawk backend to fix or list map missing an outer and operator 2021-10-26 15:05:27 +00:00
Tim Shelton 6b5c63e485 Merge branch 'master' of https://github.com/redsand/sigma into HAWK_Backend 2021-10-25 18:39:48 +00:00
davedhoff e772dbf0a9 Import Iterable from collections.abc 2021-10-22 13:56:47 -05:00
frack113 bb758bdb0f manage start end regex 2021-10-20 21:20:04 +02:00
Tim Shelton e97fa8fc75 merging from upstream 2021-10-19 02:37:53 +00:00
Tim Shelton d5498eecbf updating hawk backend, still pending aggregation support 2021-10-19 02:35:45 +00:00
Tim Shelton 16a78187bd updating hawk json format record 2021-10-18 21:39:49 +00:00
Tim Shelton 6e35c031de Add additional information to the analytic record, including tags, author info, rule id and references 2021-10-18 21:39:49 +00:00
Tim Shelton f2d9cf0964 Initial commit of hawk analytic score generator 2021-10-18 21:39:49 +00:00
Tim Shelton ae2923bdd8 Initial commit of hawk analytic score generator 2021-10-18 21:39:49 +00:00
Tim Shelton b30abd5c12 updating hawk json format record 2021-10-18 21:34:48 +00:00
Wagga 17d78a5c4c Fix a missing var reset in SQLite backend 2021-10-17 16:21:59 +02:00
Thomas Patzke 76c02a14b2 Merge pull request #1558 from maketsi/splunk-search-ext
Added ability to define free-text searches in the logsource mapping
2021-10-16 20:49:14 +02:00
Thomas Patzke 9d8828a0ed Merge pull request #1696 from denny-lclin/lclin/fix-ada-wildcard
Fix [ALA] Conversion of wildcard not as expected for ada backend #1689
2021-10-16 20:46:23 +02:00
Thomas Patzke f3c01a3f65 Merge pull request #1948 from zazzzSec/fix_cb_paths
fixing cb path wildcards that don't work
2021-10-16 20:44:14 +02:00
Thomas Patzke 4806a88427 Merge pull request #2029 from marcurdy/master
Correct for proper output to Splunk and CarbonBlack. Add AWS Athena c…
2021-10-16 20:37:59 +02:00
Thomas Patzke e6881e41a6 Merge pull request #2090 from roysjosh/ala-near
Implement "near" support for ALA/Sentinel
2021-10-16 20:34:32 +02:00
Thomas Patzke 00dd72acf2 Merge pull request #2118 from albchen/patch-3
Add generateAggregation
2021-10-16 20:33:11 +02:00
Tim Shelton 6d6a57a3b4 Add additional information to the analytic record, including tags, author info, rule id and references 2021-10-14 15:05:05 +00:00
Tim Shelton 1a9f106d34 Initial commit of hawk analytic score generator 2021-10-14 14:17:03 +00:00
frack113 468cac031d fix status 2021-10-14 07:19:41 +02:00
Tim Shelton 1f5d9d8adc Initial commit of hawk analytic score generator 2021-10-13 14:36:49 +00:00
albchen 62025971c7 Add generateAggregation
Adds aggregation function for rules such as win_multiple_suspicious_cli.yml or win_dnscat2_powershell_implementation.yml. Modeled after splunk.py backend, converted to use MDE's count() and dcount() instead of Splunk's count() and dc(). Requires a valid config for converting aggfields and groupfields.
2021-10-03 17:37:05 -07:00