39 Commits

Author SHA1 Message Date
Thomas Patzke 6d0e85fcfa Fixed Splunk backend (#50) 2017-10-24 23:48:47 +02:00
Thomas Patzke 65e1f8ec2b Increased test coverage
* more tests
* removed unneeded code
* increased coverage fail threshold
2017-10-23 23:30:44 +02:00
Thomas Patzke 7f93d3ca47 Kibana backend throws exception when multiple indices appear
* Introduced backend errors with handling in sigmac
2017-10-23 00:45:01 +02:00
Thomas Patzke cb9aeac7d9 Added default index handling
* Removed default index handling from backend code
* Added default indices to config templates
2017-10-23 00:08:39 +02:00
Thomas Patzke 5449a12a14 Added GrepBackend
Moved field quoting/filtering into QuoteCharMixin
2017-10-18 19:03:38 +02:00
Thomas Patzke b8eedfe3f0 Fixes and refactoring of KibanaBackend and XPackWatcherBackend
* Moved unnecessary code out of condition loop
* Index specific rule-name not appended to rulename variable used later
  from other rule/index.
* Merged condition loop
2017-09-30 23:22:05 +02:00
Thomas Patzke 1d314e326e sigmac: MultiRuleOutputMixin
* Moved rule name generation into mixin
* KibanaBackend and XPackWatcherBackend now use this mixin instead of
  doing the same thing in both classes.
2017-09-30 01:03:08 +02:00
Thomas Patzke d410adb397 sigmac: X-Pack Watcher backend improvements
* Renamed backend class according to convention
* Output types: curl (default) and plain
* Prefix of rule names
* Indices from configuration
* Support for multiple conditions per rule
* Usage of parsed condition
* Support for all condition operators
* Fixed bug preventing from passing multiple options to backend
* Added to CI tests
2017-09-22 00:28:35 +02:00
Thomas Patzke 62eb3b2923 Merge branch 'devel-sigmac' of https://github.com/megadevx/sigma into devel-sigmac-watcher 2017-09-19 23:08:04 +02:00
Thomas Patzke a18b8eca52 sigmac: changed backend description for kibana backend 2017-09-17 00:31:25 +02:00
Thomas Patzke 270ab9ba78 Added backend options
* generic support for backend-specific options
* kibana backend option for title prefix
2017-09-16 23:46:40 +02:00
Thomas Patzke c8a66e48b6 sigmac: improved Kibana backend
* added fields from rules
* default index if none is matching
2017-09-16 00:39:37 +02:00
devife 9bc8e12a4f Created an X-Pack Watcher output.
This has only been tested slightly.
2017-09-15 09:49:57 -05:00
devife 135e389334 Created an X-Pack Watcher output.
This has only been tested slightly.
2017-09-15 09:46:37 -05:00
Thomas Patzke e5da26578d sigmac/kibana backend: index names from configuration 2017-09-11 00:30:01 +02:00
Thomas Patzke be3c0cfb89 sigmac: Kibana backend, first version
* totally untested!
* only supports searches
* no visualizations/aggregation expressions
* some fields are filled with default values (see code comments)
2017-09-05 00:14:13 +02:00
Thomas Patzke c5fc74f440 Further backend changes
* backends get complete SigmaParser objects instead of condition
* addition of finalize step for backends
* Renaming of output classes
2017-09-04 00:56:04 +02:00
Thomas Patzke 39381305d8 sigmac: Generic Text File Output
Moved output logic into generic class.
2017-08-29 00:05:59 +02:00
Thomas Patzke d84f9dcc1c Aggregation 'near' raises NotImplementedError in backends splunk and logpoint 2017-08-05 23:48:28 +02:00
Ben de Haan 43c4486de0 Added LogPoint aggregation
Added generateAggregation function for LogPoint
2017-06-19 15:21:29 +02:00
Thomas Patzke 9d49daecea Restructured backends
Moved most logic into generic base class SingleTextQueryBackend which is
configured by class variables.
2017-06-02 23:43:45 +02:00
Thomas Patzke 6a29884615 Structured backends module with comments 2017-05-26 23:42:49 +02:00
Thomas Patzke 05e9d1e1e9 Check if aggregation is present in BaseBackend
Caused NotImplementedError in ElasticsearchQueryStringBackend.
2017-04-17 00:11:20 +02:00
Thomas Patzke a22fe58ac9 Aggregation support for Splunk backend 2017-03-29 23:18:47 +02:00
Thomas Patzke 5009794591 Changes to field mappings
* Introduced field mapping objects
* moved mapping from backends into parse tree generation
  (SigmaParser.parse_definition)
2017-03-24 00:48:32 +01:00
Thomas Patzke 1bf11dc471 Merge pull request #17 from benno001/master
Fixed LogPoint list behaviour
2017-03-20 08:58:16 +01:00
Ben de Haan c94b539b14 Fixed LogPoint list behaviour 2017-03-20 08:41:29 +01:00
Florian Roth 8403e8072c Merge pull request #14 from benno001/master
Added LogPoint backend
2017-03-18 13:30:35 +01:00
Ben de Haan d18751a0ea Added LogPoint backend 2017-03-18 11:12:06 +01:00
Thomas Patzke b865a858aa Generation of conditions for configured indices 2017-03-17 23:28:06 +01:00
Thomas Patzke d1030ec053 Fieldlist backend
Lists all fields used in given rules.
2017-03-06 22:47:30 +01:00
Thomas Patzke 05df298d45 Field mappings 2017-03-06 22:07:04 +01:00
Florian Roth 47bfe82cc4 Splunk specifics 2017-03-04 10:37:40 +01:00
Thomas Patzke 8f3541f0a0 Added Splunk backend 2017-03-02 23:34:12 +01:00
Thomas Patzke 2dd1c7cd12 Deactivated not implemented backends 2017-03-02 22:55:45 +01:00
Thomas Patzke 9556e73cd1 Fix: automatic escaping of * and ? in es-qs backend removed 2017-03-02 12:07:07 +01:00
Thomas Patzke 10ee9c64fe Moved node output into dedicated backend class methods 2017-03-01 21:47:51 +01:00
Thomas Patzke e0f813ebbb Conversion to Elasticsearch Query Strings
First version of sigmac that converts Sigma YAMLs without aggregations
into ES Query Strings suitable for Kibana or other tools.
2017-03-01 00:03:34 +01:00
Thomas Patzke 1498d787e7 Added Sigma converter skeleton
* YAML parsing
* argument parsing
* empty backend classes
2017-02-13 23:28:53 +01:00