security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
2,410 Commits 1 Branch 57 Tags
a0bad54dbda170d5369f54ccede5f11f999da4de
Commit Graph

56 Commits

Author SHA1 Message Date
Anastasios Zouzias 3c7f522017 add .keyword on aggs; add extra unit test 2019-11-14 14:34:50 +01:00
Anastasios Zouzias e7ed0fa9ea added unit test 2019-11-12 14:06:10 +01:00
Anastasios Zouzias 324005a126 [feature] extend es-dsl to support nested aggregations 2019-11-12 11:46:43 +01:00
Thomas Patzke 465e41bfbb Added regular expression support in es-dsl backend 2019-11-08 22:31:02 +01:00
Thomas Patzke 8af2b70594 Restrict search not bound to fields to keyword fields 2019-11-02 22:55:04 +01:00
Thomas Patzke 2eeccf48e0 Removed line breaks in Elastalert YAML output 
Fixes #453
 2019-10-29 22:45:37 +01:00
Thomas Patzke 849a5a520d Conditional field mapping resolve_fieldname now functional 
Before this method just had some placeholder function that wasn't really
implementing the intended functionality of the conditional field
mapping. Now aggregations get also conditional field mapping
functionality.
 2019-10-09 23:57:41 +02:00
Thomas Patzke d4f89ebc1c Aggregation on keyword field in es-dsl backend 
* Fixes #452
* Further fixed reference to count in restriction of results
 2019-09-29 23:18:17 +02:00
Thomas Patzke 19f431b6d2 Changed xpack-watcher dateField default to previous value 2019-09-12 00:19:58 +02:00
herrBez 8f612f743c Use config dateField in xpack watcher to determine 
datefield name as in elasticsearch dsl backend
 2019-09-11 09:38:03 +02:00
Thomas Patzke 30b6db8299 Fixed ES backend keyword field mapping wildcard match pattern 2019-09-05 12:55:10 +02:00
Thomas Patzke 3b1cbe529e Elasticsearch keyword field name blacklisting with wildcards 2019-09-05 12:38:32 +02:00
Michiel Meersmans 0708fdd28e Correctly escape slashes within es-dsl wildcard queries 2019-08-07 12:56:19 +02:00
Thomas Patzke 805c739611 Merge branch 'devel-modifiers' 2019-07-31 23:44:10 +02:00
Thomas Patzke 1bb29dca26 Implemented type modifiers and regular expressions 2019-07-15 22:52:10 +02:00
christophetd 576912eb7a Support OR queries for Elasticsearch 6 and above 2019-07-08 17:12:53 +02:00
Thomas Patzke 0c7151c901 Watcher backend default options, refactoring and testing 2019-06-28 23:22:16 +02:00
Adrian Constantin Stanila feac0be8a4 Added 2 more actions on Elasticsearch X-pack Watcher: index and webhook 
Added timestamp filter query.
 2019-06-27 08:54:59 +03:00
Thomas Patzke 673973e523 Merge pull request #357 from agix/es_dsl_bug 
fix missing condition when unique plus timeframe
 2019-05-30 22:42:09 +02:00
Thomas Patzke 8023011bb1 Merge branch 'elastalert_dsl_backend' of https://github.com/agix/sigma into agix-elastalert_dsl_backend 2019-05-30 22:33:57 +02:00
Florian GAULTIER 89c1d7b63d Wrong fix, self.queries should be emptied after copied to rule_object 2019-05-29 16:10:14 +02:00
Florian GAULTIER 748ac2e206 Dont combine multiple queries 2019-05-29 16:05:53 +02:00
Thomas Patzke 04d91573f3 Merge pull request #355 from agix/allow_empty_keyword 
Allow empty keyword_field
 2019-05-28 21:45:55 +02:00
Florian GAULTIER d866e75750 Be sure there is a key in the single condition 2019-05-27 17:27:16 +02:00
Florian GAULTIER e8a7c5f7b9 fix missing condition when unique plus timeframe 2019-05-27 17:22:28 +02:00
Florian GAULTIER 6bf010fb4b introduce elastalert-dsl 
(cherry picked from commit 0235ec23200e62766d9f21fbd26ed834991a0b61)
 2019-05-27 17:18:19 +02:00
Florian GAULTIER 4168c0ec64 Allow empty keyword_field 2019-05-27 15:08:33 +02:00
ipninichuck 75ec169d5c added metadata field to the watcher alert 
While utilizing Kibana to track watches directly from the watch index it became quickly apparent that useful metadata was not available. In my project's case it was the title, description and tags from the sigma rule. By adding them to the metadata field it makes it easier to utilize them in visualizations of the watches themselves. In the future perhaps the contents of the metadata field could be given as an option for each user.
 2019-05-22 04:30:47 -07:00
Thomas Patzke 194afa739f Generate rule name for each condition 
In backends kibana and xpack-watcher.

Fixes #329
 2019-05-21 00:36:19 +02:00
Thomas Patzke 7e163d71eb Added option to use old URL in xpack-watcher backend 2019-05-21 00:01:21 +02:00
lliknart f86342012a Update elasticsearch.py 
From ElasticSearch 7.0, the URI to access to Watcher API changes

Deprecation: [PUT /_xpack/watcher/watch/{id}] is deprecated! Use [PUT /_watcher/watch/{id}] instead.
 2019-05-16 16:17:57 +02:00
Thomas Patzke 526468bec3 Merge pull request #298 from christophetd/elastalert-allow-rules-without-http-post-url 
Allow generating Elastalert rules with the http_post alert type without specifying a URL at generation time
 2019-05-10 00:31:33 +02:00
Thomas Patzke a361664ed2 Merge pull request #318 from HacknowledgeCH/es-qs-not-parenthesis-fix 
Correct parenthesization for NOT expressions in the ES-QS backend
 2019-05-10 00:14:29 +02:00
Thomas Patzke eb022f3908 Conditional field mapping for null values 
Fixes #326
 2019-04-25 23:24:05 +02:00
Thomas Patzke cfb4f32651 Backend es-dsl tolerates rules without title and log source 2019-04-25 22:41:31 +02:00
christophetd 4e16bbafa8 Correct parenthesization for NOT expressions in the ES-QS backend 2019-04-16 10:30:18 +02:00
christophetd d32e5c10b8 Allow generating Elastalert rules with the http_post alert type without specifying a URL at generation time 2019-04-03 17:22:58 +02:00
christophetd 1a6faf385c Add HTTP POST alert type to the Elastalert backend 2019-02-23 14:12:14 +01:00
Thomas Patzke 6215a694a8 Remove escaping from '\\*' in es-dsl backend 2019-02-02 23:51:11 +01:00
Thomas Patzke 8a0784ad33 Fixed escaping of \\* 2019-02-02 00:18:58 +01:00
Thomas Patzke 73b0c3a25b Fixed wildcard issue for es-dsl backend 
Moved field mapping code into mixin shared by es-qs and es-dsl.
 2018-12-21 14:10:45 +01:00
Thomas Patzke ffd43823cf Fixed wildcard issue in es-qs backend and depending 
See GitHub issue #194. Fix for es-dsl is pending.
 2018-12-19 00:33:12 +01:00
Thomas Patzke 2091c90538 Fixed ElastAlert *_key options 
* Always use .keyword field instead of analyzed one
* Fixed 'null' value if group field was not set
 2018-12-09 22:33:23 +01:00
Thomas Patzke 246ad7c59a Revert "Fixed wildcards in es-qs backend" 
This reverts commit 49d464f979.

The partial fix for issue #194 broke the generation of many other rules,
see #203.
 2018-12-05 09:07:07 +01:00
lsoumille 50c74b94bc add elastalert backend support 2018-11-23 20:39:15 +01:00
Thomas Patzke 9e28669c33 Backend es-qs return quotes on empty or whitespace-only string 2018-11-21 22:29:12 +01:00
Thomas Patzke 49d464f979 Fixed wildcards in es-qs backend 2018-11-20 23:23:54 +01:00
ntim e501c4a5b9 Added additional output type 'json' to the xpack-watcher backend which prints each watcher as compress json, one watcher per line 2018-10-17 10:38:56 +02:00
Thomas Patzke dce4b4825d Fixed aggregations without field name 
Generated query contained field name "None".
 2018-08-10 15:07:07 +02:00
Thomas Patzke af9f636199 Removal of backend output classes 
Breaking change: Instead of feeding the output class with the results,
they are now returned as strings (*Backend.generate()) or list
(SigmaCollectionParser.generate()). Users of the library must now take
care of the output to the terminal, files or wherever Sigma rules should
be pushed to.
 2018-08-02 22:41:32 +02:00