f86342012a
Update elasticsearch.py
...
From ElasticSearch 7.0, the URI to access to Watcher API changes
Deprecation: [PUT /_xpack/watcher/watch/{id}] is deprecated! Use [PUT /_watcher/watch/{id}] instead.
2019-05-16 16:17:57 +02:00
a6d2a5d79b
fix: more general fixes of the var type issue
2019-05-15 21:25:53 +02:00
9f1bbb0a0d
fix: missing type check in WDATP backend
2019-05-15 21:20:20 +02:00
526468bec3
Merge pull request #298 from christophetd/elastalert-allow-rules-without-http-post-url
...
Allow generating Elastalert rules with the http_post alert type without specifying a URL at generation time
2019-05-10 00:31:33 +02:00
a361664ed2
Merge pull request #318 from HacknowledgeCH/es-qs-not-parenthesis-fix
...
Correct parenthesization for NOT expressions in the ES-QS backend
2019-05-10 00:14:29 +02:00
eb022f3908
Conditional field mapping for null values
...
Fixes #326
2019-04-25 23:24:05 +02:00
cfb4f32651
Backend es-dsl tolerates rules without title and log source
2019-04-25 22:41:31 +02:00
d0bd8a2a41
Mandatory configuration for most backends
2019-04-22 23:40:21 +02:00
4e16bbafa8
Correct parenthesization for NOT expressions in the ES-QS backend
2019-04-16 10:30:18 +02:00
152febcea2
sumologic: fixing non-pushed cleannode()
2019-04-07 13:04:15 -04:00
d32e5c10b8
Allow generating Elastalert rules with the http_post alert type without specifying a URL at generation time
2019-04-03 17:22:58 +02:00
0419ff215a
Fixed quoting of single quotes in grep backend
2019-04-01 23:22:05 +02:00
2dda9a7b77
Moved Sysmon schema XML from contrib directory into module
2019-03-16 00:59:29 +01:00
5e973a6321
Fixes and CI testing of --backend-config
2019-03-15 23:46:38 +01:00
0864d05aa5
Merge branch 'backend-config-file' of https://github.com/christophetd/sigma into christophetd-backend-config-file
2019-03-15 23:35:11 +01:00
3f7e08733a
Added backend option 'sysmon' for ala backend
2019-03-15 23:26:15 +01:00
8d1723e65c
Merge branch 'master' of https://github.com/tuckner/sigma into tuckner-master
2019-03-15 23:06:08 +01:00
a1ba04aec8
modified process creation logic
2019-03-08 00:01:43 -06:00
a429f09cc1
Merge branch 'elastalert-alert-types' of https://github.com/christophetd/sigma into christophetd-elastalert-alert-types
2019-03-07 23:54:05 +01:00
e9ddd933f8
more fixes for process creation
2019-03-07 16:28:35 -06:00
5a64f572e3
update
2019-03-07 10:32:59 -06:00
283bd278f4
added eventid to sysmon process creation
2019-03-05 20:58:23 -06:00
971bd49071
accomodated process creation and slash escapes
2019-03-05 20:50:30 -06:00
cf186387af
Added schema file checking
2019-03-04 11:53:51 -06:00
c5796d7853
Added Azure Log Analytics backend
2019-03-04 10:49:50 -06:00
8179d182c4
added azure log analytics
2019-03-04 10:44:45 -06:00
c922f7d73f
Merge branch 'master' into project-1
2019-02-26 00:24:46 +01:00
1a6faf385c
Add HTTP POST alert type to the Elastalert backend
2019-02-23 14:12:14 +01:00
3a7160d52b
Accept backend options from a configuration file ( closes #213 )
2019-02-23 13:20:20 +01:00
9ef314486e
Grep backend escapes +
2019-02-19 14:49:06 +01:00
01dfc23a26
Merge pull request #234 from juju4/devel-sumo
...
Sumologic support update
2019-02-09 23:54:23 +01:00
4429d7564f
remove 'escape' of '_' - not needed
2019-02-09 12:57:43 -05:00
a815b7eb9b
add custom cleanValue function for wildcards in keyvalue: OK with lists, NOK with string
2019-02-09 12:57:07 -05:00
5d94b9f0bc
Changed stats to eventstats
...
Changed 'stats' to 'eventstats' when using aggregation, this keeps the original data of the event in the result.
2019-02-05 17:36:46 +01:00
2f5eb08b41
Adapt count function when aggfield not present
...
When no field is present, use "count" , when field is present use "dc(field)". As described in the Sigma specifications.
Splunk throws errors when using "count()" with empy fields. use "count" instead.
2019-02-05 15:44:05 +01:00
7d159fb980
sumologic backend: review with inspiration from arcsight
2019-02-03 12:53:58 -05:00
6215a694a8
Remove escaping from '\\*' in es-dsl backend
2019-02-02 23:51:11 +01:00
8a0784ad33
Fixed escaping of \\*
2019-02-02 00:18:58 +01:00
2fd88c837d
Added generic sigma rule support to WDATP backend
...
* Process creation rules
2019-01-14 23:54:05 +01:00
a9cf14438c
Merge branch 'master' into project-1
2019-01-14 22:36:15 +01:00
aa37ef2559
extending the qradar backend to allow for timeframe query
2019-01-11 03:33:49 +00:00
73b0c3a25b
Fixed wildcard issue for es-dsl backend
...
Moved field mapping code into mixin shared by es-qs and es-dsl.
2018-12-21 14:10:45 +01:00
ffd43823cf
Fixed wildcard issue in es-qs backend and depending
...
See GitHub issue #194 . Fix for es-dsl is pending.
2018-12-19 00:33:12 +01:00
4175d0cdd5
Fixed config and added index field
...
* Added index field _index to backend implementation
* Fixed index values in config
2018-12-10 22:37:39 +01:00
1f707cb37c
Adding Sumologic backend
2018-12-09 17:55:51 -05:00
2091c90538
Fixed ElastAlert *_key options
...
* Always use .keyword field instead of analyzed one
* Fixed 'null' value if group field was not set
2018-12-09 22:33:23 +01:00
246ad7c59a
Revert "Fixed wildcards in es-qs backend"
...
This reverts commit 49d464f979#194 broke the generation of many other rules,
see #203 .
2018-12-05 09:07:07 +01:00
f9d9d653dc
Merge pull request #199 from sisecbe/patch-1
...
Distinct count in aggragation function
2018-12-04 23:42:16 +01:00
2bf0170956
Merge pull request #202 from tuckner/master
...
Fixed backslash escape
2018-12-03 22:22:53 +01:00
2c5c92ab0a
fixed backslash escape
2018-12-03 15:09:29 -06:00
lliknart