2873e1ded3
Small refactors to make more readable and remove deprecated code paths to increase coverage.
2019-10-28 10:49:05 -05:00
a7003c2aa3
Adding support for "unix", looking like a mistake by the creator.
2019-10-27 15:55:12 -05:00
d019cef439
Ading a bit more of early support for netflow and some linux exe.
2019-10-27 15:48:28 -05:00
a57a7b58cf
Added conceptial support for aliasing keyworkds to a specific field depending on the log source.
2019-10-27 15:28:54 -05:00
60b20a76a6
Fixing handling of unsupported sources.
2019-10-27 12:37:06 -05:00
0fe72d6133
Emit error on full-text searches not being supported.
2019-10-27 12:26:36 -05:00
f43300af8e
Fix the top level pre-condition for Windows Event Logs on LC.
2019-10-27 12:17:15 -05:00
91e48d8c1b
Adding setup links and fixing test that would crash Not node, but not seen in prod rules.
2019-10-27 11:56:32 -05:00
8d866b0868
Adding comments.
2019-10-26 17:37:13 -05:00
bc5e9bd03a
Making rule output a full D&R (with the Response component) and includes a lot of metadata from the rule in the report.
2019-10-26 17:30:40 -05:00
8cc3990aef
Extending support for more random rules with odd names.
2019-10-26 16:59:33 -05:00
4d65b62063
Adding support for generating rules for Windows builtin category for use in the External Logs of LC.
2019-10-26 16:30:50 -05:00
30cc7ee809
Refactor mappings into a flat structure to account for missing parameters in some combinations.
2019-10-26 16:09:39 -05:00
77329714c5
Adding service to indirection of mappings since it will be used for Windows Event Logs.
2019-10-26 16:06:42 -05:00
823d86c7d9
Remove unimplemented config entries and fix bug with valueNode.
2019-10-26 15:54:08 -05:00
bba43c7a86
First draft of support for LimaCharlie D&R rules.
2019-10-26 15:45:48 -05:00
30948b9c1a
Added sigma-similarity tool
...
Fixed also bug in backend base class that was triggered by the way
backends are used by this tool.
2019-10-25 21:59:03 +02:00
8a545b973b
Sigmatools release 0.13
2019-10-21 11:58:26 +02:00
fc276612b6
Added encoding modifiers
2019-10-16 23:52:06 +02:00
6a1a96a918
Implement mapping when selecting the fields for the AQL query. This was not being done correctly
2019-10-16 16:37:09 +02:00
2837d3ba74
Added the cleanValue function for Qradar
2019-10-16 10:27:24 +02:00
849a5a520d
Conditional field mapping resolve_fieldname now functional
...
Before this method just had some placeholder function that wasn't really
implementing the intended functionality of the conditional field
mapping. Now aggregations get also conditional field mapping
functionality.
2019-10-09 23:57:41 +02:00
95c8d25858
Improved --backend-config help text
2019-10-07 22:30:57 +02:00
a729cc7905
create winlogbeat config/taxonomy specific to elastic enabled winlogbeat modules such as the one for sysmon]( https://github.com/elastic/beats/blob/master/x-pack/winlogbeat/module/security/config/winlogbeat-security.js ) sigmac conversion
2019-10-01 10:16:42 -04:00
f7fd936433
update HELK config taxonomy/mapping for sigmac conversion
2019-10-01 10:14:54 -04:00
d4f89ebc1c
Aggregation on keyword field in es-dsl backend
...
* Fixes #452
* Further fixed reference to count in restriction of results
2019-09-29 23:18:17 +02:00
3d333290a9
Merge pull request #445 from EccoTheFlintstone/localadmin
...
rule: user added to local administrator: handle non english systems b…
2019-09-25 17:29:41 +02:00
19f431b6d2
Changed xpack-watcher dateField default to previous value
2019-09-12 00:19:58 +02:00
4c5eab88b6
add GroupSid to other configs
2019-09-11 04:53:30 -04:00
8f612f743c
Use config dateField in xpack watcher to determine
...
datefield name as in elasticsearch dsl backend
2019-09-11 09:38:03 +02:00
5ae46ac56d
rule: user added to local administrator: handle non english systems by using group sid instead of name
2019-09-06 06:21:42 -04:00
c80cb418cd
Improved QRadar regular expression support
2019-09-05 15:35:26 +02:00
30b6db8299
Fixed ES backend keyword field mapping wildcard match pattern
2019-09-05 12:55:10 +02:00
3b1cbe529e
Elasticsearch keyword field name blacklisting with wildcards
2019-09-05 12:38:32 +02:00
2a60c71b9d
Merge pull request #437 from svent/qradar_regex_modifier
...
QRadar backend: add support for re type modifiers
2019-09-05 10:30:18 +02:00
de5e2045f0
Merge pull request #428 from stevengoossensB/master
...
AQL field selection from signatures
2019-09-05 10:28:02 +02:00
37e179b6a7
Merge pull request #390 from juju4/devel-sumo2
...
sumologic backend: fix index and full mapping coverage
2019-09-05 10:27:19 +02:00
467c8f694c
QRadar backend: add support for re type modifiers
2019-09-03 22:55:48 +02:00
cb088e4911
Remove quotes from around the fields to make the query semantically correct
2019-08-26 12:43:26 +00:00
ad19f05e2c
Include mapped names rather then signature names
2019-08-26 12:06:20 +00:00
37caccd52e
Includes the trial condition so generic query is generated whenever the fields are not defined
2019-08-26 11:48:40 +00:00
895682aef2
Implementing the fields to be selected
2019-08-26 10:57:43 +00:00
0984293d0c
Support for Malicious cmdlets in ATP
2019-08-20 14:33:08 -07:00
1ea6d00a39
Fix QRadar field name escaping and handling
2019-08-12 23:47:43 +02:00
826c1e3942
Fix QRadar backend config
2019-08-12 23:47:43 +02:00
0708fdd28e
Correctly escape slashes within es-dsl wildcard queries
2019-08-07 12:56:19 +02:00
9c85d5e80f
Merge pull request #406 from tuckner/master
...
Fix ala parsing issues
2019-08-06 10:28:07 +02:00
940c36a4cd
Fixed build
...
Missing package specification
2019-08-05 23:42:33 +02:00
d5885686fc
Sigmatools release 0.12
...
* Value modifiers
* Config name cleanup
2019-08-01 23:45:07 +02:00
805c739611
Merge branch 'devel-modifiers'
2019-07-31 23:44:10 +02:00
Maxime Lamothe-Brassard