ipninichuck
75ec169d5c
added metadata field to the watcher alert
While utilizing Kibana to track watches directly from the watch index, it became quickly apparent that useful metadata was not available. In my project's case it was the title, description and tags from the Sigma rule. Adding them to the metadata field makes it easier to utilize them in visualizations of the watches themselves. In the future, perhaps the contents of the metadata field could be given as an option for each user.
2019-05-22 04:30:47 -07:00
Thomas Patzke
194afa739f
Generate rule name for each condition
In backends kibana and xpack-watcher.
Fixes #329
2019-05-21 00:36:19 +02:00
Thomas Patzke
af0bd1b082
Removed debug code from backend option handling
Additionally: code simplification
2019-05-21 00:21:52 +02:00
Thomas Patzke
97541ac267
Added -C shortcut for --backend-config
2019-05-21 00:15:01 +02:00
Thomas Patzke
7e163d71eb
Added option to use old URL in xpack-watcher backend
2019-05-21 00:01:21 +02:00
Thomas Patzke
4e63e925cf
Merge branch 'patch-1' of https://github.com/lliknart/sigma into lliknart-patch-1
2019-05-20 23:43:49 +02:00
Thomas Patzke
11ed7e7ef8
Check for valid configuration/backend combinations
2019-05-20 01:00:33 +02:00
Thomas Patzke
e271484eef
Load configurations via new config management
2019-05-20 00:27:35 +02:00
Thomas Patzke
3d20e0bc98
Sigma configuration management with listing
Missing:
* Use config by identifier
2019-05-17 09:13:59 +02:00
Thomas Patzke
71ff6bd943
Catch type errors in configuration handling
2019-05-16 23:34:44 +02:00
Thomas Patzke
36aeb19721
Added title to all configurations
2019-05-16 23:33:51 +02:00
lliknart
f86342012a
Update elasticsearch.py
From Elasticsearch 7.0, the URI to access the Watcher API changes:
Deprecation: [PUT /_xpack/watcher/watch/{id}] is deprecated! Use [PUT /_watcher/watch/{id}] instead.
2019-05-16 16:17:57 +02:00
Florian Roth
a6d2a5d79b
fix: more general fixes of the var type issue
2019-05-15 21:25:53 +02:00
Florian Roth
9f1bbb0a0d
fix: missing type check in WDATP backend
2019-05-15 21:20:20 +02:00
Thomas Patzke
526468bec3
Merge pull request #298 from christophetd/elastalert-allow-rules-without-http-post-url
Allow generating Elastalert rules with the http_post alert type without specifying a URL at generation time
2019-05-10 00:31:33 +02:00
Thomas Patzke
a361664ed2
Merge pull request #318 from HacknowledgeCH/es-qs-not-parenthesis-fix
Correct parenthesization for NOT expressions in the ES-QS backend
2019-05-10 00:14:29 +02:00
Thomas Patzke
763939a8ca
Hide --shoot-yourself-in-the-foot
2019-04-25 23:42:13 +02:00
Thomas Patzke
eb022f3908
Conditional field mapping for null values
Fixes #326
2019-04-25 23:24:05 +02:00
Thomas Patzke
cfb4f32651
Backend es-dsl tolerates rules without title and log source
2019-04-25 22:41:31 +02:00
Codehardt
17ae9ea91c
Renamed spark config in setup.py
2019-04-25 09:56:29 +02:00
Codehardt
8cf505fcb3
Accidentally removed windows-dhcp logsource in spark's config file
2019-04-25 08:23:48 +02:00
Codehardt
79f7edb6b4
Added logsources for generic sigma rules to spark config, renamed spark config to thor config
2019-04-25 08:15:50 +02:00
Thomas Patzke
6918784e87
Configuration order checking
2019-04-23 00:54:10 +02:00
Thomas Patzke
c90d3e811e
Formatted error code definitions
2019-04-23 00:53:52 +02:00
Thomas Patzke
e9af99c147
Completed error codes
2019-04-23 00:52:31 +02:00
Thomas Patzke
d0bd8a2a41
Mandatory configuration for most backends
2019-04-22 23:40:21 +02:00
Thomas Patzke
34c426a95b
Moved error codes to constants defined centrally
2019-04-22 23:15:35 +02:00
christophetd
4e16bbafa8
Correct parenthesization for NOT expressions in the ES-QS backend
2019-04-16 10:30:18 +02:00
Thomas Patzke
5194e8778c
Fail on missing target selection
2019-04-14 23:50:07 +02:00
Florian Roth
6351c5a350
Sigma ATT&CK coverage by @jmallette
2019-04-11 18:27:52 +02:00
Jon
cd456a1d2b
initial SIGMA ATTACK Navigator layer release
2019-04-09 22:49:28 -04:00
juju4
152febcea2
sumologic: fixing non-pushed cleannode()
2019-04-07 13:04:15 -04:00
christophetd
d32e5c10b8
Allow generating Elastalert rules with the http_post alert type without specifying a URL at generation time
2019-04-03 17:22:58 +02:00
Thomas Patzke
0419ff215a
Fixed quoting of single quotes in grep backend
2019-04-01 23:22:05 +02:00
Thomas Patzke
140a32d8c9
Sigma tools release 0.10
2019-03-16 01:02:48 +01:00
Thomas Patzke
2dda9a7b77
Moved Sysmon schema XML from contrib directory into module
2019-03-16 00:59:29 +01:00
Thomas Patzke
5e973a6321
Fixes and CI testing of --backend-config
2019-03-15 23:46:38 +01:00
Thomas Patzke
0864d05aa5
Merge branch 'backend-config-file' of https://github.com/christophetd/sigma into christophetd-backend-config-file
2019-03-15 23:35:11 +01:00
Thomas Patzke
3f7e08733a
Added backend option 'sysmon' for ala backend
2019-03-15 23:26:15 +01:00
Thomas Patzke
8d1723e65c
Merge branch 'master' of https://github.com/tuckner/sigma into tuckner-master
2019-03-15 23:06:08 +01:00
John Tuckner
a1ba04aec8
modified process creation logic
2019-03-08 00:01:43 -06:00
Thomas Patzke
a429f09cc1
Merge branch 'elastalert-alert-types' of https://github.com/christophetd/sigma into christophetd-elastalert-alert-types
2019-03-07 23:54:05 +01:00
tuckner
e9ddd933f8
more fixes for process creation
2019-03-07 16:28:35 -06:00
John Tuckner
5a64f572e3
update
2019-03-07 10:32:59 -06:00
John Tuckner
283bd278f4
added eventid to sysmon process creation
2019-03-05 20:58:23 -06:00
John Tuckner
971bd49071
accommodated process creation and slash escapes
2019-03-05 20:50:30 -06:00
tuckner
cf186387af
Added schema file checking
2019-03-04 11:53:51 -06:00
tuckner
c5796d7853
Added Azure Log Analytics backend
2019-03-04 10:49:50 -06:00
tuckner
8179d182c4
added azure log analytics
2019-03-04 10:44:45 -06:00
Thomas Patzke
99b15edf8a
Sigma tools release 0.9
2019-03-02 00:47:03 +01:00