f86342012a
Update elasticsearch.py
...
From ElasticSearch 7.0, the URI to access to Watcher API changes
Deprecation: [PUT /_xpack/watcher/watch/{id}] is deprecated! Use [PUT /_watcher/watch/{id}] instead.
2019-05-16 16:17:57 +02:00
9e2345c491
Merge pull request #338 from yt0ng/development
...
Suspicious Outbound RDP Rule likely identifying CVE-2019-0708
2019-05-15 21:35:52 +02:00
a6d2a5d79b
fix: more general fixes of the var type issue
2019-05-15 21:25:53 +02:00
9f1bbb0a0d
fix: missing type check in WDATP backend
2019-05-15 21:20:20 +02:00
694fa567b6
Reformatted
2019-05-15 20:22:53 +02:00
1c36bfde79
Bugfix - Swisscom in Newline
2019-05-15 15:03:55 +02:00
d5f49c5777
Fixed syntax
2019-05-15 14:50:57 +02:00
508d1cdae0
Removed double back slashes
2019-05-15 14:46:45 +02:00
13522b97a7
Adjusting Newline
2019-05-15 12:15:41 +02:00
275896dbe6
Suspicious Outbound RDP Rule likely identifying CVE-2019-0708
2019-05-15 11:47:12 +02:00
b6c4e64a9b
fixed attack category number 2->3
2019-05-12 11:59:13 +02:00
2778558ae3
added rule .bash_profile and .bashrc T1156
2019-05-12 02:07:13 +02:00
5dfe39c05b
Merge pull request #335 from Codehardt/master
...
fix: fixed reference list, otherwise it's not valid string list
2019-05-10 14:06:11 +02:00
1ca57719b0
fix: fixed reference list, otherwise it's not valid string list
2019-05-10 10:37:12 +02:00
1c2bc87946
Merge pull request #334 from Codehardt/master
...
fix: fixed reference list, otherwise it's not valid string list
2019-05-10 10:19:56 +02:00
6585c83077
fix: fixed reference list, otherwise it's not valid string list
2019-05-10 10:13:35 +02:00
526468bec3
Merge pull request #298 from christophetd/elastalert-allow-rules-without-http-post-url
...
Allow generating Elastalert rules with the http_post alert type without specifying a URL at generation time
2019-05-10 00:31:33 +02:00
f4d8dcaa1e
Merge branch 'Karneades-patch-1'
2019-05-10 00:21:15 +02:00
25c0330dca
Added filter
2019-05-10 00:20:56 +02:00
995c03eef9
Merge branch 'patch-1' of https://github.com/Karneades/sigma into Karneades-patch-1
2019-05-10 00:15:51 +02:00
a361664ed2
Merge pull request #318 from HacknowledgeCH/es-qs-not-parenthesis-fix
...
Correct parenthesization for NOT expressions in the ES-QS backend
2019-05-10 00:14:29 +02:00
56f64ca47d
Merge pull request #315 from P4T12ICK/feature/net_dnc_c2_detection
...
New C2 DNS Tunneling Sigma Detection Rule
2019-05-10 00:12:39 +02:00
c50119b913
Merge branch 'P4T12ICK-feature/lnx-priv-esc-prep'
2019-05-10 00:08:48 +02:00
46c789105b
Fix and ordering
2019-05-10 00:08:26 +02:00
595f22552d
Merge branch 'feature/lnx-priv-esc-prep' of https://github.com/P4T12ICK/sigma into P4T12ICK-feature/lnx-priv-esc-prep
2019-05-10 00:05:06 +02:00
27199fc231
Merge branch 'neu5ron-patch-3'
2019-05-10 00:02:33 +02:00
15a4c7e477
Fixed rule
2019-05-10 00:02:20 +02:00
666e859d14
Merge branch 'patch-3' of https://github.com/neu5ron/sigma into neu5ron-patch-3
2019-05-10 00:00:14 +02:00
14b10c232e
Merge branch 'MadsRC-MadsRC-patch-1'
2019-05-09 23:58:14 +02:00
f51e918a2e
Small rule change
2019-05-09 23:57:55 +02:00
31946426a5
Merge branch 'MadsRC-patch-1' of https://github.com/MadsRC/sigma into MadsRC-MadsRC-patch-1
2019-05-09 23:54:18 +02:00
f01fbd6b79
Merge branch
2019-05-09 23:51:15 +02:00
e60fe1f46d
Changed rule
...
* Adapted false positive notice to observation
* Decreased level
2019-05-09 23:49:39 +02:00
3dd76a9c5e
Converted to generic process creation rule
...
Previous rule was prone to FPs; more generic form
2019-05-09 23:48:42 +02:00
792095734d
Update win_proc_wrong_parent.yml
...
changes accordingly this documents:
https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
2019-05-09 23:48:36 +02:00
378ba5b38f
Transformed rule
...
I would try it like this - the 4th selection for uncommon parents of explorer.exe looks prone to FPs
Fixed Typo
Changes to title and description
2019-05-09 23:48:36 +02:00
8e6295e402
Windows processes with wrong parent
...
Detect scenarios when malicious program is disguised as legitimate process
2019-05-09 23:48:36 +02:00
1e2ef92104
Merge branch 'vburov-patch-2'
2019-05-09 23:10:52 +02:00
121e21960e
Rule changes
...
* Replaced variables with usual path names
* Removed Temp directories due to many false positives
* Matching on Image field, CommandLines often contain these paths
2019-05-09 23:09:22 +02:00
9b67705799
Merge branch 'patch-2' of https://github.com/vburov/sigma into vburov-patch-2
2019-05-09 22:55:07 +02:00
763939a8ca
Hide --shoot-yourself-in-the-foot
2019-04-25 23:42:13 +02:00
eb022f3908
Conditional field mapping for null values
...
Fixes #326
2019-04-25 23:24:05 +02:00
cfb4f32651
Backend es-dsl tolerates rules without title and log source
2019-04-25 22:41:31 +02:00
16bf5eef0f
Merge pull request #327 from Codehardt/master
...
Added logsources for generic sigma rules to spark config, renamed spa…
2019-04-25 10:10:51 +02:00
17ae9ea91c
Renamed spark config in setup.py
2019-04-25 09:56:29 +02:00
8cf505fcb3
Accidentally removed windows-dhcp logsource in spark's config file
2019-04-25 08:23:48 +02:00
79f7edb6b4
Added logsources for generic sigma rules to spark config, renamed spark config to thor config
2019-04-25 08:15:50 +02:00
6918784e87
Configuration order checking
2019-04-23 00:54:10 +02:00
c90d3e811e
Formatted error code definitions
2019-04-23 00:53:52 +02:00
e9af99c147
Completed error codes
2019-04-23 00:52:31 +02:00
lliknart