Florian Roth
cc8a89b679
Merge pull request #239 from neu5ron/master
update helk config
2019-02-05 20:01:28 +01:00
neu5ron
046510f021
updated HELK Destination IP name
2019-02-05 13:11:06 -05:00
sisecbe
5d94b9f0bc
Changed stats to eventstats
Changed 'stats' to 'eventstats' when using aggregation, this keeps the original data of the event in the result.
2019-02-05 17:36:46 +01:00
Florian Roth
5092b1e603
Rule: removed overlapping strings in Linux rule
2019-02-05 16:12:07 +01:00
Florian Roth
32c098294f
Rule: extended suspicious command lines
2019-02-05 15:58:15 +01:00
Florian Roth
8f684ddd06
Rule: FP in WMI persistence with SCCM
2019-02-05 15:57:54 +01:00
sisecbe
2f5eb08b41
Adapt count function when aggfield not present
When no field is present, use "count"; when a field is present, use "dc(field)", as described in the Sigma specifications.
Splunk throws errors when using "count()" with empty fields. Use "count" instead.
2019-02-05 15:44:05 +01:00
Florian Roth
a276d3083d
DHCP log source in sigmac configs
2019-02-05 14:35:23 +01:00
Florian Roth
dfd4ce878f
Rule: limiting rule to DHCP log
2019-02-05 14:35:23 +01:00
Florian Roth
5b92790e3f
Rule: WMI Persistence - FPs
2019-02-05 14:35:23 +01:00
Florian Roth
abf5a5088e
Rule: more malicious UAs
2019-02-05 14:35:23 +01:00
juju4
98a18fd4a2
add sigma2sumologic.py as test/example script
2019-02-03 12:54:03 -05:00
juju4
7d159fb980
sumologic backend: review with inspiration from arcsight
2019-02-03 12:53:58 -05:00
Thomas Patzke
3ef930b094
Escaped '\*' to '\\*' where required
2019-02-03 00:24:57 +01:00
Thomas Patzke
9c44bb04a7
Added mail address to CI fail notification
2019-02-02 23:52:54 +01:00
Thomas Patzke
9403128aef
Merge branch 'master' of https://github.com/Neo23x0/sigma
2019-02-02 23:52:06 +01:00
Thomas Patzke
6215a694a8
Remove escaping from '\\*' in es-dsl backend
2019-02-02 23:51:11 +01:00
Florian Roth
37e13c9f41
Notify me
2019-02-02 08:56:00 +01:00
Thomas Patzke
8a0784ad33
Fixed escaping of \\*
2019-02-02 00:18:58 +01:00
Thomas Patzke
6440bc962b
CACTUSTORCH detection
2019-02-01 23:27:53 +01:00
Thomas Patzke
6436cb3ae1
Added missing conditions
2019-02-01 23:02:03 +01:00
Florian Roth
27c2684a0f
Rule: Chafer malware proxy pattern
2019-01-31 12:31:48 +01:00
Florian Roth
a8d1e7c62b
Rule: Fixed ntdsutil rule field in 4688 events
2019-01-29 15:59:39 +01:00
Florian Roth
6c8d08942e
Rule: Fixed field in RDP rule
2019-01-29 15:17:29 +01:00
Florian Roth
f61b44efa8
Rule: Netsh port forwarding
2019-01-29 14:04:48 +01:00
Florian Roth
086e62a495
Rule: Netsh RDP port forwarding rule
2019-01-29 14:04:28 +01:00
Florian Roth
a2eac623a6
Rule: Adjusted RDP login from localhost rule level
2019-01-29 14:04:10 +01:00
Florian Roth
c9ec469180
style: cosmetics - removed empty lines at file end
2019-01-29 12:54:07 +01:00
Thomas Patzke
516bfc88ff
Added rule: RDP login from localhost
2019-01-28 22:43:22 +01:00
Tareq AlKhatib
cd2af196e3
Corrected path to rules
2019-01-25 12:25:51 +03:00
Tareq AlKhatib
96220e776f
Added a test to check for duplicate filters in rules
2019-01-25 12:22:28 +03:00
Tareq AlKhatib
7e4bb1d21a
Removed duplicate filters
2019-01-25 12:21:57 +03:00
Thomas Patzke
3c7f46a6cd
Added rule test to CI testing
2019-01-23 23:31:36 +01:00
Thomas Patzke
9ce7d18712
Merge pull request #231 from TareqAlKhatib/rule_testing_framework
Rule testing framework
2019-01-23 23:16:46 +01:00
Tareq AlKhatib
ecffe28933
Correct MITRE tag
2019-01-22 21:26:07 +03:00
Tareq AlKhatib
e3d61047bb
Added two tests. One for MITRE and another for file extension.
2019-01-22 21:25:13 +03:00
Florian Roth
90e8eba530
rule: false positive reduction in PowerShell rules
2019-01-22 16:37:36 +01:00
Florian Roth
cc6e0baef1
rule: extended certutil rule to include verifyctl and allows renamed certutil
https://twitter.com/egre55/status/1087685529016193025
2019-01-22 16:20:06 +01:00
Florian Roth
b1ea976f66
fix: fixed bug in ntdsutil rule that included a white space
2019-01-22 16:18:43 +01:00
Florian Roth
8c4b21f063
Rule: Apache threading errors
2019-01-22 08:49:10 +01:00
keepwatch
f99df33b01
SSP added to LSA configuration
2019-01-18 14:05:21 -05:00
Thomas Patzke
3eaf83cf5a
Improved configurations
Added Security/4688 field mappings
2019-01-16 23:37:18 +01:00
Thomas Patzke
96eb460944
Converted Sysmon/1 and Security/4688 to generic process creation rules
2019-01-16 23:36:31 +01:00
Thomas Patzke
ba64f485ac
Added generic Windows audit log configuration
2019-01-16 22:41:42 +01:00
Thomas Patzke
4bc4c94a91
sigma2genericsigma: preserve dict order
2019-01-16 22:37:32 +01:00
Florian Roth
5645c75576
Rule: updated relevant AV signatures - exploiting
https://twitter.com/haroldogden/status/1085556071891173376
2019-01-16 18:43:28 +01:00
Florian Roth
f759e8b07c
Rule: Suspicious Program Location Process Starts
2019-01-15 15:40:51 +01:00
Thomas Patzke
7622b17415
Moved test rule to final location/naming scheme
2019-01-14 23:58:25 +01:00
Thomas Patzke
2fd88c837d
Added generic sigma rule support to WDATP backend
* Process creation rules
2019-01-14 23:54:05 +01:00
Thomas Patzke
4e83bfeb16
Fixed merge bugs
2019-01-14 22:54:26 +01:00