security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
2,410 Commits 1 Branch 57 Tags
a0bad54dbda170d5369f54ccede5f11f999da4de
Commit Graph

2410 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Thomas Patzke a9cf14438c Merge branch 'master' into project-1 2019-01-14 22:36:15 +01:00
Thomas Patzke 8336b47530 Merge branch 'master' of https://github.com/Neo23x0/sigma 2019-01-14 22:12:37 +01:00
Thomas Patzke cc4b806b94 Sigma tools release 0.7.1 0.7.1 2019-01-14 00:26:03 +01:00
Thomas Patzke 5cba0b9946 Merge pull request #223 from m0jtaba/master 
extending the qradar backend to allow for timeframe query
 2019-01-13 23:55:55 +01:00
Thomas Patzke ed1ee80f2d Merge pull request #221 from adrienverge/fix/yamllint 
Fix yamllint config
 2019-01-13 23:55:14 +01:00
Thomas Patzke 7634128143 Generate list of converted file in conversion to generic rules 2019-01-13 23:53:11 +01:00
Thomas Patzke e585858128 Optimization in conversion to generic rules 
* only create necessary output files in directory output mode
* delete empty detections and empty detection sections
* Merge equal documents
* Merge reduced collections into one YAML document in common case
 2019-01-13 23:45:11 +01:00
Florian Roth 9a6b3b5389 Rule: PowerShell script run in AppData folders 2019-01-12 12:03:36 +01:00
Florian Roth 604d88cf1e Rule: WMI Event Subscription 2019-01-12 12:03:36 +01:00
Florian Roth 63f96d58b4 Rule: Renamed PowerShell.exe 2019-01-12 12:03:36 +01:00
Florian Roth b7eb79f8da Rule: UserInitMprLogonScript persistence method 2019-01-12 12:03:36 +01:00
Florian Roth d4a1fe786a Rule: Dridex pattern 2019-01-12 12:03:36 +01:00
Mo Amiri aa37ef2559 extending the qradar backend to allow for timeframe query 2019-01-11 03:33:49 +00:00
Adrien Vergé 44f18db80d Fix YAML errors reported by yamllint 
Especially the config for ArcSight, that was invalid:

    tools/config/arcsight.yml
      89:5      error    duplication of key "product" in mapping  (key-duplicates)
      90:5      error    duplication of key "conditions" in mapping  (key-duplicates)

    rules/windows/builtin/win_susp_commands_recon_activity.yml
      10:9      error    too many spaces after colon  (colons)
 2019-01-10 09:51:39 +01:00
Adrien Vergé b5531be4bf Really run yamllint (it wasn't checking any rule) 
Fix the yamllint config in `.yamllint` to "extend" the default rule.
Previously, it didn't extend anything and only disabled a rule, which
means no rule at all were checked.

Also disable some rules in this file, because they report many errors in
the Sigma code base.

In the future, I suggest fixing these errors and re-enabling standard
rules like `trailing-spaces` or `indentation`.

Fixes #220.
 2019-01-10 09:51:33 +01:00
Thomas Patzke 9f56b9e99b Output all YAML documents if one changed 
Some Sigma rule collections contain YAML documents that reduce to almost
nothing because they only contain EventID definitions. Previous behavior
would filter the part with the remaining selection.
 2019-01-08 23:27:16 +01:00
Thomas Patzke bf9a567afd Fixed issues in converter 2019-01-06 23:57:09 +01:00
Thomas Patzke faeaf1dfef Added first version of generic sigma rules conversion tool 2019-01-06 23:46:23 +01:00
Florian Roth 0c3b0e25a8 Merge pull request #217 from TareqAlKhatib/private_ips 
Corrected class B private IP range to prevent false negatives
 2019-01-04 12:11:25 +01:00
Tareq AlKhatib 8b94860ee6 Corrected class B private IP range to prevent false negatives 2019-01-04 12:50:41 +03:00
Florian Roth ee417dd2ea Merge pull request #216 from TareqAlKhatib/duplicate_outlook 
Removed Outlook detection which is a subset of the Office one
 2019-01-02 22:56:59 +01:00
Tareq AlKhatib 925ffae9b8 Removed Outlook detection which is a subset of the Office one 2019-01-02 07:47:44 +03:00
Florian Roth 55f8993a96 Merge pull request #215 from TareqAlKhatib/ole_vs_rc 
Fixed the RC section to use rc.exe instead of oleview.exe
 2019-01-01 14:01:42 +01:00
Tareq AlKhatib 0a5e79b1e0 Fixed the RC section to use rc.exe instead of oleview.exe 2019-01-01 13:30:26 +03:00
Florian Roth 4e21289bdc Merge pull request #214 from TareqAlKhatib/reference_vs_references 
Corrected reference to references as per Sigma's standard
 2018-12-28 10:55:30 +01:00
Tareq AlKhatib f318f328d6 Corrected reference to references as per Sigma's standard 2018-12-25 16:25:12 +03:00
Thomas Patzke f7e53929fa Added Python 3.7 to CI testing 2018-12-21 14:17:02 +01:00
Thomas Patzke 73b0c3a25b Fixed wildcard issue for es-dsl backend 
Moved field mapping code into mixin shared by es-qs and es-dsl.
 2018-12-21 14:10:45 +01:00
Florian Roth c8c419f205 Rule: Hacktool Rubeus 2018-12-19 09:31:22 +01:00
Thomas Patzke 75c7d65240 Merge pull request #211 from Cyb3rWard0g/master 
Field-Index Mapping File & SIGMA Rules Field names fix
 2018-12-19 00:38:06 +01:00
Thomas Patzke ffd43823cf Fixed wildcard issue in es-qs backend and depending 
See GitHub issue #194. Fix for es-dsl is pending.
 2018-12-19 00:33:12 +01:00
Florian Roth a7fa20546a Rule: proxy user agents updated with MacControl user agent 2018-12-17 14:18:03 +01:00
Florian Roth 99f773dcf6 Rule: false positive reduction in rule 2018-12-17 10:02:55 +01:00
Florian Roth 172236e130 Rule: updated ATT&CK tags in MavInject rule 2018-12-12 09:17:58 +01:00
Florian Roth 188d3a83b8 Rule: docs: reference update in MavInject rule 2018-12-12 08:37:00 +01:00
Florian Roth 6206692bce Merge pull request #212 from Neo23x0/commandline-issue 
Bugfix: wrong field for 4688 process creation events
 2018-12-12 08:24:07 +01:00
Florian Roth 49eb03cda8 Rule: MavInject process injection 2018-12-12 08:18:43 +01:00
Florian Roth b0cb0abc01 Bugfix: wrong field for 4688 process creation events 2018-12-11 16:10:15 +01:00
Florian Roth b5d78835b6 Removed overlapping rule with sysmon_office_shell.yml 2018-12-11 13:37:47 +01:00
Roberto Rodriguez a0486edeea Field-Index Mapping File & SIGMA Rules Field names fix 
+ Updated HELK field-index mapping file
+ After going through all the fields with 'fieldlist' output, I found a few rules that fixed.
 2018-12-11 09:27:26 +03:00
Thomas Patzke 68866433e8 Merge branch 'juju4-devel-sumo' 2018-12-10 22:37:58 +01:00
Thomas Patzke 4175d0cdd5 Fixed config and added index field 
* Added index field _index to backend implementation
* Fixed index values in config
 2018-12-10 22:37:39 +01:00
Thomas Patzke b520897176 Added CI testing for SumoLogic backend 2018-12-10 22:36:08 +01:00
Thomas Patzke 4e3f6c366b Merge pull request #208 from Cyb3rWard0g/master 
Elastalert-HELK integration Updates
 2018-12-10 22:13:37 +01:00
Roberto Rodriguez 93d1d700d4 Merge remote-tracking branch 'upstream/master' 2018-12-10 07:04:30 +03:00
juju4 1f707cb37c Adding Sumologic backend 2018-12-09 17:55:51 -05:00
Thomas Patzke 2091c90538 Fixed ElastAlert *_key options 
* Always use .keyword field instead of analyzed one
* Fixed 'null' value if group field was not set
 2018-12-09 22:33:23 +01:00
Roberto Rodriguez 9567ce588d Merge remote-tracking branch 'upstream/master' 2018-12-09 09:27:43 +03:00
Roberto Rodriguez 8c577a329f Improve Rule & Updated HELK SIGMA Standardization Config 
Rule should be focusing on the 'process_command_line' field and not just on any value of any event generated by powershell.exe.

SIGMA HELK standardization config updated to match latest HELK Common Information Model
 2018-12-08 11:30:21 +03:00
Roberto Rodriguez a35f945c71 Update win_disable_event_logging.yml 
Description value breaking SIGMA Elastalert Backend
 2018-12-06 05:09:41 +03:00