security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
423 Commits 1 Branch 57 Tags
c8a66e48b6e701edef831bf00b5c32aaa6a3f5ea
Commit Graph

79 Commits

Author SHA1 Message Date
Thomas Patzke c8a66e48b6 sigmac: improved Kibana backend 
* added fields from rules
* default index if none is matching
 2017-09-16 00:39:37 +02:00
Thomas Patzke d3201229b0 sigmac: Fixed matching of log sources between rules and configuration 2017-09-16 00:32:31 +02:00
Thomas Patzke e5da26578d sigmac/kibana backend: index names from configuration 2017-09-11 00:30:01 +02:00
Thomas Patzke 77a3e7ed91 Code cleanup 2017-09-11 00:27:14 +02:00
Thomas Patzke be3c0cfb89 sigmac: Kibana backend, first version 
* totally untested!
* only supports searches
* no visualizations/aggregation expressions
* some fields are filled with default values (see code comments)
 2017-09-05 00:14:13 +02:00
Thomas Patzke c5fc74f440 Further backend changes 
* backends get complete SigmaParser objects instead of condition
* addition of finalize step for backends
* Renaming of output classes
 2017-09-04 00:56:04 +02:00
Thomas Patzke 39381305d8 sigmac: Generic Text File Output 
Moved output logic into generic class.
 2017-08-29 00:05:59 +02:00
Florian Roth edf2787402 Removed some spaces and added Win 10 WMI eventlog 2017-08-22 10:04:56 +02:00
Thomas Patzke 487ab99507 Changed sigmac error behavior on I/O errors 2017-08-07 08:54:18 +02:00
Thomas Patzke d84f9dcc1c Aggregation 'near' raises NotImplementedError in backends splunk and logpoint 2017-08-05 23:48:28 +02:00
Thomas Patzke f5b07dc9af Added semantic parsing of near expressions 2017-08-05 00:28:22 +02:00
Thomas Patzke d17604d007 Merge branch 'master' into travis-test 2017-08-03 00:11:08 +02:00
Thomas Patzke 5706361464 Parsing of "near ... within" aggregation operator 
* Operator is only parsed. No processing or passing of parsed data to
  backends.
* Changed rule sysmon_mimikatz_inmemory_detection.yml accordingly.
 2017-08-03 00:05:48 +02:00
Thomas Patzke 52525236a5 sigmac: added parameter to control error behavior 
* --defer-abort
* --ignore-not-implemented
 2017-08-02 00:56:22 +02:00
Thomas Patzke 3495bac9cb sigmac: return error codes 2017-07-31 00:31:49 +02:00
Ben de Haan 43c4486de0 Added LogPoint aggregation 
Added generateAggregation function for LogPoint
 2017-06-19 15:21:29 +02:00
Florian Roth c1f5bd1540 Sigmac bugfix: showing faulty condition 2017-06-12 10:07:15 +02:00
Thomas Patzke 9d49daecea Restructured backends 
Moved most logic into generic base class SingleTextQueryBackend which is
configured by class variables.
 2017-06-02 23:43:45 +02:00
Thomas Patzke 6a29884615 Structured backends module with comments 2017-05-26 23:42:49 +02:00
Thomas Patzke 998bb0079d Fixed Splunk config for sigmac again 2017-05-26 22:40:06 +02:00
Thomas Patzke 18a9fd18ef Fixed Splunk configuration 
Substituted source: with sourcetype:
 2017-05-26 00:13:30 +02:00
Florian Roth f66085b198 Added eventlog source DNS Server to configs 2017-05-08 13:09:17 +02:00
Thomas Patzke 05e9d1e1e9 Check if aggregation is present in BaseBackend 
Caused NotImplementedError in ElasticsearchQueryStringBackend.
 2017-04-17 00:11:20 +02:00
Ben de Haan dddb83393d Added field mappings for events with logins 2017-03-30 10:49:36 +02:00
Ben de Haan cb9a9bc2ff Added LogPoint conditional username mapping 
Conditional mapping of SubjectAccountName based on EventID. Not a comprehensive list, but should include most relevant Event IDs.
 2017-03-30 09:51:32 +02:00
Thomas Patzke c43166d5b9 Fixed log source configuration matching 2017-03-29 23:33:26 +02:00
Thomas Patzke a22fe58ac9 Aggregation support for Splunk backend 2017-03-29 23:18:47 +02:00
Thomas Patzke b62de742d7 Aggregation expression parsing 2017-03-29 23:17:43 +02:00
Thomas Patzke ae5ae8f763 Verbose mode prints tokens if parsing failed 2017-03-29 22:21:40 +02:00
Thomas Patzke 9698e8fdf7 Changed Logpoint SubjectAccountName mapping to conditional mapping 2017-03-25 00:27:29 +01:00
Thomas Patzke c978e19d88 Conditional field mappings 2017-03-25 00:21:44 +01:00
Thomas Patzke a4465ce844 Added 1:n field mapping 
MultiFieldMapping
 2017-03-24 00:58:11 +01:00
Thomas Patzke 5009794591 Changes to field mappings 
* Introduced field mapping objects
* moved mapping from backends into parse tree generation
  (SigmaParser.parse_definition)
 2017-03-24 00:48:32 +01:00
Florian Roth 7e180365ab PowerShell Classic Log in Splunk Config Example 2017-03-22 11:17:46 +01:00
Ben de Haan c3c405a95e LogPoint windows mapping 2017-03-20 16:57:19 +01:00
Thomas Patzke 1bf11dc471 Merge pull request #17 from benno001/master 
Fixed LogPoint list behaviour
 2017-03-20 08:58:16 +01:00
Ben de Haan c94b539b14 Fixed LogPoint list behaviour 2017-03-20 08:41:29 +01:00
Thomas Patzke d0bed75eb9 Added --output/-o parameter to sigmac 2017-03-18 23:15:03 +01:00
Florian Roth f34156138f Bugfix - Index 2017-03-18 13:57:42 +01:00
Florian Roth 8403e8072c Merge pull request #14 from benno001/master 
Added LogPoint backend
 2017-03-18 13:30:35 +01:00
Florian Roth f292a259a5 Adjusted Windows Splunk Config 2017-03-18 13:12:31 +01:00
Ben de Haan d18751a0ea Added LogPoint backend 2017-03-18 11:12:06 +01:00
Thomas Patzke 17c484163d Improved examples 2017-03-18 00:03:21 +01:00
Thomas Patzke b4f52d9cfb Windows index in Splunk example configuration 2017-03-17 23:30:11 +01:00
Thomas Patzke b865a858aa Generation of conditions for configured indices 2017-03-17 23:28:06 +01:00
Florian Roth dc00baacda Splunk Windows Configuration Example 2017-03-17 10:00:56 +01:00
Thomas Patzke d2a9a91175 Log source conditions are integrated in generated expressions 
Indices not yet included
 2017-03-14 23:22:32 +01:00
Thomas Patzke 52d7e9fc07 Parsing log sources in configuration files 2017-03-12 23:12:21 +01:00
Thomas Patzke 12e825783b Merge branch 'master' into devel-sigmac 2017-03-11 23:49:56 +01:00
Thomas Patzke 63e23af63c Merge branch 'devel-sigmac-config' into devel-sigmac 2017-03-11 23:49:41 +01:00