a67ab607a1
feat: add Microsoft-Windows-LDAP-Client/Debug provider
2022-11-15 11:39:42 +01:00
a605380279
fix: fix broken mapping
2022-11-15 11:39:28 +01:00
2f5fe64099
Update service to openssh
2022-10-25 20:01:02 +02:00
9b7af82e23
Add OpenSSH/Operational
2022-10-25 19:07:53 +02:00
14c08635ef
Add PowerShellCore Channel
2022-10-19 00:07:09 +02:00
40f64a6b69
fix: unneeded fieldmapping for THOR/Aurora
2022-10-12 16:17:18 +02:00
85d33e4af9
Merge pull request #3525 from vastlimits/feature/ame-7.0
...
Updated uberAgent backend to support version 7.0.
2022-10-06 06:42:57 +02:00
febeadfb4c
BACKEND: updating production config
2022-10-05 19:43:39 +00:00
652447696b
Update datadog sigmac
2022-09-28 08:30:03 -04:00
979502921f
define security-mitigations service
2022-09-28 06:23:50 +09:00
5d9edbbb28
Merge remote-tracking branch 'origin/master' into feature/ame-6.3
2022-09-27 09:48:24 +02:00
dd1fed29a0
Add shell-core service
2022-09-27 06:36:01 +02:00
048de3fc81
add diagnosis-scripted to windows services file
2022-09-27 10:43:38 +09:00
119cfe9558
fix: missing WinEventLog prefix for splunk/thor logsources
2022-08-23 11:50:15 +02:00
fbc7519b94
Merge pull request #3385 from nasbench/nasbench-rule-devel
...
Update Sysmon Config
2022-08-17 09:29:54 +02:00
4abd506a4c
Merge pull request #3387 from redsand/backend_hawk_config_update_before_pysigma_migration
...
Backend: hawk. last update to config until pySigma migration (hopefully)
2022-08-16 22:13:29 +02:00
726406f64d
Backend: hawk. last udpate to config until pySigma migration (hopefully)
2022-08-16 19:58:16 +00:00
f37fd2375b
Update config
2022-08-16 20:18:46 +01:00
d5133bcdd7
Update Sysmon
2022-08-16 19:47:44 +01:00
6407089a40
Change service to diagnosis scripted
2022-08-15 12:45:12 +01:00
d09037c9ad
Add 2 New EventLog Sources
...
- Microsoft-Windows-Shell-Core/Operational
- Microsoft-Windows-Diagnosis-Scripted/Operational
2022-08-14 21:38:36 +01:00
8041ab5130
Merge pull request #3325 from nasbench/nasbench-rule-devel
...
Update+New Rules
2022-08-05 23:42:09 +02:00
f2bec5c6af
Update provider + rules
2022-08-04 21:58:07 +01:00
a073590c2f
Add Security-Mitigations-User Mode log
2022-08-04 13:44:55 +01:00
b3088d45b4
Merge branch 'master' into feature/ame-6.3
2022-08-04 09:43:23 +02:00
b9e78e4656
mitre_update: updates resulting json to current state
2022-08-03 14:05:34 -05:00
3f402e3007
Merge pull request #3304 from d4rk-d4nph3/master
...
Added rule for Defender DLL sideloading
2022-08-03 10:46:37 +02:00
5f0347d94d
Backend: adjusting http_path to match, along with expanding event_channel, since channel key has collisions
2022-08-02 23:39:49 +00:00
87a0c9e1b9
Merge branch 'master' into master
2022-08-02 18:10:24 +02:00
afa0d77025
refactor: adding new channel to all backends
2022-08-02 18:08:29 +02:00
4bbc1bc119
Support for Security-Mitigations provider
2022-08-02 13:32:22 +05:45
b39ec30d06
Backend: hawk update to support boolean comparison values and some column translation updates
2022-07-29 13:56:15 +00:00
381c26fd94
Fix issue with using source: on Zeek files log
...
Line 407 was `source: id.orig_h` so that people could use the word `source` as an alias to `id.orig_h`, however there is a literal field with the name `source` in the `files.log` for Zeek, so having a Sigma query with something like `source: 'SMTP'` would yield `id.orig_h='SMTP'` in the resulting Splunk translation, which is incorrect. It should be `source='SMTP'`
Commenting out line 407 fixes this.
2022-07-19 15:16:20 -05:00
4625d8fb6c
Merge branch 'SigmaHQ:master' into dnif-backend
2022-07-13 17:30:17 +05:30
955b3dc66b
fix: missing Defender eventlog in splunk config
2022-07-06 12:41:34 +02:00
b80448a0e7
added new backend for DNIF queries
2022-06-30 13:03:54 +05:30
227eefc985
Merge pull request #3128 from f-block/patch-2
...
ProviderName seems to be wrong
2022-06-14 20:58:11 +02:00
e10a9f0257
Re-added powershell related "ProviderName" mapping
2022-06-14 20:48:36 +02:00
1e0a9fd8c1
Mapping name "Provider_Name" instead of "ProviderName"
...
The mapping identifier `ProviderName` doesn't occur in any windows rule (except one: `powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml`).
Instead, the identifier `Provider_Name` is used.
2022-06-14 18:17:35 +02:00
06234d831d
ProviderName seems to be wrong
...
`ProviderName: winlog.event_data.ProviderName` seems to be wrong (at least in our case). Actually, the mapping from the `winlogbeat-modules-enabled.yml` would be correct, but we definitely don't use the modules (the other mappings don't apply). Maybe the two got mixed up? Can't verify it for the modules config, but at least the `winlogbeat.yml` does seem to have this mapping wrong.
2022-06-14 17:45:36 +02:00
b6ecf5cffd
Fixes typo for TargetServerName mapping
2022-06-14 17:40:33 +02:00
4d7d0b3235
backend - updating hawk backend with additional translations
2022-06-08 19:04:37 +00:00
6ca03d741b
adding additional file hash column translation
2022-05-23 21:11:34 +00:00
605a0bc678
Backend: adding additional entries to hawk.yml
2022-05-23 18:46:50 +00:00
ab7d7dbed8
Update sysmon.yml
...
typo in config
2022-05-20 13:47:18 +04:00
232fd9ad17
removing duplicate
2022-05-10 13:19:22 +00:00
ad727e11e9
adding additional zeek categories to sort out false positive matching
2022-05-10 03:39:16 +00:00
278e825794
fixing hawk backend fields for zeek. wrong character
2022-05-10 01:45:17 +00:00
0709758651
Adding updates for zeek, as well as some missing sections for windows. internal review of rules will continue.
2022-05-09 23:23:35 +00:00
ad003de3fb
Fixing mismatch of sigs when using system/app/security and additional matching against provider name
2022-05-04 14:58:02 +00:00
Nasreddine Bencherchali