046510f021
updated HELK Destination IP name
2019-02-05 13:11:06 -05:00
a276d3083d
DHCP log source in sigmac configs
2019-02-05 14:35:23 +01:00
6215a694a8
Remove escaping from '\\*' in es-dsl backend
2019-02-02 23:51:11 +01:00
8a0784ad33
Fixed escaping of \\*
2019-02-02 00:18:58 +01:00
516bfc88ff
Added rule: RDP login from localhost
2019-01-28 22:43:22 +01:00
8336b47530
Merge branch 'master' of https://github.com/Neo23x0/sigma
2019-01-14 22:12:37 +01:00
cc4b806b94
Sigma tools release 0.7.1
2019-01-14 00:26:03 +01:00
5cba0b9946
Merge pull request #223 from m0jtaba/master
...
extending the qradar backend to allow for timeframe query
2019-01-13 23:55:55 +01:00
aa37ef2559
extending the qradar backend to allow for timeframe query
2019-01-11 03:33:49 +00:00
44f18db80d
Fix YAML errors reported by yamllint
...
Especially the config for ArcSight, that was invalid:
tools/config/arcsight.yml
89:5 error duplication of key "product" in mapping (key-duplicates)
90:5 error duplication of key "conditions" in mapping (key-duplicates)
rules/windows/builtin/win_susp_commands_recon_activity.yml
10:9 error too many spaces after colon (colons)
2019-01-10 09:51:39 +01:00
73b0c3a25b
Fixed wildcard issue for es-dsl backend
...
Moved field mapping code into mixin shared by es-qs and es-dsl.
2018-12-21 14:10:45 +01:00
75c7d65240
Merge pull request #211 from Cyb3rWard0g/master
...
Field-Index Mapping File & SIGMA Rules Field names fix
2018-12-19 00:38:06 +01:00
ffd43823cf
Fixed wildcard issue in es-qs backend and depending
...
See GitHub issue #194 . Fix for es-dsl is pending.
2018-12-19 00:33:12 +01:00
a0486edeea
Field-Index Mapping File & SIGMA Rules Field names fix
...
+ Updated HELK field-index mapping file
+ After going through all the fields with 'fieldlist' output, I found a few rules that fixed.
2018-12-11 09:27:26 +03:00
68866433e8
Merge branch 'juju4-devel-sumo'
2018-12-10 22:37:58 +01:00
4175d0cdd5
Fixed config and added index field
...
* Added index field _index to backend implementation
* Fixed index values in config
2018-12-10 22:37:39 +01:00
93d1d700d4
Merge remote-tracking branch 'upstream/master'
2018-12-10 07:04:30 +03:00
1f707cb37c
Adding Sumologic backend
2018-12-09 17:55:51 -05:00
2091c90538
Fixed ElastAlert *_key options
...
* Always use .keyword field instead of analyzed one
* Fixed 'null' value if group field was not set
2018-12-09 22:33:23 +01:00
8c577a329f
Improve Rule & Updated HELK SIGMA Standardization Config
...
Rule should be focusing on the 'process_command_line' field and not just on any value of any event generated by powershell.exe.
SIGMA HELK standardization config updated to match latest HELK Common Information Model
2018-12-08 11:30:21 +03:00
246ad7c59a
Revert "Fixed wildcards in es-qs backend"
...
This reverts commit 49d464f979#194 broke the generation of many other rules,
see #203 .
2018-12-05 09:07:07 +01:00
f9d9d653dc
Merge pull request #199 from sisecbe/patch-1
...
Distinct count in aggragation function
2018-12-04 23:42:16 +01:00
2bf0170956
Merge pull request #202 from tuckner/master
...
Fixed backslash escape
2018-12-03 22:22:53 +01:00
2c5c92ab0a
fixed backslash escape
2018-12-03 15:09:29 -06:00
0a5caae5df
Merge branch 'master' of https://github.com/lsoumille/sigma into lsoumille-master
2018-11-28 23:53:15 +01:00
99e0a4defb
fix: SPARK config duplicate identifier
2018-11-27 14:05:13 +01:00
50c74b94bc
add elastalert backend support
2018-11-23 20:39:15 +01:00
c848c473a3
Error when empty fields attribute
2018-11-23 15:37:42 +01:00
31eae25756
Indentation error
2018-11-23 15:20:17 +01:00
e43909678e
Added the fields attribute parser
...
Make a table with the fields present in the fields attribute
2018-11-23 15:11:12 +01:00
c2eb87133d
Distinct count in aggragation function
...
Added dc() instead of count() when group-by field is present. Because count() doesn't do a distinct count in Splunk. Must be the dc() function instead.
2018-11-23 15:04:08 +01:00
aa1a953a65
Moved node dumping code to generic location
2018-11-21 23:22:38 +01:00
26d888aec3
Removed "not null" handling code
...
Feature was removed some time ago.
2018-11-21 22:56:48 +01:00
9e28669c33
Backend es-qs return quotes on empty or whitespace-only string
2018-11-21 22:29:12 +01:00
49d464f979
Fixed wildcards in es-qs backend
2018-11-20 23:23:54 +01:00
396a030ed1
Removed duplicate code
2018-11-07 22:52:12 +01:00
116a0e9f03
Merge branch 'master' of https://github.com/tuckner/sigma into tuckner-master
2018-11-07 22:27:41 +01:00
5053cc4e95
Fixed optimizing of not conditions with subexpressions
...
Optimization pass traversal is cut at ConditionNOT nodes.
2018-11-07 13:54:45 +01:00
a88b1e81ec
Optimizer debugging code cleanup
...
* Removed commented debugging code
* Output to stdin
* Coverage exception for _dumpNode
2018-11-07 13:49:08 +01:00
ca6ba4a85b
Added NetWitness backend and tests
2018-10-31 14:24:14 -05:00
26f73d60fa
Added NetWitness backend and tests
2018-10-31 14:07:59 -05:00
eacfaa7460
Check for forbidden null values in list items in Splunk backend
2018-10-27 01:07:03 +02:00
423a73efd5
Dropped .py suffix
2018-10-22 23:02:05 +02:00
b2d6d73034
Added requirements
2018-10-22 22:43:59 +02:00
16e3838a90
Renamed script
2018-10-19 21:23:33 +02:00
6b14930302
Recursive path traversal
2018-10-19 21:21:33 +02:00
67b416379f
Improved import of multiple rules
2018-10-19 19:53:00 +02:00
0cc8b77307
Merge branch 'master' of https://github.com/pivotforensics/sigma into pivotforensics-master
2018-10-18 15:56:26 +02:00
e501c4a5b9
Added additional output type 'json' to the xpack-watcher backend which prints each watcher as compress json, one watcher per line
2018-10-17 10:38:56 +02:00
5b33713ef8
Quick fix for string formatting bug
2018-10-13 20:21:37 -05:00
neu5ron