30dcc28a1f
Cisco ASA FTD Exploit CVE-2020-3452
2021-01-07 13:17:58 +01:00
fa6f75f07e
Update sumologic.yml
...
The commit from vihreb on October 6, 2020 (https://github.com/Neo23x0/sigma/commit/51df5ad8764cd6896a3ef83ad388aebc136d5815 ) removed some items from the allowed fields list for the sumologic backend (https://github.com/Neo23x0/sigma/blob/51df5ad8764cd6896a3ef83ad388aebc136d5815/tools/sigma/backends/sumologic.py#L161 ) with the expectation that they are included in the sumologic config, however the default sumologic config does not reflect that change. This breaks the parsing of maps from rules. For example, when trying to run sigmac on a rule with multiple EventID values, the result is an error that states "argument of type 'int' is not iterable."
I suspect that this change in the behavior of the backend was made to accommodate for new sumologic-cse config which may not need the additional allowed fields that the regular sumologic config does. As such, I think it would probably make the most sense to re-add these fields to the sumologic config file rather than directly back into the backend for sumologic.
Note: In the config, I did not include those fields that are presently hard coded in the allowed field list in the sumologic backend (e.g. _sourceCategory and _view were removed). I also removed "sourcename" since from what I can tell, the syntax that vihreb added to the sumologic backend "_sourceName" is actually correct.
2020-12-28 16:46:32 -05:00
d1f7a206b9
Merge pull request #1289 from weslambert/master
...
Fix typo
2020-12-13 19:04:07 +01:00
ad899899ab
Updated winlogbeat.yml config to include OriginalFileName
2020-11-26 14:48:14 -05:00
3a7c114ca3
Fix field mapping for DestinationHostname
2020-11-26 04:17:28 +01:00
0ed54a6cae
Merge pull request #1290 from arollyson/helix_backend
...
Backend: FireEye Helix
2020-11-21 00:06:19 +01:00
83b8af6cd2
Add FirEye Helix backend
2020-11-19 11:18:28 -05:00
832e582b8d
Fix typo
2020-11-17 17:44:40 -05:00
9944c0e563
Merge branch 'master' into pr/1267
2020-11-17 14:33:55 +01:00
eed4fe04d5
added role name field to ecs-cloudtrail.
2020-11-13 05:59:55 +05:00
43b9b17767
Merge pull request #1281 from andurin/kibana-ndjson-configs
...
kibana-ndjson for all configs which already have kibana
2020-11-11 07:34:37 +01:00
7e742cc049
kibana-ndjson for all configs which already have kibana
2020-11-09 08:46:17 +01:00
bf5d40eec3
New Backend - Kibana NDJSON
...
Tested against 7.9.3
2020-11-05 23:34:25 +01:00
90e211bad8
Create ecs-suricata.yml
2020-11-01 21:21:04 -03:00
51df5ad876
Added:
...
Sumo Logic CSE Rule Backend
Updated:
Mapping depence on logsource
Azure Sentinel Query Backend
MDATP: query with few logsources
CROWDSTRIKE: fix generateMapItemTypedNode
2020-10-06 15:07:52 +03:00
64035fd799
initial commit for Netwitness-EPL backend
2020-09-10 17:12:12 +02:00
172f7b371e
Change mapped Image to path
2020-08-17 15:05:44 +07:00
7e6828dd40
+ Adding Mitre Sub-Techniques and python update script to fetch latest Pre, Enterprise & Mobile Tactics and Techniques from Mitre CTI
2020-08-13 10:24:44 +01:00
8352eefe22
STIX Support keywords (value without field)
2020-07-28 18:52:02 +03:00
de475bb500
updated STIX mapping for more rule fields
2020-07-27 14:36:30 +03:00
9643e01b54
extension should use '..'
2020-07-26 12:16:48 +03:00
5019f2f160
added mapping for stix web, cloud, linux
2020-07-22 21:41:46 +03:00
0543ec1ae3
mapping update, removed unused fields
2020-07-21 19:49:26 +03:00
83623f396c
Merge remote-tracking branch 'upstream/master'
2020-07-21 17:22:06 +03:00
da30266c60
ImageLoaded mapping added
2020-07-21 17:21:14 +03:00
94272c7770
Revert "Ref #933 - Added windows Process Creation to config"
...
This reverts commit 6c35a7afa0
2020-07-16 14:30:17 +02:00
6c35a7afa0
Ref #933 - Added windows Process Creation to config
2020-07-16 13:16:57 +02:00
6c999df3b7
Added AppLocker log source
2020-07-13 20:48:06 +00:00
8e3f973e69
Added AppLocker log source
2020-07-13 20:46:49 +00:00
bdfb646228
Added AppLocker log source
2020-07-13 20:45:30 +00:00
364af53902
Added AppLocker log source
2020-07-13 20:44:03 +00:00
326cf05a74
Added AppLocker log source
2020-07-13 20:41:54 +00:00
46a6183745
Added AppLocker log source
2020-07-13 20:32:03 +00:00
a58e037509
Added AppLocker log source
2020-07-13 20:30:02 +00:00
7fb2e2b845
Added AppLocker log source
2020-07-13 20:29:13 +00:00
e376948258
Added AppLocker log source
2020-07-13 20:27:52 +00:00
0d925896b9
Added AppLocker log source
2020-07-13 20:23:42 +00:00
c30a256030
Added AppLocker log source
2020-07-13 20:21:46 +00:00
1da229e3a9
Added AppLocker log source
2020-07-13 20:20:28 +00:00
3a19e3cf23
Added AppLocker log source
2020-07-13 20:18:01 +00:00
ca7cf8478d
- IntegrityLevel mapping to integritylevel
2020-07-08 19:37:24 +03:00
8855a87dbf
- TargetProcessAddress mapping should be as startaddress mapping
...
- remove extra '-'
2020-07-08 17:35:57 +03:00
8889ae21ca
DestinationPort to network-traffic:dst_port mapping fix
2020-07-08 14:31:04 +03:00
acbab2db4b
stix backend + mapping configurations for windows logs and qradar
2020-07-07 15:04:16 +03:00
c8ca55b3e4
fix: duplicate wrong old key
2020-07-06 17:14:59 +02:00
cc31ed8b84
fix: missing NTLM log source in THOR
2020-07-06 17:07:06 +02:00
939156fa6d
Introduced dns_query log source category
2020-07-05 23:29:51 +02:00
8b3b312c4e
Proposed fix for https://github.com/Neo23x0/sigma/issues/889
...
This change removes dns events from the network connection category. The
one change is that sysmon_regsvr32_network_activity.yml needs to test
the network connection category separately from the DNS event id.
2020-07-03 16:28:19 -04:00
43e5ae5d24
Added Windows NTLM log source + fixes
2020-07-02 23:20:36 +02:00
9c0f9f398f
refactor: sysmon rule cleanup > generlization
2020-07-01 10:58:39 +02:00
Florian Roth