789dfb3f47
Merge pull request #1291 from lprat/fix_issue_1285
...
fix issue 1285
2020-12-30 23:06:38 +01:00
675d93ee3d
Replaced string comparison with isinstance
2020-12-30 22:50:13 +01:00
1bb0963784
Moved set_size option to class where it's used
2020-12-30 22:25:57 +01:00
7e6f01f611
elasticsearch backend: new parameter and fields support
2020-12-14 16:07:09 +01:00
97fcae56fd
Update sigmac.py
2020-12-06 20:08:00 +01:00
4a4d3e1d35
Update sigmac.py
2020-12-04 18:22:24 +01:00
a40ef7360d
Add sigmac flag to delimit results by NUL instead of \n
2020-12-04 18:05:23 +01:00
578d2f0585
Merge pull request #1283 from 404d/mdatp-fixes
...
mdatp: Mapping and generic event changes, case insensitive search
2020-11-29 21:56:17 +01:00
0ed54a6cae
Merge pull request #1290 from arollyson/helix_backend
...
Backend: FireEye Helix
2020-11-21 00:06:19 +01:00
7ca368d1ed
fix issue 1285
...
https://github.com/Neo23x0/sigma/issues/1285
2020-11-20 16:42:20 +01:00
83b8af6cd2
Add FirEye Helix backend
2020-11-19 11:18:28 -05:00
c0a7cdc3de
mdatp: Use case-insensitive searches by default
...
This sohuld match the draft Sigma specification as well as other backends
2020-11-12 14:09:30 +01:00
a75d4fb561
mdatp: Add more field mappings and table<->generic event mappings, skip IMPHASH as it's not supported
2020-11-12 13:15:38 +01:00
446b0b7f9d
Merge branch 'master_origin'
2020-11-11 12:32:53 +01:00
a58d04e4df
Rules: Support image_load
2020-11-11 12:31:55 +01:00
230562bdf6
Merge pull request #1278 from K-Yo/update-navigator-v4
...
Update navigator v4
2020-11-10 13:34:46 +01:00
c087e39698
Merge pull request #1277 from K-Yo/fix-unicode-error
...
Fix unicode error in sigma2attack
2020-11-10 13:34:05 +01:00
96e90fbff2
Fix recursion of rules
2020-11-06 12:43:52 +01:00
34f24a60a1
Updating attack navigator version to v4.0
2020-11-05 23:37:01 +01:00
bf5d40eec3
New Backend - Kibana NDJSON
...
Tested against 7.9.3
2020-11-05 23:34:25 +01:00
31639366cd
Fix unicode error in sigma2attack
2020-11-05 22:30:12 +01:00
f0e89b0c8c
Fixed: typecheck in sumologig-cse
2020-10-23 19:49:55 +02:00
2fb7dd5e99
Fixes
...
* Removed Splunk regex query
* Added test for sumologic-cse backend
2020-10-23 15:31:00 +02:00
9dc806448c
Merge branch 'master' of https://github.com/socprime/sigma into pr-1049
2020-10-23 14:57:25 +02:00
383823f49a
Fix: added default value of current_table
2020-10-21 10:12:17 +03:00
ca852eca0e
PR Review: Minor fixes
2020-10-21 08:54:50 +02:00
f45e45d736
Fix: Import SigmaRegularExpressionModifier in the splunk backend.
2020-10-20 18:13:53 +03:00
03ad9e22e1
Backend: uberAgent ESA converter backend
...
This commit adds the first version of the uberAgent ESA converter backend for sigma. This backend generates ESA compatible query rules for uberAgent ESA Activity Monitoring.
2020-10-20 13:23:05 +02:00
976fc92b22
Merge pull request #971 from alan8trend/parse_nested_parentheses
...
Add support nested parentheses for Sigma condition
2020-10-12 23:30:36 +02:00
e8cdd4777a
Merge pull request #1026 from ryanplasma/fix-pymisp-error
...
Fix error with pymisp in sigma2misp
2020-10-12 23:14:13 +02:00
51df5ad876
Added:
...
Sumo Logic CSE Rule Backend
Updated:
Mapping depence on logsource
Azure Sentinel Query Backend
MDATP: query with few logsources
CROWDSTRIKE: fix generateMapItemTypedNode
2020-10-06 15:07:52 +03:00
d3ee1aba66
docs: MITRE ATT&CK(R) trademark references removed or adjusted
...
https://github.com/Neo23x0/sigma/issues/1028
2020-09-30 08:53:52 +02:00
cdbee4b531
Fix error with pymisp in sigma2misp
2020-09-29 12:01:33 -04:00
378d9c94cf
Merge branch 'master' of https://github.com/socprime/sigma into pr-981
2020-09-15 12:14:49 +02:00
5119f887c8
add Regular expression support
...
Add Regular expression support for netwitness-epl backend
2020-09-14 22:04:47 +02:00
531557465c
delete raise exception in case of sigma key is keyword(s)
2020-09-14 16:00:03 +02:00
09f25cf992
delete sqlparse module usage
2020-09-10 19:05:55 +02:00
e74846b767
modify comment
2020-09-10 18:09:15 +02:00
64035fd799
initial commit for Netwitness-EPL backend
2020-09-10 17:12:12 +02:00
a2fec9f3b9
Fix sysmon backend
2020-08-28 12:26:40 +03:00
f21b3c50c6
control whether to use an analyzed field or different type if a query/value contains a wildcard.
...
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com >
2020-08-25 13:13:18 -04:00
a7ffb96b6b
elasticsearch regex escape of '.' for case insensitivity backend options
...
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com >
2020-08-25 13:10:25 -04:00
76910eaee4
fix sub field name usage if there are 3 or more fields..
...
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com >
2020-08-25 12:56:57 -04:00
0d713e4544
control whether to use an analyzed field or different type if a query/value contains a wildcard.
...
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com >
2020-08-25 12:56:33 -04:00
1921e9dd89
Fix wild card and some escaped characters
2020-08-18 15:57:13 +07:00
d3ba1e4fb8
Add sysmon backend
2020-08-18 11:20:22 +03:00
01125ffd3b
Fixed: Elastalert backend handling of conditional field mappings
2020-08-11 23:29:18 +02:00
e9af2fb119
support nested conditions for Sigma
...
The parser finds the close token in pairs with left token.
So the parser will support nested parentheses in the conditions.
2020-08-07 14:58:32 +08:00
8352eefe22
STIX Support keywords (value without field)
2020-07-28 18:52:02 +03:00
32cf352236
Merge remote-tracking branch 'upstream/master'
2020-07-26 14:56:06 +03:00
Thomas Patzke