150afd816d
IP Clean
2019-10-22 17:49:50 +07:00
1c5816b214
update carbonblack module
2019-10-18 17:51:31 +07:00
7219e0b0f1
module carbonblack
2019-10-18 14:04:38 +07:00
826c1e3942
Fix QRadar backend config
2019-08-12 23:47:43 +02:00
b9ff280209
Cleanup of configuration names
2019-07-14 00:50:15 +02:00
161965d14c
Added version information to Winlogbeat configs
2019-06-30 22:44:12 +02:00
74021d53d8
Modified winlogbeat config to adhere to winlogbeat 7 field names breaking changes
...
ref: https://www.elastic.co/guide/en/beats/libbeat/current/breaking-changes-7.0.html
2019-06-30 12:13:21 +02:00
f4da0c5540
Added field SecurityID to Winlogbeat config
2019-06-19 23:35:50 +02:00
fdce7ad9bf
Addition of KeyLength field
2019-06-14 17:58:47 +03:00
5715413da9
Usage of Channel field name in ELK Windows config
2019-06-11 13:15:43 +02:00
6bf010fb4b
introduce elastalert-dsl
...
(cherry picked from commit 0235ec23200e62766d9f21fbd26ed834991a0b61)
2019-05-27 17:18:19 +02:00
11ed7e7ef8
Check for valid configuration/backend combinations
2019-05-20 01:00:33 +02:00
36aeb19721
Added title to all configurations
2019-05-16 23:33:51 +02:00
8cf505fcb3
Accidentally removed windows-dhcp logsource in spark's config file
2019-04-25 08:23:48 +02:00
79f7edb6b4
Added logsources for generic sigma rules to spark config, renamed spark config to thor config
2019-04-25 08:15:50 +02:00
6918784e87
Configuration order checking
2019-04-23 00:54:10 +02:00
c922f7d73f
Merge branch 'master' into project-1
2019-02-26 00:24:46 +01:00
004497075d
fix: spark source config bug
2019-02-12 23:27:38 +01:00
046510f021
updated HELK Destination IP name
2019-02-05 13:11:06 -05:00
a276d3083d
DHCP log source in sigmac configs
2019-02-05 14:35:23 +01:00
516bfc88ff
Added rule: RDP login from localhost
2019-01-28 22:43:22 +01:00
3eaf83cf5a
Improved configurations
...
Added Security/4688 field mappings
2019-01-16 23:37:18 +01:00
ba64f485ac
Added generic Windows audit log configuration
2019-01-16 22:41:42 +01:00
a9cf14438c
Merge branch 'master' into project-1
2019-01-14 22:36:15 +01:00
5cba0b9946
Merge pull request #223 from m0jtaba/master
...
extending the qradar backend to allow for timeframe query
2019-01-13 23:55:55 +01:00
aa37ef2559
extending the qradar backend to allow for timeframe query
2019-01-11 03:33:49 +00:00
44f18db80d
Fix YAML errors reported by yamllint
...
Especially the config for ArcSight, that was invalid:
tools/config/arcsight.yml
89:5 error duplication of key "product" in mapping (key-duplicates)
90:5 error duplication of key "conditions" in mapping (key-duplicates)
rules/windows/builtin/win_susp_commands_recon_activity.yml
10:9 error too many spaces after colon (colons)
2019-01-10 09:51:39 +01:00
a0486edeea
Field-Index Mapping File & SIGMA Rules Field names fix
...
+ Updated HELK field-index mapping file
+ After going through all the fields with 'fieldlist' output, I found a few rules that fixed.
2018-12-11 09:27:26 +03:00
68866433e8
Merge branch 'juju4-devel-sumo'
2018-12-10 22:37:58 +01:00
4175d0cdd5
Fixed config and added index field
...
* Added index field _index to backend implementation
* Fixed index values in config
2018-12-10 22:37:39 +01:00
1f707cb37c
Adding Sumologic backend
2018-12-09 17:55:51 -05:00
8c577a329f
Improve Rule & Updated HELK SIGMA Standardization Config
...
Rule should be focusing on the 'process_command_line' field and not just on any value of any event generated by powershell.exe.
SIGMA HELK standardization config updated to match latest HELK Common Information Model
2018-12-08 11:30:21 +03:00
99e0a4defb
fix: SPARK config duplicate identifier
2018-11-27 14:05:13 +01:00
26f73d60fa
Added NetWitness backend and tests
2018-10-31 14:07:59 -05:00
a61b3d352a
Added test cases
...
* Generic log sources
* Splunk index queries
2018-10-15 15:24:18 +02:00
7e184f01c6
Removing invalid fieldmapping
2018-10-13 19:53:39 -05:00
c66b00356d
Add initial version of PowerShell backend
...
* Add PowerShell backend
* Add PowerShell config file
State: Work in progress :)
See https://github.com/Neo23x0/sigma/issues/94
2018-09-23 21:41:48 +02:00
1d12fc290c
Added Winlogbeat configuration
2018-09-20 12:08:11 +02:00
d81946df39
Stacked configurations
...
- Added log source rewriting
- Removed log source merging condition type setting
- Simplified SigmaLogsourceConfiguration constructor
- Condition is generated in SigmaParser instead of SigmaLogsourceConfiguration
Missing:
- Merging of raw config dict for backends that rely on this (es-dsl)
2018-09-12 23:40:22 +02:00
9a61f40cef
added support flor flow data in qradar backend
2018-08-16 21:44:17 -07:00
320bb9f8c4
Added rewrite config to generic sysmon configuration
2018-08-14 21:34:54 +02:00
430972231f
Added generic sysmon configuration with process_execution config
2018-08-14 21:34:54 +02:00
b5f27d75be
Added Qradar backend
2018-07-17 15:25:06 +03:00
2a74a62c67
Config file for SPARK scanner
2018-06-29 16:42:16 +02:00
7edd95744a
Windows NTLM
2018-06-13 00:08:46 +02:00
d13e8d7bd3
Added ArcSight & Qualys backends
2018-06-07 16:18:23 +03:00
65cc78f9e8
Windows Config Update - DNS logs
2018-05-22 16:59:58 +02:00
17c1c1adff
Added field name mappings to HELK configuration
2018-03-27 14:41:02 +02:00
a3e02ea70f
Various rule fixes
...
* Field name: LogonProcess -> LogonProcessName
* Field name: Message -> AuditPolicyChanges
* Field name: ProcessCommandLine -> CommandLine
* Removed Type match in Kerberos RC4 encryption rule
Problematic because text representation not unified and audit failures are possibly interesting events
* Removed field 'Severity' from rules (Redundant)
* Rule decomposition of win_susp_failed_logons_single_source) because of different field names
* Field name: SubjectAccountName -> SubjectUserName
* Field name: TargetProcess -> TargetImage
* Field name: TicketEncryption -> TicketEncryptionType
* Field name: TargetFileName -> TargetFilename
2018-03-27 14:35:49 +02:00
e162ba0155
Added HELK configuration
2018-03-16 23:42:31 +01:00
gsanm