security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,877 Commits 1 Branch 57 Tags
d08ff35222c191598e784dc656b2b91ef979bd92
Commit Graph

249 Commits

Author SHA1 Message Date
Lep d08ff35222 postAPI 2019-11-28 11:45:49 +07:00
gsanm 150afd816d IP Clean 2019-10-22 17:49:50 +07:00
lep 1c5816b214 update carbonblack module 2019-10-18 17:51:31 +07:00
lep 7219e0b0f1 module carbonblack 2019-10-18 14:04:38 +07:00
agold 0984293d0c Support for Malicious cmdlets in ATP 2019-08-20 14:33:08 -07:00
svent 1ea6d00a39 Fix QRadar field name escaping and handling 2019-08-12 23:47:43 +02:00
Michiel Meersmans 0708fdd28e Correctly escape slashes within es-dsl wildcard queries 2019-08-07 12:56:19 +02:00
Florian Roth 9c85d5e80f Merge pull request #406 from tuckner/master 
Fix ala parsing issues
 2019-08-06 10:28:07 +02:00
Thomas Patzke 805c739611 Merge branch 'devel-modifiers' 2019-07-31 23:44:10 +02:00
Thomas Patzke 31c6ffcb61 No escaping for typed values 2019-07-31 23:43:29 +02:00
tuckner 8f2f1922c6 Merge pull request #1 from Neo23x0/master 
update fork
 2019-07-27 21:27:52 -05:00
Thomas Patzke 8a3117d73e Nested list handling for chained value modifiers 2019-07-16 23:03:19 +02:00
Thomas Patzke 6881967889 Further modifiers 
* base64
* base64offset
 2019-07-16 00:00:35 +02:00
Thomas Patzke 1bb29dca26 Implemented type modifiers and regular expressions 2019-07-15 22:52:10 +02:00
Thomas Patzke 5489f870cc Merge pull request #393 from HacknowledgeCH/master 
Explicit OR for list elements
 2019-07-13 23:11:44 +02:00
Thomas Patzke 134bfebe57 Ignore "timeframe" detection keyword in "all/any of" conditions 
Fixes #395
 2019-07-13 00:35:35 +02:00
christophetd 576912eb7a Support OR queries for Elasticsearch 6 and above 2019-07-08 17:12:53 +02:00
Florian Roth f7ba2b3976 fix: bug in sumologic backend with 'null' values 2019-07-02 22:31:10 +02:00
Thomas Patzke 337681cfce Value modifiers 
* First transformation modfiers: contains, all
* Sigma converter modifier list
 2019-06-30 23:41:28 +02:00
Thomas Patzke 6fab5d7f23 Improved testing and removed dead&debug code 2019-06-29 00:09:53 +02:00
Thomas Patzke 377872c91e Merge branch 'devel-sumo' of https://github.com/juju4/sigma into juju4-devel-sumo 2019-06-28 23:39:15 +02:00
Thomas Patzke 0c7151c901 Watcher backend default options, refactoring and testing 2019-06-28 23:22:16 +02:00
Adrian Constantin Stanila feac0be8a4 Added 2 more actions on Elasticsearch X-pack Watcher: index and webhook 
Added timestamp filter query.
 2019-06-27 08:54:59 +03:00
juju4 654a009c9e sumologic backend: remove TypeError 2019-06-22 16:49:46 -04:00
juju4 559d0f4ba8 sumologic backend: force as string 2019-06-22 16:43:50 -04:00
juju4 2df0e9765c sumologic backend: pycodestyle review - E501 2019-06-22 16:41:57 -04:00
juju4 49533a5909 sumologic backend: pycodestyle review 2019-06-22 16:39:13 -04:00
juju4 84de12635e self.debug option, fix multiple keyvalue escapings/cleanValue, inline index for now 2019-06-22 16:19:45 -04:00
juju4 a11d800353 Merge branch 'master' into devel-sumo 2019-06-22 09:18:23 -04:00
John Tuckner 3529b717cb fixed backend errors in ala 2019-06-10 09:25:59 -05:00
Thomas Patzke 673973e523 Merge pull request #357 from agix/es_dsl_bug 
fix missing condition when unique plus timeframe
 2019-05-30 22:42:09 +02:00
Thomas Patzke 8023011bb1 Merge branch 'elastalert_dsl_backend' of https://github.com/agix/sigma into agix-elastalert_dsl_backend 2019-05-30 22:33:57 +02:00
Florian GAULTIER 89c1d7b63d Wrong fix, self.queries should be emptied after copied to rule_object 2019-05-29 16:10:14 +02:00
Florian GAULTIER 748ac2e206 Dont combine multiple queries 2019-05-29 16:05:53 +02:00
Thomas Patzke 04d91573f3 Merge pull request #355 from agix/allow_empty_keyword 
Allow empty keyword_field
 2019-05-28 21:45:55 +02:00
Thomas Patzke 2ecc55c13f Merge pull request #351 from ipninichuck/master 
added metadata field to the watcher alert
 2019-05-28 21:42:27 +02:00
Florian GAULTIER d866e75750 Be sure there is a key in the single condition 2019-05-27 17:27:16 +02:00
Florian GAULTIER e8a7c5f7b9 fix missing condition when unique plus timeframe 2019-05-27 17:22:28 +02:00
Florian GAULTIER 6bf010fb4b introduce elastalert-dsl 
(cherry picked from commit 0235ec23200e62766d9f21fbd26ed834991a0b61)
 2019-05-27 17:18:19 +02:00
Florian GAULTIER 4168c0ec64 Allow empty keyword_field 2019-05-27 15:08:33 +02:00
Thomas Patzke eb9564557e Moved generic class discovery code into new tools module 2019-05-26 22:29:07 +02:00
Thomas Patzke 84690280c5 Improved behavior on missing configuration 
Listing all configus usable with chosen backend
 2019-05-24 22:41:47 +02:00
ipninichuck 75ec169d5c added metadata field to the watcher alert 
While utilizing Kibana to track watches directly from the watch index it became quickly apparent that useful metadata was not available. In my project's case it was the title, description and tags from the sigma rule. By adding them to the metadata field it makes it easier to utilize them in visualizations of the watches themselves. In the future perhaps the contents of the metadata field could be given as an option for each user.
 2019-05-22 04:30:47 -07:00
Thomas Patzke 194afa739f Generate rule name for each condition 
In backends kibana and xpack-watcher.

Fixes #329
 2019-05-21 00:36:19 +02:00
Thomas Patzke af0bd1b082 Removed debug code from backend option handling 
Additionally: code simplification
 2019-05-21 00:21:52 +02:00
Thomas Patzke 7e163d71eb Added option to use old URL in xpack-watcher backend 2019-05-21 00:01:21 +02:00
Thomas Patzke 4e63e925cf Merge branch 'patch-1' of https://github.com/lliknart/sigma into lliknart-patch-1 2019-05-20 23:43:49 +02:00
Thomas Patzke e271484eef Load configurations via new config management 2019-05-20 00:27:35 +02:00
Thomas Patzke 3d20e0bc98 Sigma configuration management with listing 
Missing:
* Use config by identifier
 2019-05-17 09:13:59 +02:00
Thomas Patzke 71ff6bd943 Catch type errors in configuration handling 2019-05-16 23:34:44 +02:00