fbeb32e24f
fix: broken winlogbeat bitlocker config
2023-01-17 19:13:33 +01:00
e5fe4d5f46
feat: update config files
...
- Update indentation of config files to 4
- Add new event logs
2023-01-17 01:00:24 +01:00
c7f1f52b7b
fix: apply suggestions from code review
2023-01-13 18:19:32 +01:00
deeac89f36
Add lsa-server
2023-01-13 17:56:02 +01:00
acf4a404d5
feat: add Microsoft-Windows-AppXDeploymentServer/Operational
2023-01-11 22:23:52 +01:00
9b550f6858
Add win_vhdmp_mount_iso
2023-01-09 10:19:41 +01:00
3bd12552bb
feat: add bitlocker channel
2023-01-02 22:19:32 +01:00
a67ab607a1
feat: add Microsoft-Windows-LDAP-Client/Debug provider
2022-11-15 11:39:42 +01:00
2f5fe64099
Update service to openssh
2022-10-25 20:01:02 +02:00
9b7af82e23
Add OpenSSH/Operational
2022-10-25 19:07:53 +02:00
14c08635ef
Add PowerShellCore Channel
2022-10-19 00:07:09 +02:00
6407089a40
Change service to diagnosis scripted
2022-08-15 12:45:12 +01:00
d09037c9ad
Add 2 New EventLog Sources
...
- Microsoft-Windows-Shell-Core/Operational
- Microsoft-Windows-Diagnosis-Scripted/Operational
2022-08-14 21:38:36 +01:00
f2bec5c6af
Update provider + rules
2022-08-04 21:58:07 +01:00
a073590c2f
Add Security-Mitigations-User Mode log
2022-08-04 13:44:55 +01:00
afa0d77025
refactor: adding new channel to all backends
2022-08-02 18:08:29 +02:00
227eefc985
Merge pull request #3128 from f-block/patch-2
...
ProviderName seems to be wrong
2022-06-14 20:58:11 +02:00
e10a9f0257
Re-added powershell related "ProviderName" mapping
2022-06-14 20:48:36 +02:00
1e0a9fd8c1
Mapping name "Provider_Name" instead of "ProviderName"
...
The mapping identifier `ProviderName` doesn't occur in any windows rule (except one: `powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml`).
Instead, the identifier `Provider_Name` is used.
2022-06-14 18:17:35 +02:00
06234d831d
ProviderName seems to be wrong
...
`ProviderName: winlog.event_data.ProviderName` seems to be wrong (at least in our case). Actually, the mapping from the `winlogbeat-modules-enabled.yml` would be correct, but we definitely don't use the modules (the other mappings don't apply). Maybe the two got mixed up? Can't verify it for the modules config, but at least the `winlogbeat.yml` does seem to have this mapping wrong.
2022-06-14 17:45:36 +02:00
b6ecf5cffd
Fixes typo for TargetServerName mapping
2022-06-14 17:40:33 +02:00
43f3a31d19
feat: new service definition - terminal services
2022-04-29 12:26:26 +02:00
213f7fff5c
refactor: make antivirus a category
2022-03-24 11:59:33 +01:00
53651cdd2f
Add Bits-Client rules
2022-03-03 06:27:00 +01:00
8cfab22acb
Add firewall-as basic rules
2022-02-19 10:18:49 +01:00
68f0cdf338
feat: new log channel windows-codeintegrity-operational
...
https://twitter.com/SBousseaden/status/1483810148602814466
2022-01-20 09:44:36 +01:00
6ccff2cff5
Added support for threshold rules
2021-08-18 18:15:18 -07:00
faba4f481b
initial commit
2021-08-05 18:50:18 -07:00
d2592ee0b6
Add yamllint to GHA
...
Signed-off-by: Gábor Lipták <gliptak@gmail.com >
2021-07-26 21:26:16 -04:00
bdb77780b3
Update winlogbeat.yml
...
Change Imphash's value as current one does not exist without the Sysmon processor module under Winlogbeat.
2021-07-10 11:37:36 +08:00
4e3b275056
Fix more windows fields name
2021-07-07 12:28:00 +02:00
5c9ca35bb6
Add the last missing
2021-07-07 09:10:50 +02:00
e76f30d59c
Add some missing fields mapping
2021-07-06 15:56:33 +02:00
825ff5520b
Merge pull request #1597 from SigmaHQ/rule-devel
...
config: add PrintService Operational
2021-07-01 10:27:43 +02:00
63f3fd7e73
config: add PrintService Operational
2021-07-01 09:55:15 +02:00
19962c6fe4
Merge pull request #1590 from SigmaHQ/rule-devel
...
config: mappings for Microsoft print service
2021-06-30 14:50:52 +02:00
a49bfb14dd
refactor: Admin log - not Operational
2021-06-30 14:22:40 +02:00
26cfbb9c34
config: mapping for Microsoft SMBClient service - security
2021-06-30 14:16:26 +02:00
8262a1d98b
config: mappings for Microsoft print service
2021-06-30 14:09:44 +02:00
bf98f43850
Set powershell_alternate_powershell_hosts.yml more accurate by adding the correct channel for EventID
2021-06-01 10:47:17 +02:00
aa34ff8e3c
Addition of System channel for more accurate detection
2021-05-30 09:27:08 +02:00
3926e2388f
Added ScriptBlockText as a field for winlogbeat configs as per https://www.elastic.co/guide/en/beats/winlogbeat/master/exported-fields-winlog.html
2021-05-04 15:23:47 -04:00
3fd396f4db
Updated winlogbeat configuration file to support File Product details
2021-03-30 13:21:14 -04:00
3c5624ca88
Update winlogbeat.yml
...
add `SAMAccountName: winlog.event_data.SamAccountName` mapping for rules/windows/builtin/win_vul_cve_2020_1472.yml
2021-03-15 23:54:28 +08:00
2971a08734
Update winlogbeat.yml
...
add AccessList mapping of winlogbeat for rules/windows/builtin/win_susp_lsass_dump_generic.yml.
2021-03-15 23:01:07 +08:00
e1f43f17c2
fixed various spelling errors all over rules and source code
2021-02-24 14:43:13 +00:00
ad899899ab
Updated winlogbeat.yml config to include OriginalFileName
2020-11-26 14:48:14 -05:00
7e742cc049
kibana-ndjson for all configs which already have kibana
2020-11-09 08:46:17 +01:00
94272c7770
Revert "Ref #933 - Added windows Process Creation to config"
...
This reverts commit 6c35a7afa0
2020-07-16 14:30:17 +02:00
6c35a7afa0
Ref #933 - Added windows Process Creation to config
2020-07-16 13:16:57 +02:00
Nasreddine Bencherchali