security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
15,089 Commits 1 Branch 57 Tags
d14e287cdf91e2a8b995de5bfbc3fa8540c1922b
Commit Graph

1531 Commits

Author SHA1 Message Date
David Hazekamp 323298ba91 fix(backend): use subexp when OR list items 2022-06-03 14:54:35 -05:00
Maxime Lamothe-Brassard 3fdaf8b9f1 Support alternate case for OriginalFileName. 2022-05-27 11:01:22 -07:00
Florian Roth 662c13a720 Merge pull request #3035 from redsand/hawk_backend_cfg_update 
Backend: adding additional entries to hawk.yml
 2022-05-24 12:33:11 +02:00
Tim Shelton b339901806 Backend: because hawk splits up SYSTEM and NT AUTHORITY, additional treatment is needed on some rules 2022-05-23 23:52:52 +00:00
Tim Shelton 6ca03d741b adding additional file hash column translation 2022-05-23 21:11:34 +00:00
Tim Shelton 605a0bc678 Backend: adding additional entries to hawk.yml 2022-05-23 18:46:50 +00:00
tr0mb1r ab7d7dbed8 Update sysmon.yml 
typo in config
 2022-05-20 13:47:18 +04:00
Thomas Patzke 01ffec65fe Merge pull request #2994 from ablescia/feat-hedera_backend 
Hedera Backend - C# dynamic LINQ
 2022-05-18 23:23:51 +02:00
Tim Shelton 232fd9ad17 removing duplicate 2022-05-10 13:19:22 +00:00
Tim Shelton ad727e11e9 adding additional zeek categories to sort out false positive matching 2022-05-10 03:39:16 +00:00
Tim Shelton c64197233d fixing error in translation 2022-05-10 02:19:23 +00:00
Tim Shelton 50a4a02364 adding additional field with ip_src as initial cardinal 2022-05-10 01:51:37 +00:00
Tim Shelton 8674e26218 adding cardinality of each group by to include source address. otherwise lookups will only be using "command" for example 2022-05-10 01:50:46 +00:00
Tim Shelton 278e825794 fixing hawk backend fields for zeek. wrong character 2022-05-10 01:45:17 +00:00
Tim Shelton 0709758651 Adding updates for zeek, as well as some missing sections for windows. internal review of rules will continue. 2022-05-09 23:23:35 +00:00
Tim Shelton 6aa0064c28 adding support for splitting out domain and user for nt authority, since its split in the application into 2 fields, only works for system currently. not aware of other examples 2022-05-09 23:23:07 +00:00
Antonio Blescia feca339bfc created hedera backend file 2022-05-08 15:59:14 +02:00
Tim Shelton bd51eb4c72 adding additional filter for string 2022-05-04 15:27:23 +00:00
Tim Shelton ad003de3fb Fixing mismatch of sigs when using system/app/security and additional matching against provider name 2022-05-04 14:58:02 +00:00
tungnd27 9d7a7f7896 Add StreamAlert backend 2022-05-03 17:32:19 +07:00
Sven Scharmentke 616dce35e2 Implemented RuleId property & use Generic fields as they are matched. 2022-05-03 01:08:12 +02:00
Sven Scharmentke 0d2189cfa2 Merge branch 'SigmaHQ:master' into feature/ame-6.3 2022-05-03 00:02:13 +02:00
Thomas Patzke f6ec8de586 Modifier support for conditional expressions 2022-05-02 23:22:16 +02:00
Thomas Patzke 512dad2185 Removed debugging code 2022-05-02 00:43:42 +02:00
Thomas Patzke 9ee0d29d68 Windash modifier 2022-05-02 00:38:21 +02:00
Thomas Patzke 58dea50656 Fix: Subexpression with OR instead of OR 2022-05-01 23:17:33 +02:00
Thomas Patzke 184b6bb244 Wrapping base64offset modified expansion group into ConditionOR 2022-05-01 23:07:25 +02:00
Tim Shelton 102a45a215 adding support for terminal services-localsessionmanager 2022-04-29 14:29:05 +00:00
Florian Roth f695443c4c Merge pull request #2969 from SigmaHQ/new-source-terminalservices 
New source terminalservices
 2022-04-29 13:25:12 +02:00
Florian Roth 43f3a31d19 feat: new service definition - terminal services 2022-04-29 12:26:26 +02:00
Tim Shelton eb0bcd7c9f updating hawk field translation, and bug when an author field is not present in a sig 2022-04-28 19:54:00 +00:00
secops4thewin 4442bb6982 Removed empty line 2022-04-28 13:18:11 +10:00
secops4thewin 9275d33ab2 Add timeframe to search for Devo 
Modified search to include a timeframe option.
 2022-04-28 13:14:41 +10:00
Tim Shelton 3f08d37a0e adding linux-auditd support and alignment 2022-04-20 14:31:32 +00:00
Sven Scharmentke 671a75ba3f Merge branch 'SigmaHQ:master' into feature/ame-6.3 2022-04-20 12:19:40 +02:00
Tim Shelton 83ece8c9ca adding missing file_ entries 2022-04-13 15:57:54 +00:00
Tim Shelton bca687a1ad adding a couple more missing entries 2022-04-13 15:15:15 +00:00
Tim Shelton 500c97020f Backend: updating hawk backend config, still pending file_rename and other file_ categories 2022-04-13 14:38:18 +00:00
Sven Scharmentke c7a2cf1abf Add more entries to exclusion configuration. 2022-04-13 15:53:19 +02:00
Sven Scharmentke a73697c184 Merge branch 'master' into feature/ame-6.3 2022-04-11 14:07:33 +02:00
Sven Scharmentke 41ce8dcbfb Implemented backend configuration to exclude certain rules during generation. 2022-04-11 14:02:11 +02:00
DustInDark 1a7e03c96b changed windows-bits-client Channel 
windows-bits-client tag converted `WinEventlog:Microsoft-Windows-Bits-Client/Operational` but other channel is not add `WinEventLog:`.

Removed "WinEventlog" to unify with other channel conversions.

ex: https://answers.microsoft.com/en-us/windows/forum/all/unknown-events-in-windowsbits-clientoperational/c0856f82-44a2-4998-9a3b-9d6eda328136
 2022-04-10 21:18:53 +09:00
Thomas Patzke 4028610580 Release 0.21 2022-04-09 00:49:38 +02:00
Tim Shelton 0a9d8fd614 Fixing missed entry for registry_set 2022-03-30 15:56:31 +00:00
phantinuss 7f030b250e fix: wrong mapping of Windows Audit Log EventID 4688 
reverts some changes introduced by commit c5fa73c328
    - removes the unnecessary/wrong field mapping
    - fixes the rules to apply to CommandLine instead of
      ParentCommandLine as the author probably intended
 2022-03-30 11:24:24 +02:00
frack113 627843d73f New registry category mapping 2022-03-26 19:36:46 +01:00
frack113 33e29b55bf New registry category 2022-03-26 19:05:38 +01:00
frack113 f1b8bc9479 Registry_add 2022-03-26 11:56:39 +01:00
frack113 fbc9e8c2df Update new registry category 2022-03-26 11:46:52 +01:00
frack113 6836d64a14 Fix space 2022-03-26 11:33:30 +01:00