118e8af738
Simplified rule collection
2017-11-01 10:00:35 +01:00
732f01878f
Sigma rule collection YAML action documents
2017-11-01 00:17:55 +01:00
d0b2bd9875
Multiple rules per file
...
* New wrapper class SigmaCollectionParser parses all YAML documents
contained in file and handles multiple SigmaParser instantiation.
* Exemplary extended one security/4688 rule to security/4688 + sysmon/1
2017-10-31 23:06:18 +01:00
5743e25931
Added logging framework
2017-10-31 22:13:20 +01:00
9d96a998d7
Merge pull request #56 from juju4/CAR-2013-05-002b
...
Detects Suspicious Run Locations - MITRE CAR-2013-05-002
2017-10-30 00:27:56 +01:00
720c992573
Dropped within keyword
...
Covered by timeframe attribute.
Fixes issue #26 .
2017-10-30 00:25:56 +01:00
25ba2c81ad
Merge branch 'juju4-CAR-2013-04-002b'
2017-10-30 00:15:43 +01:00
c865b0e9a8
Removed within keyword in rule
2017-10-30 00:15:01 +01:00
0df60fe004
Merge branch 'CAR-2013-04-002b' of https://github.com/juju4/sigma into juju4-CAR-2013-04-002b
2017-10-30 00:13:21 +01:00
27227855b5
Merge branch 'devel-sigmac'
2017-10-29 23:59:49 +01:00
012cb6227f
Added proper handling of null/not null values
...
Fixes issue #25
2017-10-29 23:57:39 +01:00
4b64fc1704
double quotes = escape
2017-10-29 14:42:40 -04:00
07185247cb
double quotes = escape
2017-10-29 14:32:52 -04:00
f5f20c3f75
Admin user remote login
2017-10-29 14:30:11 -04:00
19dd69140b
Detects Suspicious Run Locations - MITRE CAR-2013-05-002
2017-10-29 14:27:01 -04:00
ad27a0a117
Detects Quick execution of a series of suspicious commands - MITRE CAR-2013-04-002
2017-10-29 14:24:53 -04:00
9d968de337
Merge remote-tracking branch 'upstream/master'
2017-10-29 14:14:47 -04:00
b7e8000ccb
Improved Office Shell rule > added 'schtasks.exe'
2017-10-25 23:53:45 +02:00
e680da1b50
Suspicious flash player download location / BadRabbit
2017-10-25 08:40:30 +02:00
5fa9e685b1
Splitted parts of generate to generateQuery in backend code
2017-10-25 00:03:03 +02:00
ace1bf94ea
Merge branch 'devel-sigmac'
2017-10-24 23:49:04 +02:00
6d0e85fcfa
Fixed Splunk backend ( #50 )
2017-10-24 23:48:47 +02:00
65e1f8ec2b
Increased test coverage
...
* more tests
* removed unneeded code
* increased coverage fail threshold
2017-10-23 23:30:44 +02:00
c6f26978c1
Merge branch 'master' of https://github.com/Neo23x0/sigma
2017-10-23 00:46:41 +02:00
3389656a5b
Added ELK default index config
2017-10-23 00:45:33 +02:00
7f93d3ca47
Kibana backend throws exception when multiple indices appear
...
* Introduced backend errors with handling in sigmac
2017-10-23 00:45:01 +02:00
cb9aeac7d9
Added default index handling
...
* Removed default index handling from backend code
* Added default indices to config templates
2017-10-23 00:08:39 +02:00
801d739a3b
US CERT TA17-293A report - renamed PsExec execution
2017-10-22 12:55:26 +02:00
ec996e7353
Improved test coverage
2017-10-19 17:42:56 +02:00
1a8cfae6ac
Merge branch 'master' of https://github.com/Neo23x0/sigma
2017-10-19 11:42:09 +02:00
a4a127e869
Measurement of test coverage
2017-10-19 11:40:53 +02:00
d9f933fec9
Fixed the fixed PSAttack rule
2017-10-19 09:52:40 +02:00
0b0435bf7a
Fixed PSAttack rule
2017-10-18 21:49:38 +02:00
0895ea88ed
Merge branch 'master' of https://github.com/Neo23x0/sigma
2017-10-18 19:05:59 +02:00
5449a12a14
Added GrepBackend
...
Moved field quoting/filtering into QuoteCharMixin
2017-10-18 19:03:38 +02:00
440bf29607
Added Thomas' hack.lu talk
2017-10-18 15:51:58 +02:00
54cf9af0c9
Removed ELK Sysmon config
...
It's contained in ELK Windows config
2017-10-18 15:23:55 +02:00
3418b949f3
Enhanced integration testing by configurations
2017-10-18 15:23:10 +02:00
d7c659128c
Removed unneeded array
2017-10-18 15:12:29 +02:00
deea224421
Rule: New RUN Key Pointing to Suspicious Folder
2017-10-17 16:19:56 +02:00
e6661059c2
Merge remote-tracking branch 'upstream/master'
2017-10-15 11:58:01 -04:00
00baa4ed40
Executables Started in Suspicious Folder
2017-10-14 23:23:04 +02:00
358d1ffba0
Executables Started in Suspicious Folder
2017-10-14 23:22:20 +02:00
45aea1cc8a
Merge remote-tracking branch 'upstream/master'
2017-10-07 15:00:23 -04:00
f4720d5149
APT17 malware UA
...
https://twitter.com/cyb3rops/status/915135877709549568
2017-10-03 12:47:53 +02:00
b8eedfe3f0
Fixes and refactoring of KibanaBackend and XPackWatcherBackend
...
* Moved unnecessary code out of condition loop
* Index specific rule-name not appended to rulename variable used later
from other rule/index.
* Merged condition loop
2017-09-30 23:22:05 +02:00
1d314e326e
sigmac: MultiRuleOutputMixin
...
* Moved rule name generation into mixin
* KibanaBackend and XPackWatcherBackend now use this mixin instead of
doing the same thing in both classes.
2017-09-30 01:03:08 +02:00
b47e3e45a8
Merge branch 'devel-sigmac'
2017-09-22 00:31:22 +02:00
d410adb397
sigmac: X-Pack Watcher backend improvements
...
* Renamed backend class according to convention
* Output types: curl (default) and plain
* Prefix of rule names
* Indices from configuration
* Support for multiple conditions per rule
* Usage of parsed condition
* Support for all condition operators
* Fixed bug preventing from passing multiple options to backend
* Added to CI tests
2017-09-22 00:28:35 +02:00
62eb3b2923
Merge branch 'devel-sigmac' of https://github.com/megadevx/sigma into devel-sigmac-watcher
2017-09-19 23:08:04 +02:00
Thomas Patzke