Simon
1d081e300d
Support for VMware Carbon Black Cloud EEDR
...
Add support for VMware Carbon Black Cloud EEDR. Field mappings derived from https://developer.carbonblack.com/reference/carbon-black-cloud/cb-threathunter/latest/process-search-fields/
2021-06-10 21:45:29 +10:00
frack113
1b4d4cfb82
Add missing sysmon EventID
2021-06-09 12:52:38 +02:00
Joshua Roys
2034d36677
Add support for Elastic EQL
...
The EQL backend supports translation of the "near" aggregation into
EQL sequences. Additionally, the es-rule backend now has a sibling
es-rule-eql backend that outputs EQL queries instead of qs.
2021-06-08 13:38:38 -04:00
frack113
e66a3f9513
T1562.001 Attempting to disable scheduled scanning and other parts of Windows Defender ATP.
2021-06-07 15:03:19 +02:00
frack113
3d9fe490ab
Detect modification of sysmon configuration by sysmon
2021-06-04 11:27:15 +02:00
frack113
bf98f43850
Make powershell_alternate_powershell_hosts.yml more accurate by adding the correct channel for EventID
2021-06-01 10:47:17 +02:00
frack113
aa34ff8e3c
Addition of System channel for more accurate detection
2021-05-30 09:27:08 +02:00
V1D1AN
56e3a6aaf3
Update ecs-zeek-elastic-beats-implementation.yml
2021-05-16 22:53:25 +02:00
JohnConnorRF
1574d263cc
Updated Winlogbeat Modules config based on: https://github.com/elastic/beats/blob/048c3cc19bf43c8a6b332afaafdd0a2eb8e5bd49/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js#L171-L178
2021-05-05 10:25:36 -04:00
John Connor McLaughlin
3926e2388f
Added ScriptBlockText as a field for winlogbeat configs as per https://www.elastic.co/guide/en/beats/winlogbeat/master/exported-fields-winlog.html
2021-05-04 15:23:47 -04:00
Florian Roth
2f12c5c540
fix: too broad definition of *.log on linux
2021-05-03 17:04:55 +02:00
Max Altgelt
7c8cca744f
chore: Revert log file changes for THOR sigma configuration
...
Revert recent changes for Windows / Linux .log files for THOR
because of massive performance impacts.
2021-04-28 17:48:17 +02:00
Max Altgelt
de2cedf213
fix: Distinguish Windows and Linux logfiles by path separator
...
A previous commit added a log source detailing *.log files with
product: linux. This caused linux specific Sigma rules to apply to
all *.log files, including those on Windows. To distinguish these
cases, expand the file path pattern to include the typical start
for unix / windows paths ( / vs [A-Z]:\ )
2021-04-28 11:45:19 +02:00
Florian Roth
d24f0b8988
feat: generic registry events compatible with native audit logging
2021-04-26 09:31:36 +02:00
Florian Roth
66d0f910dd
feat: windows native events - registry_event
2021-04-25 22:35:23 +02:00
Florian Roth
08234c4620
Revert "fix: splunk for windows config errors"
...
This reverts commit 13347df263.
2021-04-25 21:52:29 +02:00
Florian Roth
d766c12888
feat: generic categories - thor config
2021-04-23 17:47:09 +02:00
Florian Roth
c7ce9154d1
Merge pull request #1030 from stevengoossensB/master
...
Updated sysmon config and rewrite rules to use categories
2021-04-23 16:52:25 +02:00
phantinuss
95fa99b4a3
search generic log files for product: linux
2021-04-23 12:00:48 +02:00
Florian Roth
13347df263
fix: splunk for windows config errors
2021-04-23 09:50:13 +02:00
Steven
7b679cc1f7
- Modified rules to use categories instead of hardcoded event IDs
...
- Added file_delete category (Sysmon Event ID 23) to the generic translation file
2021-04-15 01:40:31 +02:00
Steven
850a002840
Merge branch 'master' of https://github.com/SigmaHQ/sigma
2021-04-15 01:25:48 +02:00
Thomas Patzke
5118be6bf6
Merge pull request #1407 from JohnConnorRF/winlogbeat_config_update
...
Update winlogbeat configuration file to support File Product details
2021-04-06 00:51:27 +02:00
JohnConnorRF
477f05c5f2
Added in Product entry for winlogbeat-old
2021-04-01 09:24:24 -04:00
JohnConnorRF
1f3ee87e55
Added Product field to winlogbeat-modules-enabled.config. Note that the ECS details for Process do not include Product ( https://www.elastic.co/guide/en/ecs/1.4/ecs-process.html ) so winlog.event_data.Product was used instead of process.Product
2021-04-01 09:19:21 -04:00
JohnConnorRF
3fd396f4db
Updated winlogbeat configuration file to support File Product details
2021-03-30 13:21:14 -04:00
Joshua Roys
30ab2aad75
Map CommandLine appropriately
...
Args is an array of the exploded command line and causes many rules to misfire.
2021-03-30 10:15:10 -04:00
Florian Roth
7d7dd4cb67
fix: missing index field in FE helix config
2021-03-20 09:09:45 +01:00
Florian Roth
8b145e20e4
Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel
2021-03-20 09:04:40 +01:00
Florian Roth
58a1ab9817
fix: wrong indentation in fireeye helix mapping
2021-03-20 09:04:38 +01:00
Florian Roth
e47ee24889
Merge branch 'master' into rule-devel
2021-03-20 08:52:55 +01:00
Florian Roth
9e287a1b89
feat: MSExchange Management log mapping
2021-03-20 08:49:59 +01:00
Florian Roth
1fc408bfaa
fix: duplicate field values in YAML configs
2021-03-20 08:49:43 +01:00
Florian Roth
6ac6b9295b
Merge pull request #1392 from hustlibraco/patch-1
...
Update winlogbeat.yml
2021-03-20 08:28:35 +01:00
Codehardt
6d626456f2
fix: syntax error in THOR's config file
2021-03-17 11:49:50 +01:00
libraco
3c5624ca88
Update winlogbeat.yml
...
add `SAMAccountName: winlog.event_data.SamAccountName` mapping for rules/windows/builtin/win_vul_cve_2020_1472.yml
2021-03-15 23:54:28 +08:00
libraco
2971a08734
Update winlogbeat.yml
...
add AccessList mapping of winlogbeat for rules/windows/builtin/win_susp_lsass_dump_generic.yml.
2021-03-15 23:01:07 +08:00
Thomas Patzke
c13f3f1383
Merge pull request #1325 from dennispo/align-simac-stixshifter
...
sigmac to STIX enhancements
2021-03-13 18:49:12 +01:00
vh
7eeed68fb4
Chronicle Security Backend contributed by SOC Prime.
2021-03-12 12:21:44 +02:00
Dennis Potashnik
12cc2cade1
Moved references to binary file from custom config to stix-2.0 config
2021-03-02 12:04:22 +02:00
Dennis Potashnik
e12d710ab4
Fixed config typo
2021-03-02 11:51:46 +02:00
jaegeral
e1f43f17c2
fixed various spelling errors all over rules and source code
2021-02-24 14:43:13 +00:00
Dennis Potashnik
563fd3c7e2
Fixed error mapping for stix-shifter configuration
2021-02-08 17:55:03 +02:00
Dennis Potashnik
08ee6d7f1f
deleted missed file
2021-02-08 11:44:00 +02:00
Dennis Potashnik
2b917d6f97
Merge branch 'align-sigmac-stixshifter' into align-simac-stixshifter
2021-02-08 11:40:47 +02:00
Dennis Potashnik
08c8db25e9
New configuration layout: stix2.0 for basic stix mappings, stix-shifter to match the OCA stix-shifter mappings and stix-custom for the unsupported mappings
2021-02-08 10:56:31 +02:00
Florian Roth
11c216629b
fix: thor sources for applocker with wrong prefix
2021-01-07 12:27:37 +01:00
Dennis Potashnik
70d14b46ef
Aligning with newer stix-shifter version
2021-01-05 15:13:36 +02:00
maravedi
fa6f75f07e
Update sumologic.yml
...
The commit from vihreb on October 6, 2020 (https://github.com/Neo23x0/sigma/commit/51df5ad8764cd6896a3ef83ad388aebc136d5815 ) removed some items from the allowed fields list for the sumologic backend (https://github.com/Neo23x0/sigma/blob/51df5ad8764cd6896a3ef83ad388aebc136d5815/tools/sigma/backends/sumologic.py#L161 ) with the expectation that they are included in the sumologic config; however, the default sumologic config does not reflect that change. This breaks the parsing of maps from rules. For example, when trying to run sigmac on a rule with multiple EventID values, the result is an error that states "argument of type 'int' is not iterable."
I suspect that this change in the behavior of the backend was made to accommodate the new sumologic-cse config, which may not need the additional allowed fields that the regular sumologic config does. As such, I think it would probably make the most sense to re-add these fields to the sumologic config file rather than directly back into the backend for sumologic.
Note: In the config, I did not include those fields that are presently hard-coded in the allowed field list in the sumologic backend (e.g. _sourceCategory and _view were removed). I also removed "sourcename" since, from what I can tell, the syntax that vihreb added to the sumologic backend ("_sourceName") is actually correct.
2020-12-28 16:46:32 -05:00
Florian Roth
d1f7a206b9
Merge pull request #1289 from weslambert/master
...
Fix typo
2020-12-13 19:04:07 +01:00