Commit Graph

540 Commits

Author SHA1 Message Date
Florian Roth cd2792f82c Merge pull request #1547 from frack113/new_filter_condition
Add New filter condition
2021-06-10 14:42:44 +02:00
Florian Roth ab3baa9463 Merge pull request #1534 from SpeedyFireCyclone/mdatp_serviceinstalled
MDATP ServiceInstalled mapping
2021-06-10 09:05:56 +02:00
frack113 a600e2dcaa Forgot a debug print 2021-06-10 08:49:15 +02:00
frack113 af1aee9541 Add filter condition= and condition!= 2021-06-10 08:26:19 +02:00
Joshua Roys 2034d36677 Add support for Elastic EQL
The EQL backend supports translation of the "near" aggregation into
EQL sequences. Additionally, the es-rule backend now has a sibling
es-rule-eql backend that outputs EQL queries instead of qs.
2021-06-08 13:38:38 -04:00
Remco Hofman 0aa05f53e9 MDATP ServiceInstalled event mapping 2021-06-03 21:43:52 +02:00
frack113 7ec513f1d0 Fix error when using -< namefile.yml on the command line, as I never use it 2021-05-28 12:47:37 +02:00
frack113 b3a608599a Add some fun backend options for es-rule 2021-05-28 10:51:08 +02:00
Florian Roth ffeda2a2a2 Merge pull request #1492 from frack113/es_rule_uuid
Fix errors when importing es-rule ndjson into Kibana
2021-05-27 10:24:39 +02:00
Florian Roth f98716c672 Merge pull request #1500 from frack113/sigmac_add_time_filter
Sigmac add new filter
2021-05-27 10:16:19 +02:00
Florian Roth d06f2bcf14 fix: sysmon backend "startswith" 2021-05-26 15:42:16 +02:00
Florian Roth bb71860fb2 Merge pull request #1509 from vastlimits/feature/update-6.1
Updated uberAgent backend to support version 6.1.
2021-05-26 13:08:08 +02:00
frack113 0e688d8dd0 Add the 'logsource!=' filter 2021-05-22 09:04:30 +02:00
frack113 f213226eb4 Add the 'tag!=' filter 2021-05-22 08:57:42 +02:00
frack113 8aa3ea15d7 change to the more revealing name "inlastday" 2021-05-22 08:44:30 +02:00
frack113 8a8f003d15 Add lastday filter to get only the rules updated or created in the last N days
lastday=0 is all :)
2021-05-21 19:31:06 +02:00
frack113 b92b765f9a Fix import to Kibana error 400: severity is invalid. 2021-05-20 13:14:43 +02:00
frack113 cbb81cdf86 Fix import to Kibana error 400: risk_score is null.
risk_score is an integer.
If level is invalid, set to medium.
2021-05-20 12:32:19 +02:00
frack113 f0974e9cf3 Fix: **false_positives** must be an array.
If null, add "Unknown".
If it is a string, convert it to a simple one-row array.
2021-05-20 11:20:38 +02:00
frack113 76523c5dbf Fix [#1486](https://github.com/SigmaHQ/sigma/issues/1486).
rule_id is always a UUID now.
For a rule collection with only one UUID:
- the first detection gets the UUID
- the other detections get a new UUID

It is a palliative, because the secondary UUIDs are not kept between two launches.
Best practice is to use one UUID per detection, not per file.
2021-05-20 08:42:58 +02:00
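The four es-rule import fixes above (rule_id always a UUID, false_positives always an array, risk_score an integer, severity never invalid) are easier to see in one place. The following is an added example written for this page; it is not sigmac's es-rule backend and does not reproduce its code. The level-to-(severity, risk_score) table, the sample collection, and the field names other than the ones the commit messages name are assumptions, and the per-detection fallback UUIDs are freshly generated on every run, which is exactly the instability the commit calls a palliative.

```python
import uuid

# Constructed mapping from Sigma "level" to Kibana (severity, risk_score).
# The numeric values are an assumption for this example, not sigmac's table.
LEVEL_MAP = {
    "informational": ("low", 5),
    "low": ("low", 21),
    "medium": ("medium", 47),
    "high": ("high", 73),
    "critical": ("critical", 99),
}
DEFAULT_LEVEL = "medium"

# Constructed sample: one Sigma collection file with a single id but three
# detections, a bare-string falsepositives, and a misspelled level.
SAMPLE_COLLECTION = {
    "title": "Suspicious Service Install",
    "id": "3c3f4e6a-6a2d-4b0c-9c4e-2a3e6b9d0f11",
    "level": "hgih",  # typo on purpose: must fall back to medium
    "falsepositives": "Legitimate admin software",
    "detections": [
        {"selection": {"EventID": 7045}},
        {"selection": {"EventID": 4697}},
        {"selection": {"ServiceName|contains": "psexe"}},
    ],
}


def severity_and_risk(level):
    """Kibana returns 400 on an unknown severity or a null risk_score,
    so an invalid or missing level falls back to medium."""
    key = str(level).lower() if level is not None else ""
    return LEVEL_MAP.get(key, LEVEL_MAP[DEFAULT_LEVEL])


def false_positives(value):
    """false_positives must be an array of strings:
    null -> ["Unknown"], bare string -> one-element array, list passed through."""
    if value is None:
        return ["Unknown"]
    if isinstance(value, str):
        return [value]
    return [str(v) for v in value]


def is_uuid(value):
    """True when value parses as a UUID (any version)."""
    try:
        uuid.UUID(str(value))
        return True
    except (ValueError, AttributeError, TypeError):
        return False


def rule_ids(rule_uuid, detection_count):
    """The first detection keeps the file's UUID; the others get a fresh
    uuid4, which is NOT stable between two runs (the palliative the commit
    describes). A missing or invalid id is replaced by a fresh UUID too."""
    first = str(rule_uuid) if is_uuid(rule_uuid) else str(uuid.uuid4())
    return [first] + [str(uuid.uuid4()) for _ in range(detection_count - 1)]


def to_kibana_rules(collection):
    """Emit one Kibana detection-rule dict per detection, carrying only the
    fields the import errors were about (assumed field names: name)."""
    severity, risk = severity_and_risk(collection.get("level"))
    fps = false_positives(collection.get("falsepositives"))
    detections = collection.get("detections", [])
    ids = rule_ids(collection.get("id"), len(detections))
    return [
        {
            "rule_id": rid,
            "name": collection["title"],
            "severity": severity,
            "risk_score": risk,
            "false_positives": fps,
        }
        for rid, _detection in zip(ids, detections)
    ]


if __name__ == "__main__":
    import json
    # One ndjson line per detection, the shape Kibana's import expects.
    for rule in to_kibana_rules(SAMPLE_COLLECTION):
        print(json.dumps(rule))
```

Running the block twice shows why the commit recommends one UUID per detection file: the first rule_id is identical both times, the second and third differ, so a re-import creates duplicates instead of updating the existing rules.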
Sven Scharmentke a36bc55b06 Updated uberAgent backend to support version 6.1. 2021-05-18 12:07:09 +02:00
frack113 3b23c18f70 If not null, use the UUID instead of the title for the rule id 2021-05-17 22:12:17 +02:00
Florian Roth 691283616f Merge pull request #1477 from wagga40/master
Resolves #1450 - Bug in es-rule backend when using "-r" argument
2021-05-14 09:00:30 +02:00
wagga40 534898a3ce Resolves #1450 - Bug in es-rule backend when using "-r" argument 2021-05-13 21:47:22 +02:00
wagga40 5e99379803 Change to have raw log in rule results with SQL/SQLite backends 2021-05-13 15:01:52 +02:00
Florian Roth 33d9d6876e Merge pull request #1456 from wagga40/update-sql-backend
Add a backend option to specify table name for SQL Backend
2021-05-11 15:00:39 +02:00
Florian Roth a9417b3f7b docs: better error highlighting 2021-05-05 12:59:13 +02:00
Florian Roth 0ca2d05247 revert changes to powershell backend 2021-05-05 12:26:59 +02:00
Florian Roth 55c39122e3 Merge branch 'master' into rule-devel 2021-05-05 11:56:20 +02:00
Florian Roth a9c837659b backend: powershell: escape $ symbols in strings 2021-05-03 15:30:33 +02:00
wagga40 cc13a5e3de Add a backend option to specify table name for SQL Backend 2021-05-02 14:39:41 +02:00
Maxime Lamothe-Brassard 11982abec0 Add support for macOS rules and fix case sensitivity. 2021-04-28 16:49:59 -07:00
Thomas Patzke 35e6e515ba Merge pull request #1414 from herrBez/fix-542-dsl-aggregation-without-aggfield
Fix es-dsl aggregation generation when aggfield is not given
2021-04-20 10:35:16 +02:00
Cedric Hien 2ff27aa980 Fix SyntaxWarning for 'is' on fireeye-helix backend 2021-04-17 12:55:13 +02:00
herrBez 3b30a91185 Fix es-dsl aggregation generation when aggfield is not given
Related to #542 and #543
2021-04-06 16:41:46 +02:00
Thomas Patzke 82fd5ca233 Merge pull request #1408 from roysjosh/es-rule-threshold
Implement Elastic threshold detection rules
2021-04-06 00:50:50 +02:00
Thomas Patzke d789eb9c6f Merge pull request #1409 from roysjosh/es-barf-on-multiple-conditions
Elastic: raise an error from the base backend if a rule has multiple conditions
2021-04-06 00:50:05 +02:00
Wietze 30c6d753fd Removed unnecessary imports 2021-04-01 16:08:22 +01:00
Wietze fb1bb91c3c Apply changes to Defender for Endpoint backend 2021-04-01 16:02:06 +01:00
Joshua Roys 7923852cc3 Elastic: raise an error from the base backend if a rule has multiple conditions 2021-03-31 16:01:05 -04:00
Joshua Roys 0448e46870 Implement Elastic threshold detection rules
Transform supported count() aggregations (> and >=, no count field,
optionally a group by field) into a threshold detection rule.
2021-03-31 15:19:04 -04:00
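The threshold-rule commit above states the supported shape precisely: a count() aggregation, no count field, comparison > or >=, optionally grouped by one field. The block below is an added example written for this page, not the es-rule backend's own implementation, showing the translation and the two edge cases a practitioner trips over: Kibana threshold rules fire when the count is greater than or equal to threshold.value, so Sigma's "> N" must become N+1, and unsupported forms (count(field), sum(), <, ==) must be rejected rather than silently turned into a plain query rule. The aggregation grammar is handled with a small regex written for this example; the query language tag "lucene" and the rendering of threshold.field as a single string (newer Kibana versions accept a list) are assumptions.

```python
import re

# Minimal grammar for the Sigma aggregation part this example supports
# (constructed for this example, not sigmac's parser):
#   count(<aggfield>) [by <groupfield>] <op> <value>
AGG_RE = re.compile(
    r"^\s*count\((?P<aggfield>[^)]*)\)\s*"
    r"(?:by\s+(?P<groupfield>[\w.]+))?\s*"
    r"(?P<op>>=|>|<=|<|==)\s*(?P<value>\d+)\s*$",
    re.IGNORECASE,
)


class UnsupportedAggregation(ValueError):
    """Raised for aggregations a Kibana threshold rule cannot express."""


def threshold_from_aggregation(aggregation, query, name="example rule"):
    """Translate 'count() [by field] > N' into a Kibana threshold rule.

    Kibana alerts when the bucket count is >= threshold.value, so
    '> N' maps to N + 1 and '>= N' maps to N. Anything else is an error.
    """
    match = AGG_RE.match(aggregation)
    if not match:
        raise UnsupportedAggregation(f"not a count() aggregation: {aggregation!r}")
    if match.group("aggfield").strip():
        raise UnsupportedAggregation("count(<field>) is not supported, only count()")

    op, value = match.group("op"), int(match.group("value"))
    if op == ">":
        threshold_value = value + 1
    elif op == ">=":
        threshold_value = value
    else:
        raise UnsupportedAggregation(f"operator {op!r} cannot be a threshold")

    rule = {
        "name": name,
        "type": "threshold",
        "language": "lucene",  # assumption: es-rule emits query_string syntax
        "query": query,
        "threshold": {"value": threshold_value},
    }
    if match.group("groupfield"):
        rule["threshold"]["field"] = match.group("groupfield")
    return rule


if __name__ == "__main__":
    import json
    # Constructed Sigma-style inputs: failed logons, grouped by source address.
    print(json.dumps(threshold_from_aggregation(
        "count() by IpAddress > 5", "EventID:4625", "Password spray candidate")))
    for bad in ("count(TargetUserName) by IpAddress > 5", "count() < 3", "sum(Bytes) > 10"):
        try:
            threshold_from_aggregation(bad, "EventID:4625")
        except UnsupportedAggregation as exc:
            print("rejected:", exc)
```

The off-by-one matters operationally: emitting value 5 for "> 5" would fire one event early on every grouped bucket, and a rule that quietly dropped the aggregation would alert on every single matching event.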
Thomas Patzke eb98f0ba28 Merge pull request #1402 from refractionPOINT/lc-support-live-wel
Add option to support different LimaCharlie targets.
2021-03-29 23:13:01 +02:00
Florian Roth ac1f82f7ca Merge pull request #1380 from iosonogio/bugfix/netwitness-null
[bugfix] netwitness and netwitness-epl backends have incoherent null expressions
2021-03-29 11:23:18 +02:00
Maxime Lamothe-Brassard e0666036a4 Add option to support different LimaCharlie targets. 2021-03-24 17:58:50 -07:00
albchen 42e82c95df Updated for use with Image Load events
Added compatibility to add DeviceImageLoadEvents if "image_load" category is found. Also, field ImageLoaded added to the mapping.
2021-03-18 15:49:25 -07:00
Thomas Patzke f4734cd5e5 Merge pull request #1309 from WuerthIT:logsourcemerging
functionality for parameter logsourcemerging
2021-03-13 22:25:29 +01:00
Thomas Patzke c13f3f1383 Merge pull request #1325 from dennispo/align-simac-stixshifter
sigmac to STIX enhancements
2021-03-13 18:49:12 +01:00
Thomas Patzke 99c7889363 Merge pull request #1368 from roysjosh/stable-risk-scores
es-rule: make risk scores stable
2021-03-13 18:46:37 +01:00
vh 7eeed68fb4 Chronicle Security Backend contributed by SOC Prime. 2021-03-12 12:21:44 +02:00
Johnny Walker 0873c57acf Update netwitness.py
nullExpression fixed to be really null (missing exclamation mark)
2021-03-09 17:43:44 +01:00