security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
6,344 Commits 1 Branch 57 Tags
e5cd850640355a32f4cfeaac0355b32477b80098
Commit Graph

400 Commits

Author SHA1 Message Date
Florian Roth ab3baa9463 Merge pull request #1534 from SpeedyFireCyclone/mdatp_serviceinstalled 
MDATP ServiceInstalled mapping
 2021-06-10 09:05:56 +02:00
Joshua Roys 2034d36677 Add support for Elastic EQL 
The EQL backend supports translation of the "near" aggregation into
EQL sequences. Additionally, the es-rule backend now has a sibling
es-rule-eql backend that outputs EQL queries instead of qs.
 2021-06-08 13:38:38 -04:00
Remco Hofman 0aa05f53e9 MDATP ServiceInstalled event mapping 2021-06-03 21:43:52 +02:00
frack113 b3a608599a Add some fun backend option for es-rule 2021-05-28 10:51:08 +02:00
Florian Roth ffeda2a2a2 Merge pull request #1492 from frack113/es_rule_uuid 
Fix errors when import es-rule ndjson to KIBANA
 2021-05-27 10:24:39 +02:00
Florian Roth d06f2bcf14 fix: sysmon backend "startswith" 2021-05-26 15:42:16 +02:00
Florian Roth bb71860fb2 Merge pull request #1509 from vastlimits/feature/update-6.1 
Updated uberAgent backend to support version 6.1.
 2021-05-26 13:08:08 +02:00
frack113 b92b765f9a Fix import to kibana error 400 severity is invalid. 2021-05-20 13:14:43 +02:00
frack113 cbb81cdf86 Fix import to kibana error 400 rish_score is null. 
rish_score is a integer.
If level is invalid set to medium
 2021-05-20 12:32:19 +02:00
frack113 f0974e9cf3 Fix : **false_positives** must be a array. 
If null add "Unknown".
If it is a string convert to a simple array row
 2021-05-20 11:20:38 +02:00
frack113 76523c5dbf fix [#1486](https://github.com/SigmaHQ/sigma/issues/1486). 
rule_id is always an uuid now.
For the rule-collection with only one uuid :
- first detection get the uuid
- other detection get a new uuid

it is a palliative, because the secondary uuid are not kept between 2 launches.
best practice is to use one uuid per detection and not files.
 2021-05-20 08:42:58 +02:00
Sven Scharmentke a36bc55b06 Updated uberAgent backend to support version 6.1. 2021-05-18 12:07:09 +02:00
frack113 3b23c18f70 If not null use uuid instead of title for the rule id 2021-05-17 22:12:17 +02:00
Florian Roth 691283616f Merge pull request #1477 from wagga40/master 
Resolves #1450 - Bug in es-rule backend when using "-r" argument
 2021-05-14 09:00:30 +02:00
wagga40 534898a3ce Resolves #1450 - Bug in es-rule backend when using "-r" argument 2021-05-13 21:47:22 +02:00
wagga40 5e99379803 Change to have raw log in rule results with SQL/SQlite Backends 2021-05-13 15:01:52 +02:00
wagga40 cc13a5e3de Add a backend option to specify table name for SQL Backend 2021-05-02 14:39:41 +02:00
Maxime Lamothe-Brassard 11982abec0 Add support for macOS rules and fix case sensitivity. 2021-04-28 16:49:59 -07:00
Thomas Patzke 35e6e515ba Merge pull request #1414 from herrBez/fix-542-dsl-aggregation-without-aggfield 
Fix es-dsl aggregation generation when aggfield is not given
 2021-04-20 10:35:16 +02:00
Cedric Hien 2ff27aa980 Fix SyntaxWarning for 'is' on fireeye-helix backend 2021-04-17 12:55:13 +02:00
herrBez 3b30a91185 Fix es-dsl aggregation generation when aggfield is not given 
Related to #542 and #543
 2021-04-06 16:41:46 +02:00
Thomas Patzke 82fd5ca233 Merge pull request #1408 from roysjosh/es-rule-threshold 
Implement Elastic threshold detection rules
 2021-04-06 00:50:50 +02:00
Thomas Patzke d789eb9c6f Merge pull request #1409 from roysjosh/es-barf-on-multiple-conditions 
Elastic: raise an error from the base backend if a rule has multiple conditions
 2021-04-06 00:50:05 +02:00
Wietze 30c6d753fd Removed unnecessary imports 2021-04-01 16:08:22 +01:00
Wietze fb1bb91c3c Apply changes to Defender for Endpoint backend 2021-04-01 16:02:06 +01:00
Joshua Roys 7923852cc3 Elastic: raise an error from the base backend if a rule has multiple conditions 2021-03-31 16:01:05 -04:00
Joshua Roys 0448e46870 Implement Elastic threshold detection rules 
Transform supported count() aggregations (> and >=, no count field,
optionally a group by field) into a threshold detection rule.
 2021-03-31 15:19:04 -04:00
Thomas Patzke eb98f0ba28 Merge pull request #1402 from refractionPOINT/lc-support-live-wel 
Add option to support different LimaCharlie targets.
 2021-03-29 23:13:01 +02:00
Florian Roth ac1f82f7ca Merge pull request #1380 from iosonogio/bugfix/netwitness-null 
[bugfix] netwitness and netwitness-epl backends have incoherent null expressions
 2021-03-29 11:23:18 +02:00
Maxime Lamothe-Brassard e0666036a4 Add option to support different LimaCharlie targets. 2021-03-24 17:58:50 -07:00
albchen 42e82c95df Updated for use with Image Load events 
Added compatibility to add DeviceImageLoadEvents if "image_load" category is found. Also, field ImageLoaded added to the mapping.
 2021-03-18 15:49:25 -07:00
Thomas Patzke c13f3f1383 Merge pull request #1325 from dennispo/align-simac-stixshifter 
sigmac to STIX enhancements
 2021-03-13 18:49:12 +01:00
Thomas Patzke 99c7889363 Merge pull request #1368 from roysjosh/stable-risk-scores 
es-rule: make risk scores stable
 2021-03-13 18:46:37 +01:00
vh 7eeed68fb4 Chronicle Security Backend contributed by SOC Prime. 2021-03-12 12:21:44 +02:00
Johnny Walker 0873c57acf Update netwitness.py 
nullExpression fixed to be really null (missing exclamation mark)
 2021-03-09 17:43:44 +01:00
Johnny Walker 4e5a9a58a5 Update netwitness-epl.py 
nullExpression and notNullExpression fixed to be logically coherent and compatible with EPL syntax
 2021-03-09 17:41:54 +01:00
Joshua Roys 92fcc314bf es-rule: make risk scores stable 
Don't create unnecessary deltas between runs.
 2021-03-01 10:13:34 -05:00
jaegeral e1f43f17c2 fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00
Thomas Patzke 5cfd837776 Removed irrelevant type check in fieldlist backend 
Fixes issue #1351
 2021-02-23 21:15:29 +01:00
Dennis Potashnik 2b917d6f97 Merge branch 'align-sigmac-stixshifter' into align-simac-stixshifter 2021-02-08 11:40:47 +02:00
Dennis Potashnik 08c8db25e9 New configuration layout: stix2.0 for basic stix mapings, stix-shifter to match the OCA stix-shifter mappings and stix-custom for the unsupported mappings 2021-02-08 10:56:31 +02:00
Chris Brake 4aa7505b40 Updated fields to align with MS Advanced Threat Hunting Schema. Standardised and sorted fields across schemas. 2021-02-04 11:54:29 +00:00
Gregor 921ebf7445 Optimizing Qradar query generation in cases where field definitions are missing 2021-01-26 15:24:44 +01:00
Gregor ac3730d2fa Fixing Qradar implementation for create valid AQL queries 2021-01-25 15:37:05 +01:00
k-vdv 89a4e48b0a bugfix field support 2021-01-22 09:28:23 +01:00
Thomas Patzke 789dfb3f47 Merge pull request #1291 from lprat/fix_issue_1285 
fix issue 1285
 2020-12-30 23:06:38 +01:00
Thomas Patzke 675d93ee3d Replaced string comparison with isinstance 2020-12-30 22:50:13 +01:00
Thomas Patzke 1bb0963784 Moved set_size option to class where it's used 2020-12-30 22:25:57 +01:00
k-vdv 7e6f01f611 elasticsearch backend: new parameter and fields support 2020-12-14 16:07:09 +01:00
Thomas Patzke 578d2f0585 Merge pull request #1283 from 404d/mdatp-fixes 
mdatp: Mapping and generic event changes, case insensitive search
 2020-11-29 21:56:17 +01:00