e91fc4486e
refactor: first bigger log source refactoring
...
see discussion here: https://github.com/SigmaHQ/sigma/discussions/2835
2022-03-22 17:58:29 +01:00
53651cdd2f
Add Bits-Client rules
2022-03-03 06:27:00 +01:00
8cfab22acb
Add firewall-as basic rules
2022-02-19 10:18:49 +01:00
5890c1bb20
Fix logsource
2022-01-16 08:56:51 +01:00
b7b1ebf772
Fix LogonId - SubjectLogonId
2021-11-10 19:12:51 +01:00
ee4082b50d
Merge pull request #2242 from frack113/fix_ProcessCommandLine
...
Fix process command line
2021-11-10 08:09:06 +01:00
c5fa73c328
fix ProcessCommandLine to ParentCommandLine
2021-11-09 16:13:29 +01:00
3430943746
standardization
2021-11-09 07:27:25 +01:00
963f32063f
Merge pull request #2148 from SigmaHQ/rule-devel
...
First Linux Process Creation and Network Connection rules (Sysmon for Linux)
2021-10-21 19:10:08 +02:00
6660be9753
config: network connection linux
2021-10-16 14:22:48 +02:00
fc796df654
add references
2021-10-16 08:37:51 +02:00
690b26fb90
change order to chain sysmon
2021-10-16 08:19:25 +02:00
5a144e1864
sysmon for linux - process_creation mapping
2021-10-15 14:46:13 +02:00
f1d5605f10
fix yml space
2021-10-11 07:44:48 +02:00
9810a9fe73
add powershell.yml
2021-10-11 07:42:04 +02:00
424b0263df
add EventID 26
2021-09-29 08:53:22 +02:00
579a80411d
Update m365.yml
2021-08-21 15:03:31 -05:00
645492cef5
Update m365.yml
...
just working on expanding this.
2021-08-21 14:57:38 -05:00
e6457531dd
Create m365.yml
2021-08-20 00:29:29 -05:00
1d1b58d712
add sysmon mapping
2021-08-05 10:54:58 +02:00
1b4d4cfb82
Add missing sysmon EventID
2021-06-09 12:52:38 +02:00
d24f0b8988
feat: generic registry events compatible with native audit logging
2021-04-26 09:31:36 +02:00
66d0f910dd
feat: windows native events - registry_event
2021-04-25 22:35:23 +02:00
7b679cc1f7
- Modified rules to use categories instead of hardcoded event IDs
...
- Added file_delete category (Sysmon Event ID 23) to the generic translation file
2021-04-15 01:40:31 +02:00
8b74abe0bc
- Created new categories for sysmon events
...
- Replaced the explicit EventIDs with the reference to the category
- Moved the rules to the corresponding directories
2020-09-30 20:44:14 +02:00
939156fa6d
Introduced dns_query log source category
2020-07-05 23:29:51 +02:00
8b3b312c4e
Proposed fix for https://github.com/Neo23x0/sigma/issues/889
...
This change removes dns events from the network connection category. The
one change is that sysmon_regsvr32_network_activity.yml needs to test
the network connection category separately from the DNS event id.
2020-07-03 16:28:19 -04:00
9c0f9f398f
refactor: sysmon rule cleanup > generlization
2020-07-01 10:58:39 +02:00
07c0a6558e
fix: wording on sysmon mapping file
2020-06-24 17:49:42 +02:00
f3fedef8f5
Changed category names and remove sysmon log source
2020-06-24 17:41:21 +02:00
423baafa2a
Added rules for different sysmon categories and added the category definition
2020-06-10 15:02:15 +02:00
a0beda240c
fix: fixed wrong field mapping in windows-audit source config
2019-11-09 22:42:00 +01:00
36aeb19721
Added title to all configurations
2019-05-16 23:33:51 +02:00
6918784e87
Configuration order checking
2019-04-23 00:54:10 +02:00
3eaf83cf5a
Improved configurations
...
Added Security/4688 field mappings
2019-01-16 23:37:18 +01:00
ba64f485ac
Added generic Windows audit log configuration
2019-01-16 22:41:42 +01:00
d81946df39
Stacked configurations
...
- Added log source rewriting
- Removed log source merging condition type setting
- Simplified SigmaLogsourceConfiguration constructor
- Condition is generated in SigmaParser instead of SigmaLogsourceConfiguration
Missing:
- Merging of raw config dict for backends that rely on this (es-dsl)
2018-09-12 23:40:22 +02:00
320bb9f8c4
Added rewrite config to generic sysmon configuration
2018-08-14 21:34:54 +02:00
430972231f
Added generic sysmon configuration with process_execution config
2018-08-14 21:34:54 +02:00
Florian Roth