Commit Graph

68 Commits

Author SHA1 Message Date
Florian Roth 335ed24751 fix: wrong channel prefix 2022-03-05 11:21:00 +01:00
frack113 53651cdd2f Add Bits-Client rules 2022-03-03 06:27:00 +01:00
frack113 1fbb9a9b29 Add missing fields 2022-03-01 15:36:39 +01:00
frack113 d3dff083f2 fix channel 2022-02-23 17:50:23 +01:00
frack113 8cfab22acb Add firewall-as basic rules 2022-02-19 10:18:49 +01:00
Florian Roth 68f0cdf338 feat: new log channel windows-codeintegrity-operational
https://twitter.com/SBousseaden/status/1483810148602814466
2022-01-20 09:44:36 +01:00
frack113 6c19303aa4 normalize logsource 2021-11-09 10:48:13 +01:00
Nasreddine Bencherchali 1015d3fe68 Update winlogbeat-modules-enabled.yml
- Fixed typos in FileVersion, Description, Product, and Company fields for image_load category.
- Added separate OriginalFileName fields for process_creation, image_load categories.
2021-10-28 16:05:40 +01:00
frack113 781598351d Add SourceUser and TargetUser 2021-10-27 17:13:34 +02:00
frack113 ce5e4c45f1 Add sysmon 13.30 ParentUser 2021-10-27 12:58:10 +02:00
al3t 7500346ce7 Update winlogbeat-modules-enabled.yml
updating field mapping
2021-10-20 17:06:55 +03:00
phantinuss 81b4a0eb98 feat: adapt logsources for field names without spaces 2021-10-13 14:36:10 +02:00
phantinuss 1099d40473 rename the field 'Provider Name' to 'Provider_Name' 2021-10-13 13:04:11 +02:00
phantinuss 3d8002a237 fix: Use 'Provider Name' for windows eventlog log sources 2021-10-13 11:40:24 +02:00
frack113 6782a7af4d fix TargetUserName and TargetUserSid for detection 2021-09-27 09:27:01 +02:00
frack113 365db5abbc fix bad elasticsearch-rule 2021-09-18 15:54:08 +02:00
frack113 e43b917dab fix space error 2021-08-10 17:35:32 +02:00
frack113 f4bef0fc39 Add Microsoft-Windows-Windows Defender/Operational 2021-08-06 11:12:34 +02:00
frack113 65251e13e9 Add missing system field 2021-08-06 10:52:24 +02:00
frack113 4b44ee654b Fix missing a space 2021-08-05 13:36:18 +02:00
frack113 0b053e79cc fix syntax error 2021-08-05 13:33:39 +02:00
frack113 439b3cecc3 Add most of the security EventIDs 2021-08-05 13:31:39 +02:00
frack113 ac43eecc36 Add eventid 4624 2021-08-05 11:20:22 +02:00
frack113 1d1b58d712 add sysmon mapping 2021-08-05 10:54:58 +02:00
frack113 481cd9aca1 add security 7045 2021-08-04 15:46:05 +02:00
frack113 47086d5d78 fix duplicate 2021-08-04 15:12:01 +02:00
frack113 21228a21c7 update SYSMON Hashes 2021-08-04 15:09:02 +02:00
Gábor Lipták d2592ee0b6 Add yamllint to GHA
Signed-off-by: Gábor Lipták <gliptak@gmail.com>
2021-07-26 21:26:16 -04:00
G Y aacb5f767c Update winlogbeat-modules-enabled.yml
Update mapping for EventID and TargetObject.
2021-07-14 11:01:45 +08:00
G Y cb2985df75 Update winlogbeat-modules-enabled.yml
Replaced mapping for Imphash (based on Winlogbeat's Sysmon processor module).
2021-07-10 10:51:05 +08:00
frack113 4e3b275056 Fix more Windows field names 2021-07-07 12:28:00 +02:00
frack113 5c9ca35bb6 Add the last missing 2021-07-07 09:10:50 +02:00
frack113 e76f30d59c Add some missing fields mapping 2021-07-06 15:56:33 +02:00
Florian Roth 825ff5520b Merge pull request #1597 from SigmaHQ/rule-devel
config: add PrintService Operational
2021-07-01 10:27:43 +02:00
Florian Roth 63f3fd7e73 config: add PrintService Operational 2021-07-01 09:55:15 +02:00
Florian Roth 19962c6fe4 Merge pull request #1590 from SigmaHQ/rule-devel
config: mappings for Microsoft print service
2021-06-30 14:50:52 +02:00
Florian Roth a49bfb14dd refactor: Admin log - not Operational 2021-06-30 14:22:40 +02:00
Florian Roth 26cfbb9c34 config: mapping for Microsoft SMBClient service - security 2021-06-30 14:16:26 +02:00
Florian Roth 8262a1d98b config: mappings for Microsoft print service 2021-06-30 14:09:44 +02:00
Joshua Roys 2034d36677 Add support for Elastic EQL
The EQL backend supports translation of the "near" aggregation into
EQL sequences. Additionally, the es-rule backend now has a sibling
es-rule-eql backend that outputs EQL queries instead of qs.
2021-06-08 13:38:38 -04:00
frack113 e66a3f9513 T1562.001 Attempting to disable scheduled scanning and other parts of windows defender atp. 2021-06-07 15:03:19 +02:00
frack113 3d9fe490ab Detect modification of sysmon configuration by sysmon 2021-06-04 11:27:15 +02:00
frack113 bf98f43850 Make powershell_alternate_powershell_hosts.yml more accurate by adding the correct channel for EventID 2021-06-01 10:47:17 +02:00
frack113 aa34ff8e3c Addition of System channel for more accurate detection 2021-05-30 09:27:08 +02:00
JohnConnorRF 1574d263cc Updated Winlogbeat Modules config based on: https://github.com/elastic/beats/blob/048c3cc19bf43c8a6b332afaafdd0a2eb8e5bd49/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js#L171-L178 2021-05-05 10:25:36 -04:00
John Connor McLaughlin 3926e2388f Added ScriptBlockText as a field for winlogbeat configs as per https://www.elastic.co/guide/en/beats/winlogbeat/master/exported-fields-winlog.html 2021-05-04 15:23:47 -04:00
Thomas Patzke 5118be6bf6 Merge pull request #1407 from JohnConnorRF/winlogbeat_config_update
Update winlogbeat configuration file to support File Product details
2021-04-06 00:51:27 +02:00
JohnConnorRF 1f3ee87e55 Added Product field to winlogbeat-modules-enabled.config. Note that the ECS details for Process do not include Product (https://www.elastic.co/guide/en/ecs/1.4/ecs-process.html) so winlog.event_data.Product was used instead of process.Product 2021-04-01 09:19:21 -04:00
Joshua Roys 30ab2aad75 Map CommandLine appropriately
Args is an array of the exploded command line and causes many rules to misfire.
2021-03-30 10:15:10 -04:00
Florian Roth 9e287a1b89 feat: MSExchange Management log mapping 2021-03-20 08:49:59 +01:00