ea511bd761
adding file event filter
2021-12-06 20:50:20 +00:00
a38f98a3be
adding translation of provider_name to channel
2021-12-02 20:35:25 +00:00
e86ddc0b36
fix naming and references
2021-12-01 16:08:00 -05:00
48f592fc41
reducing scores for informational levels and adding field translation for user
2021-12-01 17:25:23 +00:00
b3a9e05a59
Merge branch 'master' of https://github.com/redsand/sigma into hawk_webserver_category
2021-12-01 14:26:35 +00:00
00560f3162
Add zircolite config
2021-11-30 19:10:14 +01:00
790755e753
adding webserver as filter for sigma config
2021-11-30 16:33:54 +00:00
b2645eb017
Handle facets and attributes
2021-11-29 17:23:23 +01:00
fff12a3461
adding antivirus filter for vendor_type.. was matching against our fim data
2021-11-23 18:14:51 +00:00
dca139d298
Example backend config file
2021-11-23 18:11:27 +01:00
bc334ab456
Hawk backend support for wildcard in middle of string ( #2273 )
...
* updating yaml cfg for ms eventlog support
* update config and sigma backend, so that comments are not replaced, but rather the details of the record
* updating scriptblocktext to value
* adding a few missing ip address translations
* Fixing error when handling comparisons of null values, and additional fix of lack of support for not
* adding additional translations for missing category entries
* fixing error when handling list of ors with a not indicator
* finishes support for windows translations, pending qa
* adding dedupe feature and additional translation fix for dns-server
* adding image_loaded translation
* forced to pull back on the aggressive deduping, caused some inaccuracies
* adding more ux friendly formatting for regex
* adds support for wildcards in middle of strings
* adding a missing null check for supporting null matching
* adding cisco, av, and django cfg in yaml. updated apache in yaml and added another translation for ip_dport
2021-11-18 06:29:41 +01:00
8b419b8f07
Merge pull request #2247 from frack113/fix_field
...
Fix rule field name
2021-11-11 08:51:52 +01:00
a9b49679d3
Updates to hawk sigmac backend ( #2244 )
...
Updated HAWK sigma backend
2021-11-11 08:01:53 +01:00
b7b1ebf772
Fix LogonId - SubjectLogonId
2021-11-10 19:12:51 +01:00
ee4082b50d
Merge pull request #2242 from frack113/fix_ProcessCommandLine
...
Fix process command line
2021-11-10 08:09:06 +01:00
a089a83794
Merge pull request #2238 from frack113/fix_logsource
...
Fix logsource
2021-11-10 08:08:40 +01:00
ca17949d85
Merge pull request #2237 from frack113/m365
...
standardization m365
2021-11-10 08:08:10 +01:00
c5fa73c328
fix ProcessCommandLine to ParentCommandLine
2021-11-09 16:13:29 +01:00
e1ecd379fa
Update elk-winlogbeat.yml
...
Adding "RelativeTargetName" since it's used by `win_lm_namedpipe.yml`
2021-11-09 13:38:31 +02:00
6c19303aa4
normalize logsource
2021-11-09 10:48:13 +01:00
3430943746
standardization
2021-11-09 07:27:25 +01:00
1015d3fe68
Update winlogbeat-modules-enabled.yml
...
- Fixed typos in FileVersion, Description, Product, and Company fields for image_load category.
- Added separate OriginalFileName fields for process_creation, image_load categories.
2021-10-28 16:05:40 +01:00
781598351d
Add SourceUser and TargetUser
2021-10-27 17:13:34 +02:00
ce5e4c45f1
Add sysmon 13.30 ParentUser
2021-10-27 12:58:10 +02:00
8f22d418f3
fixing lingering item
2021-10-26 16:28:04 +00:00
893874d3a5
removing item with space, and removing duplicate item and fixing target field, thx to frack113
2021-10-26 16:25:50 +00:00
6b5c63e485
Merge branch 'master' of https://github.com/redsand/sigma into HAWK_Backend
2021-10-25 18:39:48 +00:00
963f32063f
Merge pull request #2148 from SigmaHQ/rule-devel
...
First Linux Process Creation and Network Connection rules (Sysmon for Linux)
2021-10-21 19:10:08 +02:00
a47645a084
Modify event.provider to event.module
2021-10-21 08:34:41 +02:00
7500346ce7
Update winlogbeat-modules-enabled.yml
...
updating field mapping
2021-10-20 17:06:55 +03:00
d5498eecbf
updating hawk backend, still pending aggregation support
2021-10-19 02:35:45 +00:00
ae2923bdd8
Initial commmit of hawk analytic score generator
2021-10-18 21:39:49 +00:00
e5b3a1cc14
Merge pull request #2151 from frack113/ps_category
...
Powershell category
2021-10-17 07:15:31 +01:00
7fc6532665
fix yml
2021-10-16 22:49:20 +02:00
76c02a14b2
Merge pull request #1558 from maketsi/splunk-search-ext
...
Added ability to define free-text searches in the logsource mapping
2021-10-16 20:49:14 +02:00
4806a88427
Merge pull request #2029 from marcurdy/master
...
Correct for proper output to Splunk and CarbonBlack. Add AWS Athena c…
2021-10-16 20:37:59 +02:00
6660be9753
config: network connection linux
2021-10-16 14:22:48 +02:00
fc796df654
add references
2021-10-16 08:37:51 +02:00
690b26fb90
change order to chain sysmon
2021-10-16 08:19:25 +02:00
5a144e1864
sysmon for linux - process_creation mapping
2021-10-15 14:46:13 +02:00
81b4a0eb98
feat: adapt logsources for field names without spaces
2021-10-13 14:36:10 +02:00
1099d40473
rename the field 'Provider Name' to 'Provider_Name'
2021-10-13 13:04:11 +02:00
3d8002a237
fix: Use 'Provider Name' for windows eventlog log sources
2021-10-13 11:40:24 +02:00
f1d5605f10
fix yml space
2021-10-11 07:44:48 +02:00
9810a9fe73
add powershell.yml
2021-10-11 07:42:04 +02:00
424b0263df
add EventID 26
2021-09-29 08:53:22 +02:00
6782a7af4d
fix TargetUserName and TargetUserSid for detection
2021-09-27 09:27:01 +02:00
74c2d39d53
Merge pull request #2081 from austinsonger/ecs-ms365_defender.yml
...
ecs-ms365_defender.yml
2021-09-27 08:03:36 +02:00
00f4773eeb
Create ecs-ms365_defender.yml
2021-09-24 20:02:39 -05:00
696f343ac3
Delete ecs-ms365_defender.yml
2021-09-24 20:02:04 -05:00
Tim Shelton