G Y
aacb5f767c
Update winlogbeat-modules-enabled.yml
Update mapping for EventID and TargetObject.
2021-07-14 11:01:45 +08:00
phantinuss
bf9b82fc45
medium level rule for Windows Defender Exclusions
2021-07-13 13:16:25 +02:00
Thomas Patzke
82b8b6890f
Merge pull request #1663 from heyibrahimkhan/patch-4
Create ala-azure-ad_auditlogs.yml
2021-07-12 23:37:55 +02:00
Thomas Patzke
294a405481
Merge pull request #1662 from heyibrahimkhan/patch-3
Create ala-azure-activitylogs.yml
2021-07-12 23:37:46 +02:00
Thomas Patzke
98165cdd09
Merge pull request #1661 from heyibrahimkhan/patch-2
Create ecs-azure-ad_auditlogs.yml
2021-07-12 23:37:37 +02:00
Thomas Patzke
a73c371c66
Merge pull request #1672 from mf1d3l:splunkdm_backend
SplunkDM Backend: Splunk datamodels accelerated searches support
2021-07-12 23:05:51 +02:00
Florian Roth
3761cd1b34
Merge pull request #1660 from heyibrahimkhan/patch-1
Create ecs-azure-activitylogs.yml
2021-07-12 17:42:49 +02:00
Florian Roth
730e9eb883
Merge pull request #1667 from leegengyu/patch-10
Update winlogbeat-modules-enabled.yml - Imphash Field
2021-07-12 15:37:33 +02:00
Florian Roth
ac7270ff32
Merge pull request #1669 from leegengyu/patch-11
Update winlogbeat.yml - Imphash Field
2021-07-12 15:37:00 +02:00
Florian Roth
a16ce3b828
Merge pull request #1673 from frack113/ecs
Add mapping for auditbeat and filebeat
2021-07-12 15:36:07 +02:00
Thomas Patzke
0b83c12dd1
Merge branch 'devel-tp'
2021-07-12 10:21:19 +02:00
frack113
b6d2ec33cc
Add mapping for auditbeat and filebeat
2021-07-12 09:00:57 +02:00
mf1d3l
681accf2ba
add splunkdm to Makefile
2021-07-10 22:23:15 +02:00
G Y
bdb77780b3
Update winlogbeat.yml
Change Imphash's value as the current one does not exist without the Sysmon processor module under Winlogbeat.
2021-07-10 11:37:36 +08:00
G Y
cb2985df75
Update winlogbeat-modules-enabled.yml
Replaced mapping for Imphash (based on Winlogbeat's Sysmon processor module).
2021-07-10 10:51:05 +08:00
mf1d3l
368388a7e6
Add Splunk Datamodel backend
2021-07-09 23:18:17 +02:00
Ibrahim Ali Khan
8bf07b3575
Create ala-azure-ad_auditlogs.yml
Azure AD Audit Logs mapping for Azure Log Analytics
2021-07-08 20:40:39 +05:00
Ibrahim Ali Khan
7bba239f56
Create ala-azure-activitylogs.yml
Azure Activity Logs mapping for Azure Log Analytics
2021-07-08 20:40:03 +05:00
Ibrahim Ali Khan
6849aba266
Create ecs-azure-ad_auditlogs.yml
Azure AD Audit Logs Elasticsearch ECS mapping
2021-07-08 20:39:05 +05:00
Ibrahim Ali Khan
25dd14829e
Create ecs-azure-activitylogs.yml
Azure Activity Logs Elasticsearch ECS mapping
2021-07-08 20:37:12 +05:00
Florian Roth
a6952540c9
Merge pull request #1659 from SigmaHQ/config-adjustments
refactor: THOR config adjustments
2021-07-08 15:37:04 +02:00
Florian Roth
5e7f1f3a36
refactor: THOR config adjustments
2021-07-08 14:51:49 +02:00
Thomas Patzke
09c8d42c03
Deleted Sysmon config which doesn't make sense
2021-07-08 07:31:49 +02:00
frack113
4e3b275056
Fix more Windows field names
2021-07-07 12:28:00 +02:00
frack113
5c9ca35bb6
Add the last missing
2021-07-07 09:10:50 +02:00
frack113
e76f30d59c
Add some missing fields mapping
2021-07-06 15:56:33 +02:00
Florian Roth
06ab553d25
Merge pull request #1604 from SigmaHQ/rule-devel
Config: Splunk fix log sources prefix, THOR PS classic
2021-07-02 15:39:22 +02:00
Florian Roth
ba94b8396c
config: thor - powershell classic
2021-07-02 14:14:48 +02:00
Florian Roth
03e2b9d376
fix: missing "WinEventLog:" in splunk-windows.yml
2021-07-02 14:13:12 +02:00
Florian Roth
825ff5520b
Merge pull request #1597 from SigmaHQ/rule-devel
config: add PrintService Operational
2021-07-01 10:27:43 +02:00
Florian Roth
63f3fd7e73
config: add PrintService Operational
2021-07-01 09:55:15 +02:00
Florian Roth
19962c6fe4
Merge pull request #1590 from SigmaHQ/rule-devel
config: mappings for Microsoft print service
2021-06-30 14:50:52 +02:00
Florian Roth
a49bfb14dd
refactor: Admin log - not Operational
2021-06-30 14:22:40 +02:00
Florian Roth
26cfbb9c34
config: mapping for Microsoft SMBClient service - security
2021-06-30 14:16:26 +02:00
Florian Roth
8262a1d98b
config: mappings for Microsoft print service
2021-06-30 14:09:44 +02:00
Florian Roth
537d89d185
Merge pull request #1575 from SigmaHQ/rule-devel
rules: PurpleSharp, WMIC ActiveScriptEventConsumer
2021-06-25 12:15:35 +02:00
eocete
bfbd1c6487
Merge remote-tracking branch 'upstream/master' into master
2021-06-21 14:11:39 +02:00
eocete
4b92dbb90d
master: Added new Devo backend for the sigmac tool. Added three new backend configurations to support the Devo backend. Added a new test suite to cover the Devo backend cases.
2021-06-21 14:06:04 +02:00
Markku Parviainen
0e7ad2bac8
small change to Splunk logsource config
2021-06-16 14:52:45 +03:00
Markku Parviainen
900263315a
Added support for free-text search in logsources configuration, enabling usage of Splunk macros and the ability to optimize the resulting searches.
2021-06-16 14:52:45 +03:00
Florian Roth
bf40b64f91
docs: better title in crowdstrike config
2021-06-10 17:07:01 +02:00
Simon
1d081e300d
Support for VMware Carbon Black Cloud EEDR
Add support for VMware Carbon Black Cloud EEDR. Field mappings derived from https://developer.carbonblack.com/reference/carbon-black-cloud/cb-threathunter/latest/process-search-fields/
2021-06-10 21:45:29 +10:00
frack113
1b4d4cfb82
Add missing Sysmon EventID
2021-06-09 12:52:38 +02:00
Joshua Roys
2034d36677
Add support for Elastic EQL
The EQL backend supports translation of the "near" aggregation into
EQL sequences. Additionally, the es-rule backend now has a sibling
es-rule-eql backend that outputs EQL queries instead of qs.
2021-06-08 13:38:38 -04:00
frack113
e66a3f9513
T1562.001 Attempting to disable scheduled scanning and other parts of Windows Defender ATP.
2021-06-07 15:03:19 +02:00
frack113
3d9fe490ab
Detect modification of Sysmon configuration by Sysmon
2021-06-04 11:27:15 +02:00
frack113
bf98f43850
Make powershell_alternate_powershell_hosts.yml more accurate by adding the correct channel for EventID
2021-06-01 10:47:17 +02:00
frack113
aa34ff8e3c
Addition of System channel for more accurate detection
2021-05-30 09:27:08 +02:00
V1D1AN
56e3a6aaf3
Update ecs-zeek-elastic-beats-implementation.yml
2021-05-16 22:53:25 +02:00
JohnConnorRF
1574d263cc
Updated Winlogbeat Modules config based on: https://github.com/elastic/beats/blob/048c3cc19bf43c8a6b332afaafdd0a2eb8e5bd49/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js#L171-L178
2021-05-05 10:25:36 -04:00