Caleb Stewart
a6d1ca6c84
Add reEscape config to ElasticsearchEQLBackend
2022-01-24 16:52:59 -05:00
frack113
c19d87127e
Add not_bound_keyword option for elastic
2022-01-06 12:43:04 +01:00
frack113
bb758bdb0f
manage start end regex
2021-10-20 21:20:04 +02:00
Thomas Patzke
3d6ad1bc0f
Merge pull request #1944 from ncrqnt/elastic-subtechniques
[Elastic] Add support for authors and subtechniques
2021-09-01 22:25:10 +02:00
neu5ron
96c7e180fe
Merge branch 'master' of https://github.com/SigmaHQ/sigma into qoutes_and_wildcards
Signed-off-by: neu5ron <neu5ron@users.noreply.github.com>
2021-08-30 16:33:33 -04:00
neu5ron
61897fa2e0
Merge branch 'master' of https://github.com/SigmaHQ/sigma into qoutes_and_wildcards
Signed-off-by: neu5ron <neu5ron@users.noreply.github.com>
2021-08-30 16:06:58 -04:00
Nico
00dec96245
Add support for subtechniques
2021-08-30 08:45:21 +02:00
Nico
5f271bf334
add author field to elastic rule
2021-08-30 08:29:07 +02:00
frack113
5f1143247b
Update "sigmac -l" message
2021-08-28 08:51:58 +02:00
Thomas Patzke
607724278a
Merge pull request #1580 from codyswanson4:master
Update Elasticsearch Watcher backend to populate name column in Kibana
2021-08-13 23:33:47 +02:00
Thomas Patzke
8694afe023
Merge pull request #1779 from frack113/elastalert
Fix elastalert multi output file
2021-08-12 22:40:36 +02:00
frack113
f6980edc66
fix english: normalize
2021-08-07 11:16:24 +02:00
frack113
2333defde7
add hash_normalise option
2021-08-07 08:24:36 +02:00
RedKyper
b353a10643
elastalert multi output file
2021-08-05 20:37:07 +02:00
frack113
359dd6bbb8
fix my code
2021-08-01 19:34:07 +02:00
frack113
186583f78f
fix the output not the core
2021-08-01 16:14:51 +02:00
thegoatreich
d14e0f1aaa
add logrhythm lucene backend
Copied and modded the es-qs backend for logrhythm's lucene syntax.
2021-07-16 13:02:05 +01:00
frack113
8fd81acee4
Change getRuleName() to get 'id-title' instead of ('id' or 'title')
2021-07-04 11:56:59 +02:00
Cody Swanson
ab3a54c336
Update Elasticsearch Watcher backend to populate name field in alert metadata
2021-06-27 12:08:45 -07:00
frack113
1f2c93a4e7
add multi custom tag for issue #1560
2021-06-17 08:05:44 +02:00
Joshua Roys
2034d36677
Add support for Elastic EQL
The EQL backend supports translation of the "near" aggregation into
EQL sequences. Additionally, the es-rule backend now has a sibling
es-rule-eql backend that outputs EQL queries instead of qs.
2021-06-08 13:38:38 -04:00
frack113
b3a608599a
Add some fun backend option for es-rule
2021-05-28 10:51:08 +02:00
frack113
b92b765f9a
Fix import to kibana error 400 severity is invalid.
2021-05-20 13:14:43 +02:00
frack113
cbb81cdf86
Fix import to kibana error 400 risk_score is null.
risk_score is an integer.
If level is invalid, set to medium.
2021-05-20 12:32:19 +02:00
frack113
f0974e9cf3
Fix: **false_positives** must be an array.
If null, add "Unknown".
If it is a string, convert to a simple array row.
2021-05-20 11:20:38 +02:00
frack113
76523c5dbf
fix [#1486](https://github.com/SigmaHQ/sigma/issues/1486).
rule_id is always a uuid now.
For a rule collection with only one uuid:
- the first detection gets the uuid
- other detections get a new uuid
It is a palliative, because the secondary uuids are not kept between two launches.
Best practice is to use one uuid per detection and not per file.
2021-05-20 08:42:58 +02:00
frack113
3b23c18f70
If not null use uuid instead of title for the rule id
2021-05-17 22:12:17 +02:00
wagga40
534898a3ce
Resolves #1450 - Bug in es-rule backend when using "-r" argument
2021-05-13 21:47:22 +02:00
herrBez
3b30a91185
Fix es-dsl aggregation generation when aggfield is not given
Related to #542 and #543
2021-04-06 16:41:46 +02:00
Joshua Roys
0448e46870
Implement Elastic threshold detection rules
Transform supported count() aggregations (> and >=, no count field,
optionally a group by field) into a threshold detection rule.
2021-03-31 15:19:04 -04:00
Joshua Roys
92fcc314bf
es-rule: make risk scores stable
Don't create unnecessary deltas between runs.
2021-03-01 10:13:34 -05:00
jaegeral
e1f43f17c2
fixed various spelling errors all over rules and source code
2021-02-24 14:43:13 +00:00
Nate Guagenti
a3a90068e3
Merge branch 'master' of https://github.com/Neo23x0/sigma into qoutes_and_wildcards
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
2021-02-01 09:55:13 -05:00
k-vdv
89a4e48b0a
bugfix field support
2021-01-22 09:28:23 +01:00
Nate Guagenti
36656c3fac
Add to ElasticsearchDSLBackend the logic to NOT quote an analyzed field if it contains a wildcard; otherwise things such as '*' get treated as an exact match
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
2021-01-18 07:01:50 -05:00
Nate Guagenti
caf6586928
Add logic to NOT quote an analyzed field if it contains a wildcard; otherwise things such as '*' get treated as an exact match
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
2021-01-18 06:49:57 -05:00
Nate Guagenti
47bd41f012
revert commented line
2021-01-18 05:55:12 -05:00
Thomas Patzke
789dfb3f47
Merge pull request #1291 from lprat/fix_issue_1285
fix issue 1285
2020-12-30 23:06:38 +01:00
Thomas Patzke
675d93ee3d
Replaced string comparison with isinstance
2020-12-30 22:50:13 +01:00
Thomas Patzke
1bb0963784
Moved set_size option to class where it's used
2020-12-30 22:25:57 +01:00
k-vdv
7e6f01f611
elasticsearch backend: new parameter and fields support
2020-12-14 16:07:09 +01:00
Lionel
7ca368d1ed
fix issue 1285
https://github.com/Neo23x0/sigma/issues/1285
2020-11-20 16:42:20 +01:00
Hendrik
96e90fbff2
Fix recursion of rules
2020-11-06 12:43:52 +01:00
Hendrik
bf5d40eec3
New Backend - Kibana NDJSON
Tested against 7.9.3
2020-11-05 23:34:25 +01:00
Florian Roth
d3ee1aba66
docs: MITRE ATT&CK(R) trademark references removed or adjusted
https://github.com/Neo23x0/sigma/issues/1028
2020-09-30 08:53:52 +02:00
Nate Guagenti
f21b3c50c6
Control whether to use an analyzed field or a different type if a query/value contains a wildcard.
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
2020-08-25 13:13:18 -04:00
Nate Guagenti
a7ffb96b6b
elasticsearch regex escape of '.' for case insensitivity backend options
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
2020-08-25 13:10:25 -04:00
Nate Guagenti
76910eaee4
Fix sub-field name usage if there are 3 or more fields.
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
2020-08-25 12:56:57 -04:00
Nate Guagenti
0d713e4544
Control whether to use an analyzed field or a different type if a query/value contains a wildcard.
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
2020-08-25 12:56:33 -04:00
Thomas Patzke
01125ffd3b
Fixed: Elastalert backend handling of conditional field mappings
2020-08-11 23:29:18 +02:00