security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

24 Commits

Author SHA1 Message Date
albchen 62025971c7 Add generateAggregation 
Adds aggregation function for rules such as win_multiple_suspicious_cli.yml or win_dnscat2_powershell_implementation.yml. Modeled after splunk.py backend, converted to use MDE's count() and dcount() instead of Splunk's count() and dc(). Requires a valid config for converting aggfields and groupfields.
 2021-10-03 17:37:05 -07:00
albchen 1dec1a49fa Mapped OriginalFileName in DeviceProcessEvents 
Mapped OriginalFileName to ProcessVersionInfoOriginalFileName in DeviceProcessEvents. Tested and works for rules such as https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_renamed_binary.yml
 2021-09-10 15:51:32 -07:00
Wietze 17595e2443 Enabling Linux/macOS support on MDATP, fixing incorrect parent cmd mappings 2021-08-12 18:07:13 +01:00
Florian Roth 84b181d170 Revert "feat: OriginalFileName mapping in MDATP ImageLoad events" 
This reverts commit cdc434cfc4.
 2021-07-08 08:55:33 +02:00
Florian Roth cdc434cfc4 feat: OriginalFileName mapping in MDATP ImageLoad events 2021-07-07 18:22:58 +02:00
Remco Hofman 0aa05f53e9 MDATP ServiceInstalled event mapping 2021-06-03 21:43:52 +02:00
Wietze 30c6d753fd Removed unnecessary imports 2021-04-01 16:08:22 +01:00
Wietze fb1bb91c3c Apply changes to Defender for Endpoint backend 2021-04-01 16:02:06 +01:00
albchen 42e82c95df Updated for use with Image Load events 
Added compatibility to add DeviceImageLoadEvents if "image_load" category is found. Also, field ImageLoaded added to the mapping.
 2021-03-18 15:49:25 -07:00
Chris Brake 4aa7505b40 Updated fields to align with MS Advanced Threat Hunting Schema. Standardised and sorted fields across schemas. 2021-02-04 11:54:29 +00:00
Simen Lybekk c0a7cdc3de mdatp: Use case-insensitive searches by default 
This sohuld match the draft Sigma specification as well as other backends
 2020-11-12 14:09:30 +01:00
Simen Lybekk a75d4fb561 mdatp: Add more field mappings and table<->generic event mappings, skip IMPHASH as it's not supported 2020-11-12 13:15:38 +01:00
vh 383823f49a Fix: added default value of current_table 2020-10-21 10:12:17 +03:00
vh 51df5ad876 Added: 
Sumo Logic CSE Rule Backend

Updated:
Mapping depence on logsource
Azure Sentinel Query Backend
MDATP: query with few logsources
CROWDSTRIKE: fix generateMapItemTypedNode
 2020-10-06 15:07:52 +03:00
Chris Brake 6ed1ea6509 Updating the mdatp backend file as it is currently impossible to set an ActionType as there is no mapping to EventType 2020-06-30 14:49:29 +01:00
Thomas Patzke c992dc5215 Improved test coverage 2020-06-05 23:33:51 +02:00
Thomas Patzke 5d88d97c73 Merge branch 'improvements/improved_mdatp_mappings' of https://github.com/wietze/sigma into wietze-improvements/improved_mdatp_mappings 2020-06-05 23:03:52 +02:00
vh fb9c5841f4 Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00
Wietze 2b3828730c Reversed disabling FileDelete 2020-05-02 17:31:50 +01:00
Wietze e5574e07f2 Disabled FileDelete event (Sysmon 11 - no rules available yet) 2020-05-02 16:21:56 +01:00
Wietze 5abf4cbea9 Reordered fields 2020-05-02 14:46:55 +01:00
Wietze 661108903b Minor consistency fix 2020-05-02 14:37:37 +01:00
Wietze 46737cbfd3 Improved Microsoft ATP mapping, using Advanced Hunting Schema 
See https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference
 2020-05-02 14:31:02 +01:00
David Szili 0947538228 MDATP schema changes 
WDATP was renamed to MDATP (Microsoft Defendre ATP).
MDATP also had schema changes recently: https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914
The updates reflect these changes
 2020-03-09 17:12:41 +01:00