security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

23 Commits

Author SHA1 Message Date
Mark McCurdy 58d9e4180a Correct for proper output to Splunk and CarbonBlack. Add AWS Athena config/backend support 2021-09-13 14:17:33 -05:00
Thomas Patzke 2fb7dd5e99 Fixes 
* Removed Splunk regex query
* Added test for sumologic-cse backend
 2020-10-23 15:31:00 +02:00
vh f45e45d736 Fix: Import SigmaRegularExpressionModifier in the splunk backend. 2020-10-20 18:13:53 +03:00
vh 51df5ad876 Added: 
Sumo Logic CSE Rule Backend

Updated:
Mapping depence on logsource
Azure Sentinel Query Backend
MDATP: query with few logsources
CROWDSTRIKE: fix generateMapItemTypedNode
 2020-10-06 15:07:52 +03:00
Thomas Patzke daf7ab5ff7 Cleanup: removal of corelight_* backends 2020-05-24 22:41:38 +02:00
Thomas Patzke d45f8e19fe Fixes 2020-05-24 21:46:55 +02:00
vh fb9c5841f4 Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00
Thomas Patzke 849a5a520d Conditional field mapping resolve_fieldname now functional 
Before this method just had some placeholder function that wasn't really
implementing the intended functionality of the conditional field
mapping. Now aggregations get also conditional field mapping
functionality.
 2019-10-09 23:57:41 +02:00
sisecbe 5d94b9f0bc Changed stats to eventstats 
Changed 'stats' to 'eventstats' when using aggregation, this keeps the original data of the event in the result.
 2019-02-05 17:36:46 +01:00
sisecbe 2f5eb08b41 Adapt count function when aggfield not present 
When no field is present, use "count" , when field is present use "dc(field)". As described in the Sigma specifications.
Splunk throws errors when using "count()" with empy fields. use "count" instead.
 2019-02-05 15:44:05 +01:00
Thomas Patzke 8a0784ad33 Fixed escaping of \\* 2019-02-02 00:18:58 +01:00
sisecbe c848c473a3 Error when empty fields attribute 2018-11-23 15:37:42 +01:00
sisecbe 31eae25756 Indentation error 2018-11-23 15:20:17 +01:00
sisecbe e43909678e Added the fields attribute parser 
Make a table with the fields present in the fields attribute
 2018-11-23 15:11:12 +01:00
sisecbe c2eb87133d Distinct count in aggragation function 
Added dc() instead of count() when group-by field is present. Because count() doesn't do a distinct count in Splunk. Must be the dc() function instead.
 2018-11-23 15:04:08 +01:00
Thomas Patzke eacfaa7460 Check for forbidden null values in list items in Splunk backend 2018-10-27 01:07:03 +02:00
Thomas Patzke dce4b4825d Fixed aggregations without field name 
Generated query contained field name "None".
 2018-08-10 15:07:07 +02:00
Thomas Patzke af9f636199 Removal of backend output classes 
Breaking change: Instead of feeding the output class with the results,
they are now returned as strings (*Backend.generate()) or list
(SigmaCollectionParser.generate()). Users of the library must now take
care of the output to the terminal, files or wherever Sigma rules should
be pushed to.
 2018-08-02 22:41:32 +02:00
Thomas Patzke 1c4c67053c Fixes for parser split 
* Fixed imports
* Rename
 2018-07-27 00:02:07 +02:00
Thomas Patzke b76fa884ec Changed copyright notices accordingly 2018-07-24 00:01:16 +02:00
Thomas Patzke c8e21b3f24 Fixing after split 
* Fixing imports
* Discovery in new sub modules
 2018-07-21 01:09:02 +02:00
Thomas Patzke 45782c6328 Removal from sigma.backends.splunk 2018-07-10 23:48:47 +02:00
Thomas Patzke 72480d304b Splitting backends - Copy splunk.py 2018-07-10 23:15:04 +02:00