Wietze
e0d6856987
[CarbonBlack] Adding extra escape character
Hyphens, especially when at the start of a query, need escaping since hyphens are also used to negate conditions
2021-07-29 13:57:58 +01:00
thegoatreich
d14e0f1aaa
add logrhythm lucene backend
Copied and modded the es-qs backend for logrhythm's lucene syntax.
2021-07-16 13:02:05 +01:00
Denny Lin
7b001b6b91
Fix issue [ADA] Conversion of wildcard not as expected for ada backend. #1689
2021-07-15 18:04:08 +08:00
Jonhnathan
f6e7fc446f
Remove Wildcard
2021-07-13 11:21:12 -03:00
mf1d3l
9005b58649
extend cim
2021-07-10 23:06:29 +02:00
mf1d3l
0271bc6b13
clean
2021-07-10 22:13:09 +02:00
mf1d3l
b986ed0716
extend cim
2021-07-10 19:02:24 +02:00
mfidel
ffadd110cb
Update splunkdm.py
2021-07-10 00:03:41 +02:00
mfidel
82f8412988
Update splunkdm.py
2021-07-10 00:02:33 +02:00
mf1d3l
368388a7e6
Add Splunk Datamodel backend
2021-07-09 23:18:17 +02:00
Florian Roth
84b181d170
Revert "feat: OriginalFileName mapping in MDATP ImageLoad events"
This reverts commit cdc434cfc4 .
2021-07-08 08:55:33 +02:00
Florian Roth
cdc434cfc4
feat: OriginalFileName mapping in MDATP ImageLoad events
2021-07-07 18:22:58 +02:00
Florian Roth
400fae4dba
Merge pull request #1609 from cianmcgovern/graylog-fix
Escape spaces in graylog backend
2021-07-04 14:20:07 +02:00
frack113
8fd81acee4
Change getRuleName() to get 'id-title' instead of ('id' or 'title')
2021-07-04 11:56:59 +02:00
Cian Mc Govern
7fca08e5bd
Escape spaces in graylog backend
2021-07-02 21:56:08 +01:00
Cody Swanson
ab3a54c336
Update Elasticsearch Watcher backend to populate name field in alert metadata
2021-06-27 12:08:45 -07:00
Florian Roth
abe353de66
Merge pull request #1561 from frack113/es_rule_add_more_tag
add multi custom tag for issue #1560
2021-06-25 12:25:28 +02:00
Florian Roth
2ad6401487
Merge pull request #1565 from SpeedyFireCyclone/powershell_fieldmappings
Generic remapping for PowerShell backend
2021-06-25 12:21:00 +02:00
eocete
bfbd1c6487
Merge remote-tracking branch 'upstream/master' into master
2021-06-21 14:11:39 +02:00
eocete
4b92dbb90d
master: Added new Devo backend for the sigmac tool. Added three new backend configurations to support the Devo backend. Added a new test suite to cover the Devo backend cases.
2021-06-21 14:06:04 +02:00
Remco Hofman
a18c3952d9
More generic remapping for PowerShell backend
2021-06-20 07:58:01 +02:00
frack113
1f2c93a4e7
add multi custom tag for issue #1560
2021-06-17 08:05:44 +02:00
Markku Parviainen
900263315a
Added support for free-text search in logsources configuration, enabling usage of splunk macros and ability to optimize the resulting searches.
2021-06-16 14:52:45 +03:00
Florian Roth
ab3baa9463
Merge pull request #1534 from SpeedyFireCyclone/mdatp_serviceinstalled
MDATP ServiceInstalled mapping
2021-06-10 09:05:56 +02:00
Joshua Roys
2034d36677
Add support for Elastic EQL
The EQL backend supports translation of the "near" aggregation into
EQL sequences. Additionally, the es-rule backend now has a sibling
es-rule-eql backend that outputs EQL queries instead of qs.
2021-06-08 13:38:38 -04:00
Remco Hofman
0aa05f53e9
MDATP ServiceInstalled event mapping
2021-06-03 21:43:52 +02:00
frack113
b3a608599a
Add some fun backend options for es-rule
2021-05-28 10:51:08 +02:00
Florian Roth
ffeda2a2a2
Merge pull request #1492 from frack113/es_rule_uuid
Fix errors when importing es-rule ndjson to KIBANA
2021-05-27 10:24:39 +02:00
Florian Roth
d06f2bcf14
fix: sysmon backend "startswith"
2021-05-26 15:42:16 +02:00
Florian Roth
bb71860fb2
Merge pull request #1509 from vastlimits/feature/update-6.1
Updated uberAgent backend to support version 6.1.
2021-05-26 13:08:08 +02:00
frack113
b92b765f9a
Fix import to kibana error 400 severity is invalid.
2021-05-20 13:14:43 +02:00
frack113
cbb81cdf86
Fix import to kibana error 400 risk_score is null.
risk_score is an integer.
If level is invalid, set to medium.
2021-05-20 12:32:19 +02:00
frack113
f0974e9cf3
Fix: **false_positives** must be an array.
If null, add "Unknown".
If it is a string, convert it to a simple array row.
2021-05-20 11:20:38 +02:00
frack113
76523c5dbf
fix [#1486](https://github.com/SigmaHQ/sigma/issues/1486).
rule_id is always a uuid now.
For a rule collection with only one uuid:
- the first detection gets the uuid
- other detections get a new uuid
It is a palliative, because the secondary uuids are not kept between two launches.
Best practice is to use one uuid per detection and not per file.
2021-05-20 08:42:58 +02:00
Sven Scharmentke
a36bc55b06
Updated uberAgent backend to support version 6.1.
2021-05-18 12:07:09 +02:00
frack113
3b23c18f70
If not null, use uuid instead of title for the rule id
2021-05-17 22:12:17 +02:00
Florian Roth
691283616f
Merge pull request #1477 from wagga40/master
Resolves #1450 - Bug in es-rule backend when using "-r" argument
2021-05-14 09:00:30 +02:00
wagga40
534898a3ce
Resolves #1450 - Bug in es-rule backend when using "-r" argument
2021-05-13 21:47:22 +02:00
wagga40
5e99379803
Change to have raw log in rule results with SQL/SQlite Backends
2021-05-13 15:01:52 +02:00
wagga40
cc13a5e3de
Add a backend option to specify table name for SQL Backend
2021-05-02 14:39:41 +02:00
Maxime Lamothe-Brassard
11982abec0
Add support for macOS rules and fix case sensitivity.
2021-04-28 16:49:59 -07:00
Thomas Patzke
35e6e515ba
Merge pull request #1414 from herrBez/fix-542-dsl-aggregation-without-aggfield
Fix es-dsl aggregation generation when aggfield is not given
2021-04-20 10:35:16 +02:00
Cedric Hien
2ff27aa980
Fix SyntaxWarning for 'is' on fireeye-helix backend
2021-04-17 12:55:13 +02:00
herrBez
3b30a91185
Fix es-dsl aggregation generation when aggfield is not given
Related to #542 and #543
2021-04-06 16:41:46 +02:00
Thomas Patzke
82fd5ca233
Merge pull request #1408 from roysjosh/es-rule-threshold
Implement Elastic threshold detection rules
2021-04-06 00:50:50 +02:00
Thomas Patzke
d789eb9c6f
Merge pull request #1409 from roysjosh/es-barf-on-multiple-conditions
Elastic: raise an error from the base backend if a rule has multiple conditions
2021-04-06 00:50:05 +02:00
Wietze
30c6d753fd
Removed unnecessary imports
2021-04-01 16:08:22 +01:00
Wietze
fb1bb91c3c
Apply changes to Defender for Endpoint backend
2021-04-01 16:02:06 +01:00
Joshua Roys
7923852cc3
Elastic: raise an error from the base backend if a rule has multiple conditions
2021-03-31 16:01:05 -04:00
Joshua Roys
0448e46870
Implement Elastic threshold detection rules
Transform supported count() aggregations (> and >=, no count field,
optionally a group by field) into a threshold detection rule.
2021-03-31 15:19:04 -04:00