b30abd5c12
updating hawk json format record
2021-10-18 21:34:48 +00:00
17d78a5c4c
Fix a missing var reset in SQLite backend
2021-10-17 16:21:59 +02:00
76c02a14b2
Merge pull request #1558 from maketsi/splunk-search-ext
...
Added ability to define free-text searches in the logsource mapping
2021-10-16 20:49:14 +02:00
9d8828a0ed
Merge pull request #1696 from denny-lclin/lclin/fix-ada-wildcard
...
Fix [ALA] Convesion of wildcard not as expected for ada backend #1689
2021-10-16 20:46:23 +02:00
f3c01a3f65
Merge pull request #1948 from zazzzSec/fix_cb_paths
...
fixing cb path wildcards that don't work
2021-10-16 20:44:14 +02:00
4806a88427
Merge pull request #2029 from marcurdy/master
...
Correct for proper output to Splunk and CarbonBlack. Add AWS Athena c…
2021-10-16 20:37:59 +02:00
e6881e41a6
Merge pull request #2090 from roysjosh/ala-near
...
Implement "near" support for ALA/Sentinel
2021-10-16 20:34:32 +02:00
00dd72acf2
Merge pull request #2118 from albchen/patch-3
...
Add generateAggregation
2021-10-16 20:33:11 +02:00
6d6a57a3b4
Add additional information to the analytic record, including tags, author info, rule id and references
2021-10-14 15:05:05 +00:00
1a9f106d34
Initial commmit of hawk analytic score generator
2021-10-14 14:17:03 +00:00
468cac031d
fix status
2021-10-14 07:19:41 +02:00
1f5d9d8adc
Initial commmit of hawk analytic score generator
2021-10-13 14:36:49 +00:00
62025971c7
Add generateAggregation
...
Adds aggregation function for rules such as win_multiple_suspicious_cli.yml or win_dnscat2_powershell_implementation.yml. Modeled after splunk.py backend, converted to use MDE's count() and dcount() instead of Splunk's count() and dc(). Requires a valid config for converting aggfields and groupfields.
2021-10-03 17:37:05 -07:00
94bff8e5ea
Merge pull request #2108 from hazedav/master
...
fix(backend): add remediation for lacework policy
2021-09-30 17:38:38 +02:00
67818f125a
fix(backend): add remediation for lacework policy
2021-09-30 09:27:18 -05:00
41f0fe6b52
Merge pull request #2095 from frack113/update_help
...
Update filter help
2021-09-28 16:23:29 +02:00
11dc276185
Update filter help
2021-09-28 10:33:10 +02:00
0f3b169c45
Implement "near" support for ALA/Sentinel
2021-09-27 15:01:32 -04:00
bcdf164b4c
fix space
2021-09-27 19:17:14 +02:00
a0b48b96d4
Fix 'NoneType' object has no attribute 'lower'
2021-09-27 18:49:58 +02:00
d08d3712be
Add more debug info
2021-09-25 19:33:30 +02:00
88a59be69c
Add options and return error code
2021-09-18 18:13:16 +02:00
5081c210b7
add simple script
2021-09-18 15:51:05 +02:00
314fa5aaa5
Add validation for logical sub operators.
2021-09-14 18:00:09 -07:00
c7ecf6da65
Merge pull request #2009 from Preston-Young/master
...
Added New OpenSearch Monitor Backend
2021-09-13 23:07:35 +02:00
58d9e4180a
Correct for proper output to Splunk and CarbonBlack. Add AWS Athena config/backend support
2021-09-13 14:17:33 -05:00
1dec1a49fa
Mapped OriginalFileName in DeviceProcessEvents
...
Mapped OriginalFileName to ProcessVersionInfoOriginalFileName in DeviceProcessEvents. Tested and works for rules such as https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_renamed_binary.yml
2021-09-10 15:51:32 -07:00
a798469961
Update lacework.py
2021-09-10 09:46:57 -05:00
fe53f6dd5d
moved default values to backend file
2021-09-09 15:02:59 -07:00
647f81d128
reverted changes in base.py to upstream
2021-09-09 10:55:36 -07:00
03a8d93a54
Merge branch 'master' of https://github.com/Preston-Young/sigma
2021-09-09 10:41:10 -07:00
c2c1b21a27
cleaning up changed files
2021-09-09 10:40:48 -07:00
4a98d68977
Merge branch 'SigmaHQ:master' into master
2021-09-09 10:28:16 -07:00
dc88ad7c73
fix sigma_uuid assign id
2021-09-05 17:50:54 +02:00
acf2bfbd27
Update sigma_uuid verify
...
Make a better verify code
2021-09-05 10:43:42 +02:00
11e4b900e4
Update global id
2021-09-03 06:59:40 +02:00
086a15fc45
Update global ID
2021-09-02 20:07:03 +02:00
51bc036dbf
Merge pull request #1921 from roysjosh/azure-sentinel-arm-output
...
Azure Sentinel support
2021-09-01 22:26:42 +02:00
3d6ad1bc0f
Merge pull request #1944 from ncrqnt/elastic-subtechniques
...
[Elastic] Add support for authors and subtechniques
2021-09-01 22:25:10 +02:00
b0efaf5a51
changed adjustMatches function to combine aall atomic matches into a single bool statement
2021-08-31 18:15:46 -07:00
b36db223b1
fixing path wildcards that don't adhear to tool specifications
2021-08-30 21:06:57 -04:00
96c7e180fe
Merge branch 'master' of https://github.com/SigmaHQ/sigma into qoutes_and_wildcards
...
Signed-off-by: neu5ron <neu5ron@users.noreply.github.com >
2021-08-30 16:33:33 -04:00
61897fa2e0
Merge branch 'master' of https://github.com/SigmaHQ/sigma into qoutes_and_wildcards
...
Signed-off-by: neu5ron <neu5ron@users.noreply.github.com >
2021-08-30 16:06:58 -04:00
00dec96245
Add support for subtechniques
2021-08-30 08:45:21 +02:00
5f271bf334
add author field to elastic rule
2021-08-30 08:29:07 +02:00
5f1143247b
Update "sigmac -l" message
2021-08-28 08:51:58 +02:00
cc6e4381b2
feat(backend): introducing lacework backend
...
Adding authors
Removing todo
2021-08-26 14:12:47 -05:00
a5d175fbf7
feat(backend): introducing lacework backend
2021-08-26 14:05:44 -05:00
294bb432d0
Add Azure Sentinel backend
...
The web interface expects ARM templates.
2021-08-24 16:01:23 -04:00
829117ca7f
Allow ints as values in ALA backend
...
Without this, LogonType set as an int caused sigmac to abort the rule.
2021-08-24 16:00:08 -04:00
Tim Shelton