security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

766 Commits

Author SHA1 Message Date
Florian Roth 55c39122e3 Merge branch 'master' into rule-devel 2021-05-05 11:56:20 +02:00
Florian Roth a9c837659b backend: powershell: escape $ symbols in strings 2021-05-03 15:30:33 +02:00
wagga40 cc13a5e3de Add a backend option to specify table name for SQL Backend 2021-05-02 14:39:41 +02:00
Maxime Lamothe-Brassard 11982abec0 Add support for macOS rules and fix case sensitivity. 2021-04-28 16:49:59 -07:00
Thomas Patzke 35e6e515ba Merge pull request #1414 from herrBez/fix-542-dsl-aggregation-without-aggfield 
Fix es-dsl aggregation generation when aggfield is not given
 2021-04-20 10:35:16 +02:00
Cedric Hien 2ff27aa980 Fix SyntaxWarning for 'is' on fireeye-helix backend 2021-04-17 12:55:13 +02:00
herrBez 3b30a91185 Fix es-dsl aggregation generation when aggfield is not given 
Related to #542 and #543
 2021-04-06 16:41:46 +02:00
Thomas Patzke 82fd5ca233 Merge pull request #1408 from roysjosh/es-rule-threshold 
Implement Elastic threshold detection rules
 2021-04-06 00:50:50 +02:00
Thomas Patzke d789eb9c6f Merge pull request #1409 from roysjosh/es-barf-on-multiple-conditions 
Elastic: raise an error from the base backend if a rule has multiple conditions
 2021-04-06 00:50:05 +02:00
Wietze 30c6d753fd Removed unnecessary imports 2021-04-01 16:08:22 +01:00
Wietze fb1bb91c3c Apply changes to Defender for Endpoint backend 2021-04-01 16:02:06 +01:00
Joshua Roys 7923852cc3 Elastic: raise an error from the base backend if a rule has multiple conditions 2021-03-31 16:01:05 -04:00
Joshua Roys 0448e46870 Implement Elastic threshold detection rules 
Transform supported count() aggregations (> and >=, no count field,
optionally a group by field) into a threshold detection rule.
 2021-03-31 15:19:04 -04:00
Thomas Patzke eb98f0ba28 Merge pull request #1402 from refractionPOINT/lc-support-live-wel 
Add option to support different LimaCharlie targets.
 2021-03-29 23:13:01 +02:00
Florian Roth ac1f82f7ca Merge pull request #1380 from iosonogio/bugfix/netwitness-null 
[bugfix] netwitness and netwitness-epl backends have incoherent null expressions
 2021-03-29 11:23:18 +02:00
Maxime Lamothe-Brassard e0666036a4 Add option to support different LimaCharlie targets. 2021-03-24 17:58:50 -07:00
albchen 42e82c95df Updated for use with Image Load events 
Added compatibility to add DeviceImageLoadEvents if "image_load" category is found. Also, field ImageLoaded added to the mapping.
 2021-03-18 15:49:25 -07:00
Thomas Patzke f4734cd5e5 Merge pull request #1309 from WuerthIT:logsourcemerging 
functionality for parameter logsourcemerging
 2021-03-13 22:25:29 +01:00
Thomas Patzke c13f3f1383 Merge pull request #1325 from dennispo/align-simac-stixshifter 
sigmac to STIX enhancements
 2021-03-13 18:49:12 +01:00
Thomas Patzke 99c7889363 Merge pull request #1368 from roysjosh/stable-risk-scores 
es-rule: make risk scores stable
 2021-03-13 18:46:37 +01:00
vh 7eeed68fb4 Chronicle Security Backend contributed by SOC Prime. 2021-03-12 12:21:44 +02:00
Johnny Walker 0873c57acf Update netwitness.py 
nullExpression fixed to be really null (missing exclamation mark)
 2021-03-09 17:43:44 +01:00
Johnny Walker 4e5a9a58a5 Update netwitness-epl.py 
nullExpression and notNullExpression fixed to be logically coherent and compatible with EPL syntax
 2021-03-09 17:41:54 +01:00
Joshua Roys 92fcc314bf es-rule: make risk scores stable 
Don't create unnecessary deltas between runs.
 2021-03-01 10:13:34 -05:00
jaegeral e1f43f17c2 fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00
Thomas Patzke 5cfd837776 Removed irrelevant type check in fieldlist backend 
Fixes issue #1351
 2021-02-23 21:15:29 +01:00
Dennis Potashnik 2b917d6f97 Merge branch 'align-sigmac-stixshifter' into align-simac-stixshifter 2021-02-08 11:40:47 +02:00
Dennis Potashnik 08c8db25e9 New configuration layout: stix2.0 for basic stix mapings, stix-shifter to match the OCA stix-shifter mappings and stix-custom for the unsupported mappings 2021-02-08 10:56:31 +02:00
Chris Brake 4aa7505b40 Updated fields to align with MS Advanced Threat Hunting Schema. Standardised and sorted fields across schemas. 2021-02-04 11:54:29 +00:00
Nate Guagenti a3a90068e3 Merge branch 'master' of https://github.com/Neo23x0/sigma into qoutes_and_wildcards 
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
 2021-02-01 09:55:13 -05:00
Gregor 921ebf7445 Optimizing Qradar query generation in cases where field definitions are missing 2021-01-26 15:24:44 +01:00
Gregor ac3730d2fa Fixing Qradar implementation for create valid AQL queries 2021-01-25 15:37:05 +01:00
k-vdv 89a4e48b0a bugfix field support 2021-01-22 09:28:23 +01:00
Nate Guagenti 36656c3fac Add to ElasticsearchDSLBackend the logic to NOT quote an analyzed field if it contains wildcard, things such as '*' get treated as an exact match 
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
 2021-01-18 07:01:50 -05:00
Nate Guagenti caf6586928 Add logic to NOT quote an analyzed field if it contains wildcard, things such as '*' get treated as an exact match 
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
 2021-01-18 06:49:57 -05:00
Nate Guagenti 47bd41f012 revert commented line 2021-01-18 05:55:12 -05:00
Thomas Patzke 789dfb3f47 Merge pull request #1291 from lprat/fix_issue_1285 
fix issue 1285
 2020-12-30 23:06:38 +01:00
Thomas Patzke 675d93ee3d Replaced string comparison with isinstance 2020-12-30 22:50:13 +01:00
Thomas Patzke 1bb0963784 Moved set_size option to class where it's used 2020-12-30 22:25:57 +01:00
k-vdv 6744770768 functionality for parameter logsourcemerging 2020-12-15 09:23:49 +01:00
k-vdv 7e6f01f611 elasticsearch backend: new parameter and fields support 2020-12-14 16:07:09 +01:00
Simon 97fcae56fd Update sigmac.py 2020-12-06 20:08:00 +01:00
Simon 4a4d3e1d35 Update sigmac.py 2020-12-04 18:22:24 +01:00
Simon Hilchenbach a40ef7360d Add sigmac flag to delimit results by NUL instead of \n 2020-12-04 18:05:23 +01:00
Thomas Patzke 578d2f0585 Merge pull request #1283 from 404d/mdatp-fixes 
mdatp: Mapping and generic event changes, case insensitive search
 2020-11-29 21:56:17 +01:00
Thomas Patzke 0ed54a6cae Merge pull request #1290 from arollyson/helix_backend 
Backend: FireEye Helix
 2020-11-21 00:06:19 +01:00
Lionel 7ca368d1ed fix issue 1285 
https://github.com/Neo23x0/sigma/issues/1285
 2020-11-20 16:42:20 +01:00
Alek Rollyson 83b8af6cd2 Add FirEye Helix backend 2020-11-19 11:18:28 -05:00
Simen Lybekk c0a7cdc3de mdatp: Use case-insensitive searches by default 
This sohuld match the draft Sigma specification as well as other backends
 2020-11-12 14:09:30 +01:00
Simen Lybekk a75d4fb561 mdatp: Add more field mappings and table<->generic event mappings, skip IMPHASH as it's not supported 2020-11-12 13:15:38 +01:00