Commit Graph

1373 Commits

Author SHA1 Message Date
Florian Roth 9e287a1b89 feat: MSExchange Management log mapping 2021-03-20 08:49:59 +01:00
Florian Roth 1fc408bfaa fix: duplicate field values in YAML configs 2021-03-20 08:49:43 +01:00
Florian Roth 6ac6b9295b Merge pull request #1392 from hustlibraco/patch-1
Update winlogbeat.yml
2021-03-20 08:28:35 +01:00
albchen 42e82c95df Updated for use with Image Load events
Added compatibility to add DeviceImageLoadEvents if "image_load" category is found. Also, field ImageLoaded added to the mapping.
2021-03-18 15:49:25 -07:00
Codehardt 6d626456f2 fix: syntax error in THOR's config file 2021-03-17 11:49:50 +01:00
libraco 3c5624ca88 Update winlogbeat.yml
add `SAMAccountName: winlog.event_data.SamAccountName` mapping for rules/windows/builtin/win_vul_cve_2020_1472.yml
2021-03-15 23:54:28 +08:00
libraco 2971a08734 Update winlogbeat.yml
add AccessList mapping of winlogbeat for rules/windows/builtin/win_susp_lsass_dump_generic.yml.
2021-03-15 23:01:07 +08:00
Thomas Patzke f4734cd5e5 Merge pull request #1309 from WuerthIT:logsourcemerging
functionality for parameter logsourcemerging
2021-03-13 22:25:29 +01:00
Thomas Patzke c13f3f1383 Merge pull request #1325 from dennispo/align-simac-stixshifter
sigmac to STIX enhancements
2021-03-13 18:49:12 +01:00
Thomas Patzke 99c7889363 Merge pull request #1368 from roysjosh/stable-risk-scores
es-rule: make risk scores stable
2021-03-13 18:46:37 +01:00
vh 7eeed68fb4 Chronicle Security Backend contributed by SOC Prime. 2021-03-12 12:21:44 +02:00
Johnny Walker 0873c57acf Update netwitness.py
nullExpression fixed to be really null (missing exclamation mark)
2021-03-09 17:43:44 +01:00
Johnny Walker 4e5a9a58a5 Update netwitness-epl.py
nullExpression and notNullExpression fixed to be logically coherent and compatible with EPL syntax
2021-03-09 17:41:54 +01:00
Dennis Potashnik 12cc2cade1 Moved references to binary file from custom config to stix-2.0 config 2021-03-02 12:04:22 +02:00
Dennis Potashnik e12d710ab4 Fixed config typo 2021-03-02 11:51:46 +02:00
Joshua Roys 92fcc314bf es-rule: make risk scores stable
Don't create unnecessary deltas between runs.
2021-03-01 10:13:34 -05:00
Thomas Patzke a08571be91 Merge branch 'master' of https://github.com/Neo23x0/sigma 2021-02-28 21:57:51 +01:00
Thomas Patzke 6995e6378b Added LGPL to distribution 2021-02-28 21:32:38 +01:00
jaegeral e1f43f17c2 fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00
Thomas Patzke e248012783 Release 0.19 2021-02-23 21:27:14 +01:00
Thomas Patzke 5cfd837776 Removed irrelevant type check in fieldlist backend
Fixes issue #1351
2021-02-23 21:15:29 +01:00
Thomas Patzke 74ae89833f Added long description to PyPI distribution 2021-02-23 21:06:25 +01:00
Dennis Potashnik 563fd3c7e2 Fixed error mapping for stix-shifter configuration 2021-02-08 17:55:03 +02:00
Dennis Potashnik 08ee6d7f1f deleted missed file 2021-02-08 11:44:00 +02:00
Dennis Potashnik 2b917d6f97 Merge branch 'align-sigmac-stixshifter' into align-simac-stixshifter 2021-02-08 11:40:47 +02:00
Dennis Potashnik 08c8db25e9 New configuration layout: stix2.0 for basic stix mappings, stix-shifter to match the OCA stix-shifter mappings and stix-custom for the unsupported mappings 2021-02-08 10:56:31 +02:00
Chris Brake 4aa7505b40 Updated fields to align with MS Advanced Threat Hunting Schema. Standardised and sorted fields across schemas. 2021-02-04 11:54:29 +00:00
Nate Guagenti a3a90068e3 Merge branch 'master' of https://github.com/Neo23x0/sigma into qoutes_and_wildcards
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
2021-02-01 09:55:13 -05:00
Gregor 921ebf7445 Optimizing Qradar query generation in cases where field definitions are missing 2021-01-26 15:24:44 +01:00
Gregor ac3730d2fa Fixing Qradar implementation to create valid AQL queries 2021-01-25 15:37:05 +01:00
k-vdv 89a4e48b0a bugfix field support 2021-01-22 09:28:23 +01:00
Nate Guagenti 36656c3fac Add to ElasticsearchDSLBackend the logic to NOT quote an analyzed field if it contains a wildcard; otherwise things such as '*' get treated as an exact match
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
2021-01-18 07:01:50 -05:00
Nate Guagenti caf6586928 Add logic to NOT quote an analyzed field if it contains a wildcard; otherwise things such as '*' get treated as an exact match
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
2021-01-18 06:49:57 -05:00
Nate Guagenti 47bd41f012 revert commented line 2021-01-18 05:55:12 -05:00
Florian Roth 11c216629b fix: thor sources for applocker with wrong prefix 2021-01-07 12:27:37 +01:00
Dennis Potashnik 70d14b46ef Aligning with newer stix-shifter version 2021-01-05 15:13:36 +02:00
Thomas Patzke 789dfb3f47 Merge pull request #1291 from lprat/fix_issue_1285
fix issue 1285
2020-12-30 23:06:38 +01:00
Thomas Patzke 675d93ee3d Replaced string comparison with isinstance 2020-12-30 22:50:13 +01:00
Thomas Patzke 1bb0963784 Moved set_size option to class where it's used 2020-12-30 22:25:57 +01:00
Thomas Patzke ac55c7fdd4 Merge branch 'elasticsearch_backend' of https://github.com/WuerthIT/sigma into pr-1308 2020-12-30 22:18:13 +01:00
maravedi fa6f75f07e Update sumologic.yml
The commit from vihreb on October 6, 2020 (https://github.com/Neo23x0/sigma/commit/51df5ad8764cd6896a3ef83ad388aebc136d5815) removed some items from the allowed fields list for the sumologic backend (https://github.com/Neo23x0/sigma/blob/51df5ad8764cd6896a3ef83ad388aebc136d5815/tools/sigma/backends/sumologic.py#L161) with the expectation that they are included in the sumologic config, however the default sumologic config does not reflect that change. This breaks the parsing of maps from rules. For example, when trying to run sigmac on a rule with multiple EventID values, the result is an error that states "argument of type 'int' is not iterable."

I suspect that this change in the behavior of the backend was made to accommodate the new sumologic-cse config, which may not need the additional allowed fields that the regular sumologic config does. As such, I think it would probably make the most sense to re-add these fields to the sumologic config file rather than directly back into the backend for sumologic.

Note: In the config, I did not include those fields that are presently hard coded in the allowed field list in the sumologic backend (e.g. _sourceCategory and _view were removed). I also removed "sourcename" since from what I can tell, the syntax that vihreb added to the sumologic backend "_sourceName" is actually correct.
2020-12-28 16:46:32 -05:00
k-vdv 6744770768 functionality for parameter logsourcemerging 2020-12-15 09:23:49 +01:00
k-vdv 7e6f01f611 elasticsearch backend: new parameter and fields support 2020-12-14 16:07:09 +01:00
Florian Roth d1f7a206b9 Merge pull request #1289 from weslambert/master
Fix typo
2020-12-13 19:04:07 +01:00
Simon 97fcae56fd Update sigmac.py 2020-12-06 20:08:00 +01:00
Simon 4a4d3e1d35 Update sigmac.py 2020-12-04 18:22:24 +01:00
Simon Hilchenbach a40ef7360d Add sigmac flag to delimit results by NUL instead of \n 2020-12-04 18:05:23 +01:00
Thomas Patzke 578d2f0585 Merge pull request #1283 from 404d/mdatp-fixes
mdatp: Mapping and generic event changes, case insensitive search
2020-11-29 21:56:17 +01:00
findthebad ad899899ab Updated winlogbeat.yml config to include OriginalFileName 2020-11-26 14:48:14 -05:00
Helge Aksdal 3a7c114ca3 Fix field mapping for DestinationHostname 2020-11-26 04:17:28 +01:00