security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
10,511 Commits 1 Branch 57 Tags
e91fc4486e57fc40e30d12253694de4c80a9e4ea
Commit Graph

1373 Commits

Author SHA1 Message Date
frack113 94fe989f11 Merge pull request #2139 from phantinuss/providername 
Introducing the field 'Provider Name' for Windows Eventlog Log Sources
 2021-10-16 18:05:10 +01:00
Florian Roth 6660be9753 config: network connection linux 2021-10-16 14:22:48 +02:00
frack113 fc796df654 add references 2021-10-16 08:37:51 +02:00
frack113 690b26fb90 change order to chain sysmon 2021-10-16 08:19:25 +02:00
Florian Roth 5a144e1864 sysmon for linux - process_creation mapping 2021-10-15 14:46:13 +02:00
Tim Shelton 6d6a57a3b4 Add additional information to the analytic record, including tags, author info, rule id and references 2021-10-14 15:05:05 +00:00
Tim Shelton 1a9f106d34 Initial commmit of hawk analytic score generator 2021-10-14 14:17:03 +00:00
frack113 468cac031d fix status 2021-10-14 07:19:41 +02:00
Tim Shelton 1f5d9d8adc Initial commmit of hawk analytic score generator 2021-10-13 14:36:49 +00:00
phantinuss 81b4a0eb98 feat: adapt logsources for field names without spaces 2021-10-13 14:36:10 +02:00
phantinuss 1099d40473 rename the field 'Provider Name' to 'Provider_Name' 2021-10-13 13:04:11 +02:00
phantinuss 3d8002a237 fix: Use 'Provider Name' for windows eventlog log sources 2021-10-13 11:40:24 +02:00
frack113 f1d5605f10 fix yml space 2021-10-11 07:44:48 +02:00
frack113 9810a9fe73 add powershell.yml 2021-10-11 07:42:04 +02:00
albchen 62025971c7 Add generateAggregation 
Adds aggregation function for rules such as win_multiple_suspicious_cli.yml or win_dnscat2_powershell_implementation.yml. Modeled after splunk.py backend, converted to use MDE's count() and dcount() instead of Splunk's count() and dc(). Requires a valid config for converting aggfields and groupfields.
 2021-10-03 17:37:05 -07:00
frack113 94bff8e5ea Merge pull request #2108 from hazedav/master 
fix(backend): add remediation for lacework policy
 2021-09-30 17:38:38 +02:00
hazedav 67818f125a fix(backend): add remediation for lacework policy 2021-09-30 09:27:18 -05:00
frack113 424b0263df add EventID 26 2021-09-29 08:53:22 +02:00
frack113 41f0fe6b52 Merge pull request #2095 from frack113/update_help 
Update filter help
 2021-09-28 16:23:29 +02:00
frack113 c27084dd0c Merge pull request #2094 from frack113/backend_sysmon 
Fix logsource  not a string
 2021-09-28 16:22:58 +02:00
frack113 11dc276185 Update filter help 2021-09-28 10:33:10 +02:00
Joshua Roys 0f3b169c45 Implement "near" support for ALA/Sentinel 2021-09-27 15:01:32 -04:00
frack113 bcdf164b4c fix space 2021-09-27 19:17:14 +02:00
frack113 a0b48b96d4 Fix 'NoneType' object has no attribute 'lower' 2021-09-27 18:49:58 +02:00
frack113 6782a7af4d fix TargetUserName and TargetUserSid for detection 2021-09-27 09:27:01 +02:00
frack113 74c2d39d53 Merge pull request #2081 from austinsonger/ecs-ms365_defender.yml 
ecs-ms365_defender.yml
 2021-09-27 08:03:36 +02:00
frack113 d08d3712be Add more debug info 2021-09-25 19:33:30 +02:00
Austin Songer 00f4773eeb Create ecs-ms365_defender.yml 2021-09-24 20:02:39 -05:00
Austin Songer 696f343ac3 Delete ecs-ms365_defender.yml 2021-09-24 20:02:04 -05:00
Austin Songer 176b9662fc Update ecs-ms365_defender.yml 2021-09-24 20:01:00 -05:00
Austin Songer dd2f3e50db Create ecs-ms365_defender.yml 2021-09-24 19:53:21 -05:00
Austin Songer 527975c02f Update ecs-azure-ad_signinlogs.yml 2021-09-24 19:33:01 -05:00
Austin Songer 9ca1ea993d Create ecs-azure-ad_signinlogs.yml 2021-09-24 19:29:40 -05:00
Steven 9cb826b0d1 Rename auditbeat.yml to ecs-auditbeat-modules-enabled.yml 2021-09-24 09:00:26 +02:00
Steven bf1a8c2415 Fix yamllint 2021-09-23 18:56:29 +02:00
Steven 35a710eec6 Added configuration for auditbeat, mapping to Elastic ECS 2021-09-23 14:59:51 +02:00
frack113 88a59be69c Add options and return error code 2021-09-18 18:13:16 +02:00
frack113 72d301ba20 remove bad cb 2021-09-18 15:55:01 +02:00
frack113 365db5abbc fix bad elasticsearch-rule 2021-09-18 15:54:08 +02:00
frack113 5081c210b7 add simple script 2021-09-18 15:51:05 +02:00
Maxime Lamothe-Brassard 314fa5aaa5 Add validation for logical sub operators. 2021-09-14 18:00:09 -07:00
Austin Songer 7ff0ff104a Update ecs-okta.yml 2021-09-14 01:52:03 -05:00
Austin Songer 2a52cef62e Update ecs-okta.yml 2021-09-13 22:29:19 -05:00
Austin Songer 1895906580 Update ecs-okta.yml 2021-09-13 22:16:43 -05:00
Austin Songer 15bd61ed9f Update ecs-okta.yml 2021-09-13 21:45:14 -05:00
Mark McCurdy 94e47dcbb3 removing duplicate mappings due to yamllint 2021-09-13 21:34:52 -05:00
Austin Songer 87affad990 Create ecs-okta.yml 2021-09-13 21:31:25 -05:00
Thomas Patzke c7ecf6da65 Merge pull request #2009 from Preston-Young/master 
Added New OpenSearch Monitor Backend
 2021-09-13 23:07:35 +02:00
Mark McCurdy 58d9e4180a Correct for proper output to Splunk and CarbonBlack. Add AWS Athena config/backend support 2021-09-13 14:17:33 -05:00
albchen 1dec1a49fa Mapped OriginalFileName in DeviceProcessEvents 
Mapped OriginalFileName to ProcessVersionInfoOriginalFileName in DeviceProcessEvents. Tested and works for rules such as https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_renamed_binary.yml
 2021-09-10 15:51:32 -07:00