26cfbb9c34
config: mapping for Microsoft SMBClient service - security
2021-06-30 14:16:26 +02:00
8262a1d98b
config: mappings for Microsoft print service
2021-06-30 14:09:44 +02:00
f2b24ea6a3
Add support for action yml
2021-06-29 17:45:59 +02:00
bb8fe7f3b8
Add --output-extention if you want a custom output file extention (.ndjson,.txt,.splunk,..)
2021-06-29 08:13:48 +02:00
b26fc228b4
update help and add '/' or '\\' for surfix
2021-06-28 21:25:51 +02:00
831654a57a
Add a way to have a output prefix
2021-06-28 19:27:20 +02:00
ab3a54c336
Update Elasticsearch Watcher backend to populate name field in alert metadata
2021-06-27 12:08:45 -07:00
abe353de66
Merge pull request #1561 from frack113/es_rule_add_more_tag
...
add multi custom tag for issue #1560
2021-06-25 12:25:28 +02:00
2ad6401487
Merge pull request #1565 from SpeedyFireCyclone/powershell_fieldmappings
...
Generic remapping for PowerShell backend
2021-06-25 12:21:00 +02:00
537d89d185
Merge pull request #1575 from SigmaHQ/rule-devel
...
rules: PurpleSharp, WMIC ActiveScriptEventConsumer
2021-06-25 12:15:35 +02:00
bfbd1c6487
Merge remote-tracking branch 'upstream/master' into master
2021-06-21 14:11:39 +02:00
4b92dbb90d
master: Added new Devo backend for the sigmac tool. Added three new backend configurations to support the Devo backend. Added a new test suite to cover the Devo backend cases.
2021-06-21 14:06:04 +02:00
a18c3952d9
More generic remapping for PowerShell backend
2021-06-20 07:58:01 +02:00
1f2c93a4e7
add multi custom tag for issue #1560
2021-06-17 08:05:44 +02:00
0e7ad2bac8
small change to splunk logsource config
2021-06-16 14:52:45 +03:00
900263315a
Added support for free-text search in logsources configuration, enabling usage of splunk macros and ability to optimize the resulting searches.
2021-06-16 14:52:45 +03:00
ae06ebcae0
Merge pull request #1551 from xg5-simon/xg5-simon
...
Support for VMware Carbon Black Cloud EEDR
2021-06-10 18:35:16 +02:00
bf40b64f91
docs: better title in crowdstrike config
2021-06-10 17:07:01 +02:00
cd2792f82c
Merge pull request #1547 from frack113/new_filter_condition
...
Add New filter condition
2021-06-10 14:42:44 +02:00
1d081e300d
Support for VMware Carbon Black Cloud EEDR
...
Add support for VMware Carbon Black Cloud EEDR. Field mappings derived from https://developer.carbonblack.com/reference/carbon-black-cloud/cb-threathunter/latest/process-search-fields/
2021-06-10 21:45:29 +10:00
ab3baa9463
Merge pull request #1534 from SpeedyFireCyclone/mdatp_serviceinstalled
...
MDATP ServiceInstalled mapping
2021-06-10 09:05:56 +02:00
a600e2dcaa
forget a print debug
2021-06-10 08:49:15 +02:00
af1aee9541
Add filter condition= and condition!=
2021-06-10 08:26:19 +02:00
1b4d4cfb82
Add missing sysmon EventID
2021-06-09 12:52:38 +02:00
2034d36677
Add support for Elastic EQL
...
The EQL backend supports translation of the "near" aggregation into
EQL sequences. Additionally, the es-rule backend now has a sibling
es-rule-eql backend that outputs EQL queries instead of qs.
2021-06-08 13:38:38 -04:00
e66a3f9513
T1562.001 Attempting to disable scheduled scanning and other parts of windows defender atp.
2021-06-07 15:03:19 +02:00
3d9fe490ab
Detect modification of sysmon configuration by sysmon
2021-06-04 11:27:15 +02:00
0aa05f53e9
MDATP ServiceInstalled event mapping
2021-06-03 21:43:52 +02:00
2115bfcd75
Merge pull request #1519 from frack113/esrule_new_option
...
Add some fun backend option for es-rule
2021-06-03 20:50:44 +02:00
bf98f43850
Set powershell_alternate_powershell_hosts.yml more accurate by adding the correct channel for EventID
2021-06-01 10:47:17 +02:00
aa34ff8e3c
Addition of System channel for more accurate detection
2021-05-30 09:27:08 +02:00
7ec513f1d0
Fix error when use -< namefile.yml in commandline as I never use it
2021-05-28 12:47:37 +02:00
b3a608599a
Add some fun backend option for es-rule
2021-05-28 10:51:08 +02:00
6e31bc3037
Merge pull request #1485 from V1D1AN/master
...
Update ecs-zeek-elastic-beats-implementation.yml
2021-05-27 14:59:14 +02:00
ffeda2a2a2
Merge pull request #1492 from frack113/es_rule_uuid
...
Fix errors when import es-rule ndjson to KIBANA
2021-05-27 10:24:39 +02:00
f98716c672
Merge pull request #1500 from frack113/sigmac_add_time_filter
...
Sigmac add new filter
2021-05-27 10:16:19 +02:00
d06f2bcf14
fix: sysmon backend "startswith"
2021-05-26 15:42:16 +02:00
bb71860fb2
Merge pull request #1509 from vastlimits/feature/update-6.1
...
Updated uberAgent backend to support version 6.1.
2021-05-26 13:08:08 +02:00
0e688d8dd0
Add the 'logsource!=' filter
2021-05-22 09:04:30 +02:00
f213226eb4
Add the 'tag!=' filter
2021-05-22 08:57:42 +02:00
8aa3ea15d7
change to the more revealing name "inlastday"
2021-05-22 08:44:30 +02:00
8a8f003d15
add lastday filter to get only the rule update or create in the last N days
...
lastday=0 is all :)
2021-05-21 19:31:06 +02:00
b92b765f9a
Fix import to kibana error 400 severity is invalid.
2021-05-20 13:14:43 +02:00
cbb81cdf86
Fix import to kibana error 400 rish_score is null.
...
rish_score is a integer.
If level is invalid set to medium
2021-05-20 12:32:19 +02:00
f0974e9cf3
Fix : **false_positives** must be a array.
...
If null add "Unknown".
If it is a string convert to a simple array row
2021-05-20 11:20:38 +02:00
76523c5dbf
fix [ #1486 ]( https://github.com/SigmaHQ/sigma/issues/1486 ).
...
rule_id is always an uuid now.
For the rule-collection with only one uuid :
- first detection get the uuid
- other detection get a new uuid
it is a palliative, because the secondary uuid are not kept between 2 launches.
best practice is to use one uuid per detection and not files.
2021-05-20 08:42:58 +02:00
a36bc55b06
Updated uberAgent backend to support version 6.1.
2021-05-18 12:07:09 +02:00
3b23c18f70
If not null use uuid instead of title for the rule id
2021-05-17 22:12:17 +02:00
56e3a6aaf3
Update ecs-zeek-elastic-beats-implementation.yml
2021-05-16 22:53:25 +02:00
691283616f
Merge pull request #1477 from wagga40/master
...
Resolves #1450 - Bug in es-rule backend when using "-r" argument
2021-05-14 09:00:30 +02:00
Florian Roth