Tim Shelton
f2d9cf0964
Initial commit of hawk analytic score generator
2021-10-18 21:39:49 +00:00
Tim Shelton
ae2923bdd8
Initial commit of hawk analytic score generator
2021-10-18 21:39:49 +00:00
Wagga
17d78a5c4c
Fix a missing var reset in SQLite backend
2021-10-17 16:21:59 +02:00
frack113
e5b3a1cc14
Merge pull request #2151 from frack113/ps_category
Powershell category
2021-10-17 07:15:31 +01:00
frack113
7fc6532665
fix yml
2021-10-16 22:49:20 +02:00
Thomas Patzke
76c02a14b2
Merge pull request #1558 from maketsi/splunk-search-ext
Added ability to define free-text searches in the logsource mapping
2021-10-16 20:49:14 +02:00
Thomas Patzke
9d8828a0ed
Merge pull request #1696 from denny-lclin/lclin/fix-ada-wildcard
Fix [ALA] Conversion of wildcard not as expected for ada backend #1689
2021-10-16 20:46:23 +02:00
Thomas Patzke
f3c01a3f65
Merge pull request #1948 from zazzzSec/fix_cb_paths
fixing cb path wildcards that don't work
2021-10-16 20:44:14 +02:00
Thomas Patzke
4806a88427
Merge pull request #2029 from marcurdy/master
Correct for proper output to Splunk and CarbonBlack. Add AWS Athena c…
2021-10-16 20:37:59 +02:00
Thomas Patzke
e6881e41a6
Merge pull request #2090 from roysjosh/ala-near
Implement "near" support for ALA/Sentinel
2021-10-16 20:34:32 +02:00
Thomas Patzke
00dd72acf2
Merge pull request #2118 from albchen/patch-3
Add generateAggregation
2021-10-16 20:33:11 +02:00
frack113
94fe989f11
Merge pull request #2139 from phantinuss/providername
Introducing the field 'Provider Name' for Windows Eventlog Log Sources
2021-10-16 18:05:10 +01:00
frack113
fc796df654
add references
2021-10-16 08:37:51 +02:00
frack113
690b26fb90
change order to chain sysmon
2021-10-16 08:19:25 +02:00
frack113
468cac031d
fix status
2021-10-14 07:19:41 +02:00
phantinuss
81b4a0eb98
feat: adapt logsources for field names without spaces
2021-10-13 14:36:10 +02:00
phantinuss
1099d40473
rename the field 'Provider Name' to 'Provider_Name'
2021-10-13 13:04:11 +02:00
phantinuss
3d8002a237
fix: Use 'Provider Name' for windows eventlog log sources
2021-10-13 11:40:24 +02:00
frack113
f1d5605f10
fix yml space
2021-10-11 07:44:48 +02:00
frack113
9810a9fe73
add powershell.yml
2021-10-11 07:42:04 +02:00
albchen
62025971c7
Add generateAggregation
Adds aggregation function for rules such as win_multiple_suspicious_cli.yml or win_dnscat2_powershell_implementation.yml. Modeled after splunk.py backend, converted to use MDE's count() and dcount() instead of Splunk's count() and dc(). Requires a valid config for converting aggfields and groupfields.
2021-10-03 17:37:05 -07:00
frack113
94bff8e5ea
Merge pull request #2108 from hazedav/master
fix(backend): add remediation for lacework policy
2021-09-30 17:38:38 +02:00
hazedav
67818f125a
fix(backend): add remediation for lacework policy
2021-09-30 09:27:18 -05:00
frack113
424b0263df
add EventID 26
2021-09-29 08:53:22 +02:00
frack113
41f0fe6b52
Merge pull request #2095 from frack113/update_help
Update filter help
2021-09-28 16:23:29 +02:00
frack113
c27084dd0c
Merge pull request #2094 from frack113/backend_sysmon
Fix logsource not a string
2021-09-28 16:22:58 +02:00
frack113
11dc276185
Update filter help
2021-09-28 10:33:10 +02:00
Joshua Roys
0f3b169c45
Implement "near" support for ALA/Sentinel
2021-09-27 15:01:32 -04:00
frack113
bcdf164b4c
fix space
2021-09-27 19:17:14 +02:00
frack113
a0b48b96d4
Fix 'NoneType' object has no attribute 'lower'
2021-09-27 18:49:58 +02:00
frack113
6782a7af4d
fix TargetUserName and TargetUserSid for detection
2021-09-27 09:27:01 +02:00
frack113
74c2d39d53
Merge pull request #2081 from austinsonger/ecs-ms365_defender.yml
ecs-ms365_defender.yml
2021-09-27 08:03:36 +02:00
frack113
d08d3712be
Add more debug info
2021-09-25 19:33:30 +02:00
Austin Songer
00f4773eeb
Create ecs-ms365_defender.yml
2021-09-24 20:02:39 -05:00
Austin Songer
696f343ac3
Delete ecs-ms365_defender.yml
2021-09-24 20:02:04 -05:00
Austin Songer
176b9662fc
Update ecs-ms365_defender.yml
2021-09-24 20:01:00 -05:00
Austin Songer
dd2f3e50db
Create ecs-ms365_defender.yml
2021-09-24 19:53:21 -05:00
Austin Songer
527975c02f
Update ecs-azure-ad_signinlogs.yml
2021-09-24 19:33:01 -05:00
Austin Songer
9ca1ea993d
Create ecs-azure-ad_signinlogs.yml
2021-09-24 19:29:40 -05:00
Steven
9cb826b0d1
Rename auditbeat.yml to ecs-auditbeat-modules-enabled.yml
2021-09-24 09:00:26 +02:00
Steven
bf1a8c2415
Fix yamllint
2021-09-23 18:56:29 +02:00
Steven
35a710eec6
Added configuration for auditbeat, mapping to Elastic ECS
2021-09-23 14:59:51 +02:00
frack113
88a59be69c
Add options and return error code
2021-09-18 18:13:16 +02:00
frack113
72d301ba20
remove bad cb
2021-09-18 15:55:01 +02:00
frack113
365db5abbc
fix bad elasticsearch-rule
2021-09-18 15:54:08 +02:00
frack113
5081c210b7
add simple script
2021-09-18 15:51:05 +02:00
Maxime Lamothe-Brassard
314fa5aaa5
Add validation for logical sub operators.
2021-09-14 18:00:09 -07:00
Austin Songer
7ff0ff104a
Update ecs-okta.yml
2021-09-14 01:52:03 -05:00
Austin Songer
2a52cef62e
Update ecs-okta.yml
2021-09-13 22:29:19 -05:00
Austin Songer
1895906580
Update ecs-okta.yml
2021-09-13 22:16:43 -05:00