1423 Commits

Author SHA1 Message Date
frack113 6bd09ec054 Merge pull request #3114 from hazedav/self-join-filter
feat(backend): support for parent process filters
2022-06-09 08:16:13 +02:00
David Hazekamp c1b5551486 feat(backend): bump lacework config version 2022-06-08 23:41:54 -05:00
David Hazekamp fea9602210 feat(backend): support for parent process filters 2022-06-08 23:39:32 -05:00
Tim Shelton 4d7d0b3235 backend - updating hawk backend with additional translations 2022-06-08 19:04:37 +00:00
David Hazekamp 323298ba91 fix(backend): use subexp when OR list items 2022-06-03 14:54:35 -05:00
Maxime Lamothe-Brassard 3fdaf8b9f1 Support alternate case for OriginalFileName. 2022-05-27 11:01:22 -07:00
Florian Roth 662c13a720 Merge pull request #3035 from redsand/hawk_backend_cfg_update
Backend: adding additional entries to hawk.yml
2022-05-24 12:33:11 +02:00
Tim Shelton b339901806 Backend: because hawk splits up SYSTEM and NT AUTHORITY, additional treatment is needed on some rules 2022-05-23 23:52:52 +00:00
Tim Shelton 6ca03d741b adding additional file hash column translation 2022-05-23 21:11:34 +00:00
Tim Shelton 605a0bc678 Backend: adding additional entries to hawk.yml 2022-05-23 18:46:50 +00:00
tr0mb1r ab7d7dbed8 Update sysmon.yml
typo in config
2022-05-20 13:47:18 +04:00
Thomas Patzke 01ffec65fe Merge pull request #2994 from ablescia/feat-hedera_backend
Hedera Backend - C# dynamic LINQ
2022-05-18 23:23:51 +02:00
Tim Shelton 232fd9ad17 removing duplicate 2022-05-10 13:19:22 +00:00
Tim Shelton ad727e11e9 adding additional zeek categories to sort out false positive matching 2022-05-10 03:39:16 +00:00
Tim Shelton c64197233d fixing error in translation 2022-05-10 02:19:23 +00:00
Tim Shelton 50a4a02364 adding additional field with ip_src as initial cardinal 2022-05-10 01:51:37 +00:00
Tim Shelton 8674e26218 adding cardinality of each group by to include source address. otherwise lookups will only be using "command" for example 2022-05-10 01:50:46 +00:00
Tim Shelton 278e825794 fixing hawk backend fields for zeek. wrong character 2022-05-10 01:45:17 +00:00
Tim Shelton 0709758651 Adding updates for zeek, as well as some missing sections for windows. internal review of rules will continue. 2022-05-09 23:23:35 +00:00
Tim Shelton 6aa0064c28 adding support for splitting out domain and user for nt authority, since it's split in the application into 2 fields, only works for system currently. not aware of other examples 2022-05-09 23:23:07 +00:00
Antonio Blescia feca339bfc created hedera backend file 2022-05-08 15:59:14 +02:00
Tim Shelton bd51eb4c72 adding additional filter for string 2022-05-04 15:27:23 +00:00
Tim Shelton ad003de3fb Fixing mismatch of sigs when using system/app/security and additional matching against provider name 2022-05-04 14:58:02 +00:00
tungnd27 9d7a7f7896 Add StreamAlert backend 2022-05-03 17:32:19 +07:00
Tim Shelton 102a45a215 adding support for terminal services-localsessionmanager 2022-04-29 14:29:05 +00:00
Florian Roth f695443c4c Merge pull request #2969 from SigmaHQ/new-source-terminalservices
New source terminalservices
2022-04-29 13:25:12 +02:00
Florian Roth 43f3a31d19 feat: new service definition - terminal services 2022-04-29 12:26:26 +02:00
Tim Shelton eb0bcd7c9f updating hawk field translation, and bug when an author field is not present in a sig 2022-04-28 19:54:00 +00:00
secops4thewin 4442bb6982 Removed empty line 2022-04-28 13:18:11 +10:00
secops4thewin 9275d33ab2 Add timeframe to search for Devo
Modified search to include a timeframe option.
2022-04-28 13:14:41 +10:00
Tim Shelton 3f08d37a0e adding linux-auditd support and alignment 2022-04-20 14:31:32 +00:00
Tim Shelton 83ece8c9ca adding missing file_ entries 2022-04-13 15:57:54 +00:00
Tim Shelton bca687a1ad adding a couple more missing entries 2022-04-13 15:15:15 +00:00
Tim Shelton 500c97020f Backend: updating hawk backend config, still pending file_rename and other file_ categories 2022-04-13 14:38:18 +00:00
DustInDark 1a7e03c96b changed windows-bits-client Channel
The windows-bits-client tag was converted to `WinEventlog:Microsoft-Windows-Bits-Client/Operational`, but the other channels do not add `WinEventLog:`.

Removed "WinEventlog" to unify with other channel conversions.

ex: https://answers.microsoft.com/en-us/windows/forum/all/unknown-events-in-windowsbits-clientoperational/c0856f82-44a2-4998-9a3b-9d6eda328136
2022-04-10 21:18:53 +09:00
Thomas Patzke 4028610580 Release 0.21 2022-04-09 00:49:38 +02:00
Tim Shelton 0a9d8fd614 Fixing missed entry for registry_set 2022-03-30 15:56:31 +00:00
phantinuss 7f030b250e fix: wrong mapping of Windows Audit Log EventID 4688
reverts some changes introduced by commit c5fa73c328
    - removes the unnecessary/wrong field mapping
    - fixes the rules to apply to CommandLine instead of
      ParentCommandLine as the author probably intended
2022-03-30 11:24:24 +02:00
frack113 627843d73f New registry category mapping 2022-03-26 19:36:46 +01:00
frack113 33e29b55bf New registry category 2022-03-26 19:05:38 +01:00
frack113 f1b8bc9479 Registry_add 2022-03-26 11:56:39 +01:00
frack113 fbc9e8c2df Update new registry category 2022-03-26 11:46:52 +01:00
frack113 6836d64a14 Fix space 2022-03-26 11:33:30 +01:00
frack113 fb55e0e7b3 Category registry add delete 2022-03-26 11:21:53 +01:00
frack113 6daaa252c1 Update registry category 2022-03-26 11:06:11 +01:00
frack113 e2fbbb319d Category registry_set 2022-03-26 10:55:05 +01:00
Florian Roth 213f7fff5c refactor: make antivirus a category 2022-03-24 11:59:33 +01:00
Florian Roth baaad50c65 Delete m365.yml 2022-03-23 08:31:36 +01:00
Florian Roth 40f6361069 fix: adding product azure to tighten log source 2022-03-22 18:16:51 +01:00
Florian Roth 66b74a9b76 fix: bugs in configs 2022-03-22 18:10:35 +01:00