Commit Graph

1265 Commits

Author SHA1 Message Date
Max Altgelt b4553dcd9d feat: Add finer powershell log source distinction
Credits for this go to @frack113
2021-12-13 09:49:28 +01:00
frack113 87b2f45db6 Merge pull request #2401 from hazedav/master
feat(sigma): Add support for Lacework agent data
2021-12-10 18:04:07 +01:00
frack113 bd90531f65 Merge pull request #2424 from redsand/hawk_add_translate
hawk backend: fixing err where regex is mangled and should be left alone
2021-12-10 06:45:25 +01:00
Tim Shelton d58bf20e4c fixing err where regex is mangled and should be left alone 2021-12-09 20:43:58 +00:00
Tim Shelton d1b7eda60c adding translation for User, apparently it's case sensitive 2021-12-09 20:04:20 +00:00
David Hazekamp 5d46d5fe46 Merge remote-tracking branch 'upstream/master' 2021-12-07 11:17:32 -06:00
hazedav 73f69c6697 feat(sigma): Add support for Lacework agent data
Support linux.file_create
Support linux.process_creation
2021-12-07 11:16:26 -06:00
Tim Shelton 3b7ce140c1 adding ps_module to config.. currently not listed in any config yaml for backends, will trigger regex detection on all payloads 2021-12-07 16:18:00 +00:00
Florian Roth d2e77a5cd0 Merge pull request #2392 from redsand/hawk_fix_regex_type
fixes error when implementing regex type, data should not be escaped
2021-12-07 06:15:10 +01:00
Tim Shelton 1937a90cbf fixing yaml err 2021-12-06 23:03:24 +00:00
Tim Shelton 7a7cf4ede6 fix str err 2021-12-06 22:32:10 +00:00
Tim Shelton 8871898adf fixing yaml fail 2021-12-06 22:05:13 +00:00
Tim Shelton ea511bd761 adding file event filter 2021-12-06 20:50:20 +00:00
Tim Shelton 76a3dda786 fixes error when implementing regex type, data should not be escaped 2021-12-06 20:22:14 +00:00
stbe be579910bb Logsource condition applied once in nested expression 2021-12-06 14:23:51 +01:00
Tim Shelton a38f98a3be adding translation of provider_name to channel 2021-12-02 20:35:25 +00:00
Tim Shelton 48f592fc41 reducing scores for informational levels and adding field translation for user 2021-12-01 17:25:23 +00:00
Tim Shelton e0e3e42c77 adding fix to begins/ends with feature 2021-12-01 16:39:25 +00:00
Tim Shelton 621f629390 adds support for begins and ends with 2021-12-01 16:10:13 +00:00
Tim Shelton df315f5e08 enforcing snake case per hawk-analyticsd specs 2021-12-01 15:51:22 +00:00
Tim Shelton caf47a9e3d reducing score minus 5 for lows... will need a multitude 2021-12-01 14:33:28 +00:00
Tim Shelton b3a9e05a59 Merge branch 'master' of https://github.com/redsand/sigma into hawk_webserver_category 2021-12-01 14:26:35 +00:00
Florian Roth e43d7f7e0e Merge pull request #2357 from redsand/hawk_backend_fix_added_double_backslash_from_sigmac
Fixing added backslashes that are generated by sigma backend
2021-12-01 15:11:32 +01:00
Tim Shelton 6927b0e69f Fixing added backslashes that are generated by sigma backend 2021-12-01 13:29:15 +00:00
frack113 00560f3162 Add zircolite config 2021-11-30 19:10:14 +01:00
Tim Shelton 790755e753 adding webserver as filter for sigma config 2021-11-30 16:33:54 +00:00
Tim Shelton fff12a3461 adding antivirus filter for vendor_type.. was matching against our fim data 2021-11-23 18:14:51 +00:00
Tim Shelton ad75a9a5bf updating hawk backend to provide additional tag enrichment. helps manage the state of each sigma rule, if experimental or not 2021-11-23 16:57:43 +00:00
frack113 4425f9cbcd Update sigma2attack.py 2021-11-20 19:59:57 +01:00
frack113 17296b4f5c Fix score error 2021-11-20 11:13:18 +01:00
frack113 1186982172 Add missing info 2021-11-20 10:10:17 +01:00
frack113 64d7386b9d Update and fix sigma2attack 2021-11-20 09:55:51 +01:00
redsand (Tim Shelton) bc334ab456 Hawk backend support for wildcard in middle of string (#2273)
* updating yaml cfg for ms eventlog support

* update config and sigma backend, so that comments are not replaced, but rather the details of the record

* updating scriptblocktext to value

* adding a few missing ip address translations

* Fixing error when handling comparisons of null values, and additional fix of lack of support for not

* adding additional translations for missing category entries

* fixing error when handling list of ors with a not indicator

* finishes support for windows translations, pending qa

* adding dedupe feature and additional translation fix for dns-server

* adding image_loaded translation

* forced to pull back on the aggressive deduping, caused some inaccuracies

* adding more ux friendly formatting for regex

* adds support for wildcards in middle of strings

* adding a missing null check for supporting null matching

* adding cisco, av, and django cfg in yaml. updated apache in yaml and added another translation for ip_dport
2021-11-18 06:29:41 +01:00
Sven Scharmentke c09b1861ec Merge branch 'SigmaHQ:master' into feature/uberagent-compat-6.2 2021-11-17 16:30:05 +01:00
Thomas Patzke ad647a6ecb Merge pull request #2240 from Entropy0/bugfix/condition-type-inheritance
fix condition token inheritance
2021-11-15 23:43:53 +01:00
Thomas Patzke cdaefbff69 Merge pull request #2265 from SigmaHQ/fix-ids
Additional characters in identifier token
2021-11-15 23:26:28 +01:00
Thomas Patzke aa47b88326 Merge pull request #2264 from roysjosh/fix-agg-ge-le
Fix aggregation GE/LE
2021-11-15 22:51:14 +01:00
Thomas Patzke 068255fc82 Additional characters in identifier token 2021-11-15 22:46:22 +01:00
Joshua Roys 87f919d0bc Fix aggregation GE/LE
List longest matches first; otherwise they will never match.
2021-11-15 15:57:46 -05:00
wagga40 a8d00385c3 Fix double quotes escaping and values with commas in SQLite/SQL backends 2021-11-11 20:55:01 +01:00
frack113 8b419b8f07 Merge pull request #2247 from frack113/fix_field
Fix rule field name
2021-11-11 08:51:52 +01:00
redsand (Tim Shelton) a9b49679d3 Updates to hawk sigmac backend (#2244)
Updated HAWK sigma backend
2021-11-11 08:01:53 +01:00
ZikyHD 510da0085e Update sysmon.py (#2234)
Update sysmon.py and merge from master
2021-11-10 20:43:13 +01:00
frack113 b7b1ebf772 Fix LogonId - SubjectLogonId 2021-11-10 19:12:51 +01:00
frack113 ee4082b50d Merge pull request #2242 from frack113/fix_ProcessCommandLine
Fix process command line
2021-11-10 08:09:06 +01:00
frack113 a089a83794 Merge pull request #2238 from frack113/fix_logsource
Fix logsource
2021-11-10 08:08:40 +01:00
frack113 ca17949d85 Merge pull request #2237 from frack113/m365
standardization m365
2021-11-10 08:08:10 +01:00
frack113 c5fa73c328 fix ProcessCommandLine to ParentCommandLine 2021-11-09 16:13:29 +01:00
Entropy0 c7259b6196 fix condition token inheritance
Without this fix, isinstance(ConditionOR(), ConditionAND) yields True
2021-11-09 13:19:53 +01:00
David Vassallo e1ecd379fa Update elk-winlogbeat.yml
Adding "RelativeTargetName" since it's used by `win_lm_namedpipe.yml`
2021-11-09 13:38:31 +02:00