227eefc985
Merge pull request #3128 from f-block/patch-2
...
ProviderName seems to be wrong
2022-06-14 20:58:11 +02:00
e10a9f0257
Re-added powershell related "ProviderName" mapping
2022-06-14 20:48:36 +02:00
1e0a9fd8c1
Mapping name "Provider_Name" instead of "ProviderName"
...
The mapping identifier `ProviderName` doesn't occur in any windows rule (except one: `powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml`).
Instead, the identifier `Provider_Name` is used.
2022-06-14 18:17:35 +02:00
06234d831d
ProviderName seems to be wrong
...
`ProviderName: winlog.event_data.ProviderName` seems to be wrong (at least in our case). Actually, the mapping from the `winlogbeat-modules-enabled.yml` would be correct, but we definitely don't use the modules (the other mappings don't apply). Maybe the two got mixed up? Can't verify it for the modules config, but at least the `winlogbeat.yml` does seem to have this mapping wrong.
2022-06-14 17:45:36 +02:00
b6ecf5cffd
Fixes typo for TargetServerName mapping
2022-06-14 17:40:33 +02:00
6bd09ec054
Merge pull request #3114 from hazedav/self-join-filter
...
feat(backend): support for parent process filters
2022-06-09 08:16:13 +02:00
c1b5551486
feat(backend): bump lacework config version
2022-06-08 23:41:54 -05:00
fea9602210
feat(backend): support for parent process filters
2022-06-08 23:39:32 -05:00
4d7d0b3235
backend - updating hawk backend with additional translations
2022-06-08 19:04:37 +00:00
323298ba91
fix(backend): use subexp when OR list items
2022-06-03 14:54:35 -05:00
3fdaf8b9f1
Support alternate case for OriginalFileName.
2022-05-27 11:01:22 -07:00
662c13a720
Merge pull request #3035 from redsand/hawk_backend_cfg_update
...
Backend: adding additional entries to hawk.yml
2022-05-24 12:33:11 +02:00
b339901806
Backend: because hawk splits up SYSTEM and NT AUTHORITY, additional treatment is needed on some rules
2022-05-23 23:52:52 +00:00
6ca03d741b
adding additional file hash column translation
2022-05-23 21:11:34 +00:00
605a0bc678
Backend: adding additional entries to hawk.yml
2022-05-23 18:46:50 +00:00
ab7d7dbed8
Update sysmon.yml
...
typo in config
2022-05-20 13:47:18 +04:00
01ffec65fe
Merge pull request #2994 from ablescia/feat-hedera_backend
...
Hedera Backend - C# dynamic LINQ
2022-05-18 23:23:51 +02:00
232fd9ad17
removing duplicate
2022-05-10 13:19:22 +00:00
ad727e11e9
adding additional zeek categories to sort out false positive matching
2022-05-10 03:39:16 +00:00
c64197233d
fixing error in translation
2022-05-10 02:19:23 +00:00
50a4a02364
adding additional field with ip_src as initial cardinal
2022-05-10 01:51:37 +00:00
8674e26218
adding cardinality of each group by to include source address. otherwise lookups will only be using "command" for example
2022-05-10 01:50:46 +00:00
278e825794
fixing hawk backend fields for zeek. wrong character
2022-05-10 01:45:17 +00:00
0709758651
Adding updates for zeek, as well as some missing sections for windows. internal review of rules will continue.
2022-05-09 23:23:35 +00:00
6aa0064c28
adding support for splitting out domain and user for nt authority, since its split in the application into 2 fields, only works for system currently. not aware of other examples
2022-05-09 23:23:07 +00:00
feca339bfc
created hedera backend file
2022-05-08 15:59:14 +02:00
bd51eb4c72
adding additional filter for string
2022-05-04 15:27:23 +00:00
ad003de3fb
Fixing mismatch of sigs when using system/app/security and additional matching against provider name
2022-05-04 14:58:02 +00:00
9d7a7f7896
Add StreamAlert backend
2022-05-03 17:32:19 +07:00
102a45a215
adding support for terminal services-localsessionmanager
2022-04-29 14:29:05 +00:00
f695443c4c
Merge pull request #2969 from SigmaHQ/new-source-terminalservices
...
New source terminalservices
2022-04-29 13:25:12 +02:00
43f3a31d19
feat: new service definition - terminal services
2022-04-29 12:26:26 +02:00
eb0bcd7c9f
updating hawk field translation, and bug when an author field is not present in a sig
2022-04-28 19:54:00 +00:00
4442bb6982
Removed empty line
2022-04-28 13:18:11 +10:00
9275d33ab2
Add timeframe to search for Devo
...
Modified search to include a timeframe option.
2022-04-28 13:14:41 +10:00
3f08d37a0e
adding linux-auditd support and alignment
2022-04-20 14:31:32 +00:00
83ece8c9ca
adding missing file_ entries
2022-04-13 15:57:54 +00:00
bca687a1ad
adding a couple more missing entries
2022-04-13 15:15:15 +00:00
500c97020f
Backend: updating hawk backend config, still pending file_rename and other file_ categories
2022-04-13 14:38:18 +00:00
1a7e03c96b
changed windows-bits-client Channel
...
windows-bits-client tag converted `WinEventlog:Microsoft-Windows-Bits-Client/Operational` but other channel is not add `WinEventLog:`.
Removed "WinEventlog" to unify with other channel conversions.
ex: https://answers.microsoft.com/en-us/windows/forum/all/unknown-events-in-windowsbits-clientoperational/c0856f82-44a2-4998-9a3b-9d6eda328136
2022-04-10 21:18:53 +09:00
4028610580
Release 0.21
2022-04-09 00:49:38 +02:00
0a9d8fd614
Fixing missed entry for registry_set
2022-03-30 15:56:31 +00:00
7f030b250e
fix: wrong mapping of Windows Audit Log EventID 4688
...
reverts some changes introduced by commit c5fa73c328
2022-03-30 11:24:24 +02:00
627843d73f
New registry category mapping
2022-03-26 19:36:46 +01:00
33e29b55bf
New registry category
2022-03-26 19:05:38 +01:00
f1b8bc9479
Registry_add
2022-03-26 11:56:39 +01:00
fbc9e8c2df
Update new registry category
2022-03-26 11:46:52 +01:00
6836d64a14
Fix space
2022-03-26 11:33:30 +01:00
fb55e0e7b3
Catagorie registry add delete
2022-03-26 11:21:53 +01:00
6daaa252c1
Update registry category
2022-03-26 11:06:11 +01:00
frack113