security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
7,892 Commits 1 Branch 57 Tags
fefb8564717d69af72ededb4172bc7ec00aac734
Commit Graph

462 Commits

Author SHA1 Message Date
albchen 1dec1a49fa Mapped OriginalFileName in DeviceProcessEvents 
Mapped OriginalFileName to ProcessVersionInfoOriginalFileName in DeviceProcessEvents. Tested and works for rules such as https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_renamed_binary.yml
 2021-09-10 15:51:32 -07:00
Austin Songer a798469961 Update lacework.py 2021-09-10 09:46:57 -05:00
Thomas Patzke 51bc036dbf Merge pull request #1921 from roysjosh/azure-sentinel-arm-output 
Azure Sentinel support
 2021-09-01 22:26:42 +02:00
Thomas Patzke 3d6ad1bc0f Merge pull request #1944 from ncrqnt/elastic-subtechniques 
[Elastic] Add support for authors and subtechniques
 2021-09-01 22:25:10 +02:00
neu5ron 96c7e180fe Merge branch 'master' of https://github.com/SigmaHQ/sigma into qoutes_and_wildcards 
Signed-off-by: neu5ron <neu5ron@users.noreply.github.com>
 2021-08-30 16:33:33 -04:00
neu5ron 61897fa2e0 Merge branch 'master' of https://github.com/SigmaHQ/sigma into qoutes_and_wildcards 
Signed-off-by: neu5ron <neu5ron@users.noreply.github.com>
 2021-08-30 16:06:58 -04:00
Nico 00dec96245 Add support for subtechniques 2021-08-30 08:45:21 +02:00
Nico 5f271bf334 add author field to elastic rule 2021-08-30 08:29:07 +02:00
frack113 5f1143247b Update "sigmac -l" message 2021-08-28 08:51:58 +02:00
David Hazekamp cc6e4381b2 feat(backend): introducing lacework backend 
Adding authors
Removing todo
 2021-08-26 14:12:47 -05:00
David Hazekamp a5d175fbf7 feat(backend): introducing lacework backend 2021-08-26 14:05:44 -05:00
Joshua Roys 294bb432d0 Add Azure Sentinel backend 
The web interface expects ARM templates.
 2021-08-24 16:01:23 -04:00
Joshua Roys 829117ca7f Allow ints as values in ALA backend 
Without this, LogonType set as an int caused sigmac to abort the rule.
 2021-08-24 16:00:08 -04:00
Joshua Roys 93be8471ec Fix tactics/techniques in ALA backend 2021-08-24 15:58:21 -04:00
Thomas Patzke 3396d72d81 Merge pull request #1887 from frack113/fix_NodeSubexpression_len 
fix sigmac error "has no len()"
 2021-08-22 12:11:16 +02:00
Thomas Patzke cbf1fd213b Merge pull request #1856 from theoguidoux/sql-sqlite-fields-selection 
[Ready] SQL & SQLite rule fields selection
 2021-08-22 12:09:07 +02:00
frack113 4e895da471 fix error "has no len()" 2021-08-20 09:20:56 +02:00
Austin Songer e039f91272 Spelling 2021-08-18 19:00:57 +00:00
Theo Guidoux 2a3acd7d11 add selection flag for backward compatibility 2021-08-16 19:32:54 +02:00
Theo Guidoux c1876b9ff6 add fields from rules to query + sqlite 2021-08-16 13:33:43 +02:00
Theo Guidoux 16269c0d63 cleaner default value handling 2021-08-16 10:47:05 +02:00
Theo Guidoux 40018eef7f edit help + case where 'select=' 2021-08-16 10:44:01 +02:00
Thomas Patzke 607724278a Merge pull request #1580 from codyswanson4:master 
Update Elasticsearch Watcher backend to populate name column in Kibana
 2021-08-13 23:33:47 +02:00
Thomas Patzke f9c9f73b09 Merge pull request #1772 from eocete-devo:master 
[Devo backend] Added support for multicondition rules using Devo subqueries
 2021-08-13 23:30:04 +02:00
Thomas Patzke 32400e5d55 Merge pull request #1785 from theoguidoux:theoguidoux/sql-backend-field-selection 
Add fields selection to sql backend option
 2021-08-13 23:29:24 +02:00
Thomas Patzke 62a53ca895 Merge pull request #1835 from wietze:fix/mdatp/linux_support 
Enabling Linux/macOS support on MDATP
 2021-08-13 23:28:06 +02:00
Thomas Patzke 1b215e3aaf Merge pull request #1828 from wietze/optimisation/nesting_reduction 
Optimising lists/subexpressions with only one item
 2021-08-12 22:41:17 +02:00
Thomas Patzke 8694afe023 Merge pull request #1779 from frack113/elastalert 
Fix elastalert multi output file
 2021-08-12 22:40:36 +02:00
Wietze 17595e2443 Enabling Linux/macOS support on MDATP, fixing incorrect parent cmd mappings 2021-08-12 18:07:13 +01:00
Wietze 7ba375dea0 Optimising lists/subexpressions with length 1 
Should reduce brackets on some output targets
 2021-08-11 18:00:09 +01:00
frack113 f6980edc66 fix english : normalize 2021-08-07 11:16:24 +02:00
frack113 2333defde7 add hash_normalise option 2021-08-07 08:24:36 +02:00
Theo Guidoux b7e301b639 add field selection to sql backend option 2021-08-06 11:46:00 +02:00
RedKyper b353a10643 elastalert multi output file 2021-08-05 20:37:07 +02:00
eocete 692bc9a63a Added support for multicondition rules using Devo subqueries 2021-08-04 08:52:32 +02:00
frack113 359dd6bbb8 fix my code 2021-08-01 19:34:07 +02:00
frack113 186583f78f fix the output not the core 2021-08-01 16:14:51 +02:00
Wietze e0d6856987 [CarbonBlack] Adding extra escape character 
Hyphens, especially when at the start of a query, need escaping since hyphens are also used to negate conditions
 2021-07-29 13:57:58 +01:00
thegoatreich d14e0f1aaa add logrhythm lucene backend 
Copied and modded the es-qs backend for logrhythm's lucene syntax.
 2021-07-16 13:02:05 +01:00
Jonhnathan f6e7fc446f Remove Wildcard 2021-07-13 11:21:12 -03:00
mf1d3l 9005b58649 extend cim 2021-07-10 23:06:29 +02:00
mf1d3l 0271bc6b13 clean 2021-07-10 22:13:09 +02:00
mf1d3l b986ed0716 extend cim 2021-07-10 19:02:24 +02:00
mfidel ffadd110cb Update splunkdm.py 2021-07-10 00:03:41 +02:00
mfidel 82f8412988 Update splunkdm.py 2021-07-10 00:02:33 +02:00
mf1d3l 368388a7e6 Add Splunk Datamodel backend 2021-07-09 23:18:17 +02:00
Florian Roth 84b181d170 Revert "feat: OriginalFileName mapping in MDATP ImageLoad events" 
This reverts commit cdc434cfc4.
 2021-07-08 08:55:33 +02:00
Florian Roth cdc434cfc4 feat: OriginalFileName mapping in MDATP ImageLoad events 2021-07-07 18:22:58 +02:00
Florian Roth 400fae4dba Merge pull request #1609 from cianmcgovern/graylog-fix 
Escape spaces in graylog backend
 2021-07-04 14:20:07 +02:00
frack113 8fd81acee4 Change getRuleName() to get 'id-title' instead of ('id' or 'title') 2021-07-04 11:56:59 +02:00