security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7,892 Commits 1 Branch 57 Tags
fefb8564717d69af72ededb4172bc7ec00aac734
Commit Graph

23 Commits

Author SHA1 Message Date
albchen 1dec1a49fa Mapped OriginalFileName in DeviceProcessEvents 
Mapped OriginalFileName to ProcessVersionInfoOriginalFileName in DeviceProcessEvents. Tested and works for rules such as https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_renamed_binary.yml
 2021-09-10 15:51:32 -07:00
Wietze 17595e2443 Enabling Linux/macOS support on MDATP, fixing incorrect parent cmd mappings 2021-08-12 18:07:13 +01:00
Florian Roth 84b181d170 Revert "feat: OriginalFileName mapping in MDATP ImageLoad events" 
This reverts commit cdc434cfc4.
 2021-07-08 08:55:33 +02:00
Florian Roth cdc434cfc4 feat: OriginalFileName mapping in MDATP ImageLoad events 2021-07-07 18:22:58 +02:00
Remco Hofman 0aa05f53e9 MDATP ServiceInstalled event mapping 2021-06-03 21:43:52 +02:00
Wietze 30c6d753fd Removed unnecessary imports 2021-04-01 16:08:22 +01:00
Wietze fb1bb91c3c Apply changes to Defender for Endpoint backend 2021-04-01 16:02:06 +01:00
albchen 42e82c95df Updated for use with Image Load events 
Added compatibility to add DeviceImageLoadEvents if "image_load" category is found. Also, field ImageLoaded added to the mapping.
 2021-03-18 15:49:25 -07:00
Chris Brake 4aa7505b40 Updated fields to align with MS Advanced Threat Hunting Schema. Standardised and sorted fields across schemas. 2021-02-04 11:54:29 +00:00
Simen Lybekk c0a7cdc3de mdatp: Use case-insensitive searches by default 
This sohuld match the draft Sigma specification as well as other backends
 2020-11-12 14:09:30 +01:00
Simen Lybekk a75d4fb561 mdatp: Add more field mappings and table<->generic event mappings, skip IMPHASH as it's not supported 2020-11-12 13:15:38 +01:00
vh 383823f49a Fix: added default value of current_table 2020-10-21 10:12:17 +03:00
vh 51df5ad876 Added: 
Sumo Logic CSE Rule Backend

Updated:
Mapping depence on logsource
Azure Sentinel Query Backend
MDATP: query with few logsources
CROWDSTRIKE: fix generateMapItemTypedNode
 2020-10-06 15:07:52 +03:00
Chris Brake 6ed1ea6509 Updating the mdatp backend file as it is currently impossible to set an ActionType as there is no mapping to EventType 2020-06-30 14:49:29 +01:00
Thomas Patzke c992dc5215 Improved test coverage 2020-06-05 23:33:51 +02:00
Thomas Patzke 5d88d97c73 Merge branch 'improvements/improved_mdatp_mappings' of https://github.com/wietze/sigma into wietze-improvements/improved_mdatp_mappings 2020-06-05 23:03:52 +02:00
vh fb9c5841f4 Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00
Wietze 2b3828730c Reversed disabling FileDelete 2020-05-02 17:31:50 +01:00
Wietze e5574e07f2 Disabled FileDelete event (Sysmon 11 - no rules available yet) 2020-05-02 16:21:56 +01:00
Wietze 5abf4cbea9 Reordered fields 2020-05-02 14:46:55 +01:00
Wietze 661108903b Minor consistency fix 2020-05-02 14:37:37 +01:00
Wietze 46737cbfd3 Improved Microsoft ATP mapping, using Advanced Hunting Schema 
See https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference
 2020-05-02 14:31:02 +01:00
David Szili 0947538228 MDATP schema changes 
WDATP was renamed to MDATP (Microsoft Defendre ATP).
MDATP also had schema changes recently: https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914
The updates reflect these changes
 2020-03-09 17:12:41 +01:00