security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7,892 Commits 1 Branch 57 Tags
fefb8564717d69af72ededb4172bc7ec00aac734
Commit Graph

1105 Commits

Author SHA1 Message Date
Florian Roth ac7270ff32 Merge pull request #1669 from leegengyu/patch-11 
Update winlogbeat.yml - Imphash Field
 2021-07-12 15:37:00 +02:00
Florian Roth a16ce3b828 Merge pull request #1673 from frack113/ecs 
Add mapping for auditbeat and filebeat
 2021-07-12 15:36:07 +02:00
Thomas Patzke 0b83c12dd1 Merge branch 'devel-tp' 2021-07-12 10:21:19 +02:00
frack113 b6d2ec33cc Add mapping for auditbeat and filebeat 2021-07-12 09:00:57 +02:00
mf1d3l 9005b58649 extend cim 2021-07-10 23:06:29 +02:00
mf1d3l 681accf2ba add splunkdm to Makefile 2021-07-10 22:23:15 +02:00
mf1d3l 0271bc6b13 clean 2021-07-10 22:13:09 +02:00
mf1d3l b986ed0716 extend cim 2021-07-10 19:02:24 +02:00
G Y bdb77780b3 Update winlogbeat.yml 
Change Imphash's value as current one does not exist without the Sysmon processor module under Winlogbeat.
 2021-07-10 11:37:36 +08:00
G Y cb2985df75 Update winlogbeat-modules-enabled.yml 
Replaced mapping for Imphash (based on Winlogbeat's Sysmon processor module).
 2021-07-10 10:51:05 +08:00
mfidel ffadd110cb Update splunkdm.py 2021-07-10 00:03:41 +02:00
mfidel 82f8412988 Update splunkdm.py 2021-07-10 00:02:33 +02:00
mf1d3l 368388a7e6 Add Splunk Datamodel backend 2021-07-09 23:18:17 +02:00
Ibrahim Ali Khan 8bf07b3575 Create ala-azure-ad_auditlogs.yml 
Azure AD Audit Logs mapping for Azure Log Analytics
 2021-07-08 20:40:39 +05:00
Ibrahim Ali Khan 7bba239f56 Create ala-azure-activitylogs.yml 
Azure Activity Logs mapping for Azure Log Analytics
 2021-07-08 20:40:03 +05:00
Ibrahim Ali Khan 6849aba266 Create ecs-azure-ad_auditlogs.yml 
Azure AD Audit Logs Elasticsearch ecs mapping
 2021-07-08 20:39:05 +05:00
Ibrahim Ali Khan 25dd14829e Create ecs-azure-activitylogs.yml 
Azure Activity Logs Elasticsearch ecs mapping
 2021-07-08 20:37:12 +05:00
Florian Roth a6952540c9 Merge pull request #1659 from SigmaHQ/config-adjustments 
refactor: THOR config adjustments
 2021-07-08 15:37:04 +02:00
Florian Roth 5e7f1f3a36 refactor: THOR config adjustments 2021-07-08 14:51:49 +02:00
Thomas Patzke 09c8d42c03 Deleted Sysmon config which doesn't makes sense 2021-07-08 07:31:49 +02:00
Florian Roth cdc434cfc4 feat: OriginalFileName mapping in MDATP ImageLoad events 2021-07-07 18:22:58 +02:00
frack113 4e3b275056 Fix more windows fields name 2021-07-07 12:28:00 +02:00
frack113 5c9ca35bb6 Add the last missing 2021-07-07 09:10:50 +02:00
frack113 e76f30d59c Add some missing fields mapping 2021-07-06 15:56:33 +02:00
Florian Roth 400fae4dba Merge pull request #1609 from cianmcgovern/graylog-fix 
Escape spaces in graylog backend
 2021-07-04 14:20:07 +02:00
frack113 8fd81acee4 Change getRuleName() to get 'id-title' instead of ('id' or 'title') 2021-07-04 11:56:59 +02:00
Cian Mc Govern 7fca08e5bd Escape spaces in graylog backend 2021-07-02 21:56:08 +01:00
Florian Roth 06ab553d25 Merge pull request #1604 from SigmaHQ/rule-devel 
Config: Splunk fix log sources prefix, THOR PS classic
 2021-07-02 15:39:22 +02:00
Florian Roth ba94b8396c config: thor - powershell classic 2021-07-02 14:14:48 +02:00
Florian Roth 03e2b9d376 fix: missing "WinEventLog:" in splunk-windows.yml 2021-07-02 14:13:12 +02:00
Florian Roth 825ff5520b Merge pull request #1597 from SigmaHQ/rule-devel 
config: add PrintService Operational
 2021-07-01 10:27:43 +02:00
Florian Roth 63f3fd7e73 config: add PrintService Operational 2021-07-01 09:55:15 +02:00
Florian Roth 19962c6fe4 Merge pull request #1590 from SigmaHQ/rule-devel 
config: mappings for Microsoft print service
 2021-06-30 14:50:52 +02:00
Florian Roth a49bfb14dd refactor: Admin log - not Operational 2021-06-30 14:22:40 +02:00
Florian Roth 26cfbb9c34 config: mapping for Microsoft SMBClient service - security 2021-06-30 14:16:26 +02:00
Florian Roth 8262a1d98b config: mappings for Microsoft print service 2021-06-30 14:09:44 +02:00
frack113 f2b24ea6a3 Add support for action yml 2021-06-29 17:45:59 +02:00
frack113 bb8fe7f3b8 Add --output-extention if you want a custom output file extention (.ndjson,.txt,.splunk,..) 2021-06-29 08:13:48 +02:00
frack113 b26fc228b4 update help and add '/' or '\\' for surfix 2021-06-28 21:25:51 +02:00
frack113 831654a57a Add a way to have a output prefix 2021-06-28 19:27:20 +02:00
Cody Swanson ab3a54c336 Update Elasticsearch Watcher backend to populate name field in alert metadata 2021-06-27 12:08:45 -07:00
Florian Roth abe353de66 Merge pull request #1561 from frack113/es_rule_add_more_tag 
add multi custom tag for issue #1560
 2021-06-25 12:25:28 +02:00
Florian Roth 2ad6401487 Merge pull request #1565 from SpeedyFireCyclone/powershell_fieldmappings 
Generic remapping for PowerShell backend
 2021-06-25 12:21:00 +02:00
Florian Roth 537d89d185 Merge pull request #1575 from SigmaHQ/rule-devel 
rules: PurpleSharp, WMIC ActiveScriptEventConsumer
 2021-06-25 12:15:35 +02:00
eocete bfbd1c6487 Merge remote-tracking branch 'upstream/master' into master 2021-06-21 14:11:39 +02:00
eocete 4b92dbb90d master: Added new Devo backend for the sigmac tool. Added three new backend configurations to support the Devo backend. Added a new test suite to cover the Devo backend cases. 2021-06-21 14:06:04 +02:00
Remco Hofman a18c3952d9 More generic remapping for PowerShell backend 2021-06-20 07:58:01 +02:00
frack113 1f2c93a4e7 add multi custom tag for issue #1560 2021-06-17 08:05:44 +02:00
Florian Roth ae06ebcae0 Merge pull request #1551 from xg5-simon/xg5-simon 
Support for VMware Carbon Black Cloud EEDR
 2021-06-10 18:35:16 +02:00
Florian Roth bf40b64f91 docs: better title in crowdstrike config 2021-06-10 17:07:01 +02:00