security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7,892 Commits 1 Branch 57 Tags
fefb8564717d69af72ededb4172bc7ec00aac734
Commit Graph

1105 Commits

Author SHA1 Message Date
Florian Roth ae05e8eb11 Merge pull request #935 from SanWieb/933-EventID-process_creation 
Revert "Ref #933 - Added windows Process Creation to config"
 2020-07-16 14:32:19 +02:00
Sander 94272c7770 Revert "Ref #933 - Added windows Process Creation to config" 
This reverts commit 6c35a7afa0.
 2020-07-16 14:30:17 +02:00
Florian Roth 80e6e933a9 Merge pull request #934 from SanWieb/933-EventID-process_creation 
Proposed fix for #933
 2020-07-16 13:38:12 +02:00
Sander 6c35a7afa0 Ref #933 - Added windows Process Creation to config 2020-07-16 13:16:57 +02:00
Aidan Bracher e0476d5ce6 Merge branch 'master' of git://github.com/Neo23x0/sigma 2020-07-15 16:35:29 +01:00
Aidan Bracher 1e5ee5823c Fix for indentation issue 
Wrong indentation of line 182 meant that even where config options
were given, the default per backend was being used, rendering
custom config useless.
 2020-07-15 16:29:27 +01:00
Florian Roth c7e412788a Merge pull request #924 from Neo23x0/devel 
Live MITRE ATT&CK data from TAXI service in Test Scripts
 2020-07-14 18:15:29 +02:00
Florian Roth 71e66ea9ba refactor: tests use live data from MITRE's TAXI service 2020-07-14 17:54:02 +02:00
Pushkarev Dmitry 6c999df3b7 Added AppLocker log source 2020-07-13 20:48:06 +00:00
Pushkarev Dmitry 8e3f973e69 Added AppLocker log source 2020-07-13 20:46:49 +00:00
Pushkarev Dmitry bdfb646228 Added AppLocker log source 2020-07-13 20:45:30 +00:00
Pushkarev Dmitry 364af53902 Added AppLocker log source 2020-07-13 20:44:03 +00:00
Pushkarev Dmitry 326cf05a74 Added AppLocker log source 2020-07-13 20:41:54 +00:00
Pushkarev Dmitry 46a6183745 Added AppLocker log source 2020-07-13 20:32:03 +00:00
Pushkarev Dmitry a58e037509 Added AppLocker log source 2020-07-13 20:30:02 +00:00
Pushkarev Dmitry 7fb2e2b845 Added AppLocker log source 2020-07-13 20:29:13 +00:00
Pushkarev Dmitry e376948258 Added AppLocker log source 2020-07-13 20:27:52 +00:00
Pushkarev Dmitry 0d925896b9 Added AppLocker log source 2020-07-13 20:23:42 +00:00
Pushkarev Dmitry c30a256030 Added AppLocker log source 2020-07-13 20:21:46 +00:00
Pushkarev Dmitry 1da229e3a9 Added AppLocker log source 2020-07-13 20:20:28 +00:00
Pushkarev Dmitry 3a19e3cf23 Added AppLocker log source 2020-07-13 20:18:01 +00:00
bar ca7cf8478d - IntegrityLevel mapping to integritylevel 2020-07-08 19:37:24 +03:00
bar 8855a87dbf - TargetProcessAddress mapping should be as startaddress mapping 
- remove extra '-'
 2020-07-08 17:35:57 +03:00
bar 8889ae21ca DestinationPort to network-traffic:dst_port mapping fix 2020-07-08 14:31:04 +03:00
bar 50ef79b398 Custom STIX object "x-sigma" for fields that missing mapping, so the pattern is STIX valid 2020-07-08 14:09:26 +03:00
Thomas Patzke 9bcff522b6 Merge branch 'master' of https://github.com/rashimo/sigma into pr-709 2020-07-07 23:12:03 +02:00
bar acbab2db4b stix backend + mapping configurations for windows logs and qradar 2020-07-07 15:04:16 +03:00
Florian Roth c8ca55b3e4 fix: duplicate wrong old key 2020-07-06 17:14:59 +02:00
Florian Roth cc31ed8b84 fix: missing NTLM log source in THOR 2020-07-06 17:07:06 +02:00
Thomas Patzke 939156fa6d Introduced dns_query log source category 2020-07-05 23:29:51 +02:00
Thomas Patzke 0df21289a0 Merge branch 'dns-fixes' of https://github.com/rtkbkish/sigma into pr-893 2020-07-05 23:24:56 +02:00
Thomas Patzke 57cb255208 Merge pull request #864 from cclauss/patch-3 
Fix undefined names in sigma2misp.py
 2020-07-05 23:16:22 +02:00
Brad Kish 8b3b312c4e Proposed fix for https://github.com/Neo23x0/sigma/issues/889 
This change removes dns events from the network connection category. The
one change is that sysmon_regsvr32_network_activity.yml needs to test
the network connection category separately from the DNS event id.
 2020-07-03 16:28:19 -04:00
Florian Roth 6420820eb2 Merge pull request #871 from Christopolos94/master 
Update to mdatp backend
 2020-07-03 11:29:01 +02:00
Thomas Patzke 43e5ae5d24 Added Windows NTLM log source + fixes 2020-07-02 23:20:36 +02:00
Florian Roth 9c0f9f398f refactor: sysmon rule cleanup > generlization 2020-07-01 10:58:39 +02:00
Chris Brake 6ed1ea6509 Updating the mdatp backend file as it is currently impossible to set an ActionType as there is no mapping to EventType 2020-06-30 14:49:29 +01:00
j91321 ae842a65cb Windows Defender rules and logsource 2020-06-28 10:55:32 +02:00
Christian Clauss 9dc3940c07 Fix undefined names in sigma2misp.py 
create_new_event() -> create_new_event(args, misp) to fix:

flake8 testing of https://github.com/Neo23x0/sigma on Python 3.8.3

% _flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics_
```
./tools/sigma/sigma2misp.py:11:16: F821 undefined name 'misp'
    if hasattr(misp, "new_event"):
               ^
./tools/sigma/sigma2misp.py:12:16: F821 undefined name 'misp'
        return misp.new_event(info=args.info)["Event"]["id"]
               ^
./tools/sigma/sigma2misp.py:12:36: F821 undefined name 'args'
        return misp.new_event(info=args.info)["Event"]["id"]
                                   ^
./tools/sigma/sigma2misp.py:14:13: F821 undefined name 'misp'
    event = misp.MISPEvent()
            ^
./tools/sigma/sigma2misp.py:15:18: F821 undefined name 'args'
    event.info = args.info
                 ^
./tools/sigma/sigma2misp.py:16:12: F821 undefined name 'misp'
    return misp.add_event(event)["Event"]["id"]
           ^
6     F821 undefined name 'misp'
6
```
 2020-06-28 07:02:41 +02:00
Thomas Patzke 0ee47e118c Merge branch 'pr-848' 2020-06-28 01:04:30 +02:00
Thomas Patzke 89ed9f3763 Merge pull request #819 from cclauss/patch-2 
Undefined name: from .exceptions import SigmaCollectionParseError
 2020-06-28 00:37:09 +02:00
Thomas Patzke 09378b5ebf Fixed unsupported attempt to index a set 2020-06-28 00:27:33 +02:00
Thomas Patzke 415f826ece Merge branch 'default-pop' of https://github.com/rtkbkish/sigma into rtkbkish-default-pop 2020-06-28 00:09:39 +02:00
Thomas Patzke b1e4f44c21 Merge pull request #823 from Kuermel/master 
Add more Options for XPackWatcherBackend (Elasticsearch)
 2020-06-28 00:03:04 +02:00
Thomas Patzke d1f37bdbd4 Merge pull request #828 from stevengoossensB/master 
Split rules based on Sysmon event ID
 2020-06-28 00:00:32 +02:00
Thomas Patzke de5e453e19 Merge pull request #831 from 404d/cbr-backend-tweaks 
Add parentheses around field list groups in CB
 2020-06-27 23:39:57 +02:00
Florian Roth da46ff6e93 docs: descriptions for source configs 2020-06-25 13:59:51 +02:00
Florian Roth 825bda397d desc: better descriptions in help for backends and configurations 2020-06-25 13:21:43 +02:00
Florian Roth 07c0a6558e fix: wording on sysmon mapping file 2020-06-24 17:49:42 +02:00
Florian Roth f3fedef8f5 Changed category names and remove sysmon log source 2020-06-24 17:41:21 +02:00