security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7,892 Commits 1 Branch 57 Tags
fefb8564717d69af72ededb4172bc7ec00aac734
Commit Graph

1105 Commits

Author SHA1 Message Date
Brad Kish 203aa192c7 Fix multiple references to default field mapping in same rule 
If there is a default mapping specified for a fieldmapping and that field is
referenced multiple times in the rule, the default mapping will be "pop"ped
and return the unmapped key on subsequent uses.

Don't pop the value. Just return the first entry.
 2020-06-18 13:01:31 -04:00
Florian Roth d371fd864c Merge pull request #834 from ebeahan/elastic-updates 
Elastic section updates
 2020-06-13 10:04:49 +02:00
Thomas Patzke f907c49ab5 Improved test coverage 
* Added test case
* Removed unused code
 2020-06-13 01:11:08 +02:00
Thomas Patzke b129556388 Automatic inclusion of all configuration files 2020-06-13 00:04:45 +02:00
Thomas Patzke 80e8f0e5fa Release 0.17.0 2020-06-12 23:52:06 +02:00
Thomas Patzke 24d83b80cd Merge branch 'script_entry_points' 2020-06-12 23:13:11 +02:00
Eric Beahan bba0b2d851 Elastic documentation improvements 2020-06-12 13:40:39 -05:00
Nate Guagenti aac1af1832 typo, was missing the = and *. 
also, show option when using case insensitive for everything, how to "exclude" a field from that regex.

Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
 2020-06-12 11:37:32 -04:00
Simen Lybekk bbcbed4742 Add parentheses about field list groups in CB 
This should address the grouping issue from #660.
The grouping issue was solved by just slamming some parentheses around the fields in the listExpression field.
 2020-06-11 15:33:02 +02:00
Steven Goossens 423baafa2a Added rules for different sysmon categories and added the category definition 2020-06-10 15:02:15 +02:00
Thomas Patzke 915ea1cc67 Merge branch 'script_entry_points' into master 2020-06-10 00:51:47 +02:00
Florian Roth 565febd39d README updated 2020-06-09 23:25:09 +02:00
Nate Guagenti f4fe425fa7 update readme for some analyzed field and keyword field examples 2020-06-09 16:53:50 -04:00
Thomas G 8c61dc9248 Add more Options for XPackWatcherBackend (Elasticsearch) 
Add action_throttle_period, mail_from adn mail_profile to the XPackWatcherBackend (Elasticsearch)
 2020-06-09 20:57:26 +02:00
Nate Guagenti 117ceac492 moved file to ecs-zeek-elastic-beats-implementation.yml 2020-06-09 08:56:01 -04:00
Christian Clauss dff7efc173 Update collection.py 2020-06-08 13:55:52 +02:00
Christian Clauss 55c0a03564 Undefined name: from .exceptions import SigmaCollectionParseError 
Discovered in #378.  `SigmaCollectionParseError()` is called on line 55 but it is never defined or imported which means that NameError will be raised instead of SigmaCollectionParseError.
 2020-06-08 13:55:16 +02:00
Florian Roth 94b90adf10 docs: move Sigmac help from Wiki to repo 2020-06-07 12:18:37 +02:00
Thomas Patzke 36a7077648 Moved tool executables to new location 2020-06-07 01:14:04 +02:00
Thomas Patzke a7d18c7ed9 Converted sigma2attack and added to entry points 2020-06-07 01:03:09 +02:00
Thomas Patzke 8688e8a2a1 Script entrypoint stubs 2020-06-07 00:22:59 +02:00
Thomas Patzke 7d70cd95a4 Deduplicated backend list 2020-06-06 01:03:02 +02:00
Thomas Patzke fb9855bd3b Added description to es-rule backend 2020-06-06 01:02:44 +02:00
Thomas Patzke 1d211565fc Moved backend options list to --backend-help 2020-06-06 00:56:00 +02:00
Thomas Patzke c992dc5215 Improved test coverage 2020-06-05 23:33:51 +02:00
Thomas Patzke 5d88d97c73 Merge branch 'improvements/improved_mdatp_mappings' of https://github.com/wietze/sigma into wietze-improvements/improved_mdatp_mappings 2020-06-05 23:03:52 +02:00
Jonas Plum 3a6ac5bd5c Remove unused function 2020-05-30 01:57:06 +02:00
Jonas Plum 70935d26ce Add license header 2020-05-29 23:56:05 +02:00
Jonas Hagg dedfb65d63 Implemented Aggregation for SQL, Added SQLite FullTextSearch 2020-05-25 11:58:55 +02:00
Thomas Patzke daf7ab5ff7 Cleanup: removal of corelight_* backends 2020-05-24 22:41:38 +02:00
Thomas Patzke d45f8e19fe Fixes 2020-05-24 21:46:55 +02:00
Thomas Patzke 32e4998c49 Removed dead code from ALA backend. 2020-05-24 21:45:37 +02:00
Thomas Patzke 24b08bbf30 Merge branch 'master' of https://github.com/socprime/sigma into socprime-master 2020-05-24 17:06:32 +02:00
Thomas Patzke 8d9b706d6a Merge pull request #727 from 3CORESec/master 
Override Features
 2020-05-20 19:11:56 +02:00
vh e8b956f575 Updated config 2020-05-20 12:35:00 +03:00
neu5ron 9e272d37b7 zeek category update and minor field updates 2020-05-19 05:02:45 -04:00
neu5ron 177f0a783b winlogbeat forward (at a snails pace) ECS field names 2020-05-19 04:58:51 -04:00
~noyan 2b72ee7b84 partial(?) fix of #762 2020-05-16 14:51:58 +03:00
Tiago Faria 2893becf8c Merge remote-tracking branch 'upstream/master' 2020-05-14 14:02:20 +01:00
Remco Hofman 37b08543ac Updated author reference in license 2020-05-11 11:47:56 +02:00
vh fb9c5841f4 Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00
Remco Hofman dc96b7ffb3 Removed dependency on slugify 2020-05-08 11:40:16 +02:00
Remco Hofman c5be83eb01 Added ee-outliers backend 2020-05-08 10:18:35 +02:00
Thomas Patzke 3b96b5e497 Merge pull request #723 from neu5ron/socprime_add_zeek_and_corelight 
sigmacs for Zeek and Corelight(Zeek)
 2020-05-06 23:22:14 +02:00
Remco Hofman 24029a8f27 Fix for broken endswith modifier 2020-05-06 17:10:54 +02:00
pdr9rc 31ad81874f capitalized titles 
corrected capitalization of titles and removed literals from config
 2020-05-05 11:32:18 +01:00
pdr9rc aa175a7d5b wip 
wip
 2020-05-04 18:02:27 +01:00
pdr9rc dd9e128a15 kibana target update 
kibana target now compatible with overrides
 2020-05-04 17:35:12 +01:00
pdr9rc b32093e734 Merge remote-tracking branch 'upstream/master' 
Keeping up with the sigmas.
 2020-05-04 17:26:51 +01:00
pdr9rc b3194e66c4 Update base.py 2020-05-04 16:37:36 +01:00