Commit Graph

7892 Commits

Author SHA1 Message Date
Austin Songer dc386a2ead Create gcp_bucket_enumeration.yml 2021-08-14 21:56:29 -05:00
Austin Songer 980954751e Create gcp_bucket_modified_or_deleted.yml 2021-08-14 21:53:56 -05:00
Austin Songer 872c54bc0c Update gcp_full_network_traffic_packet_capture.yml 2021-08-14 16:50:11 -05:00
Austin Songer d407a3dd4f Update gcp_firewall_rule_modified_or_deleted.yml 2021-08-14 16:24:50 -05:00
Austin Songer 885bbefe73 Update gcp_full_network_traffic_packet_capture.yml 2021-08-14 16:21:16 -05:00
frack113 3900ba9e2c add license test 2021-08-14 19:42:29 +02:00
frack113 db0de126a5 test author for Detection Rule License 1.1 2021-08-14 19:16:36 +02:00
frack113 e45557316e Fix selection with only 1 element 2021-08-14 09:54:27 +02:00
Thomas Patzke 5c4fd3a122 Release 0.20 0.20 2021-08-14 00:25:12 +02:00
Austin Songer 6ee9fc9bd6 Update gcp_firewall_rule_modified_or_deleted.yml 2021-08-13 17:08:58 -05:00
Austin Songer c4b41f8d66 Update gcp_full_network_traffic_packet_capture.yml 2021-08-13 17:07:48 -05:00
Austin Songer a973c6c445 Create gcp_full_network_traffic_packet_capture.yml 2021-08-13 17:07:18 -05:00
Austin Songer 7479dcd15d Update gcp_firewall_rule_modified_or_deleted.yml 2021-08-13 16:51:58 -05:00
Austin Songer 34bc4c5faa Create gcp_firewall_rule_modified_or_deleted.yml 2021-08-13 16:50:34 -05:00
Thomas Patzke 5b72cdb3c2 Merge pull request #1839 from SigmaHQ/drl-1.1
Update LICENSE.Detection.Rules.md
2021-08-13 23:42:38 +02:00
Thomas Patzke 607724278a Merge pull request #1580 from codyswanson4:master
Update Elasticsearch Watcher backend to populate name column in Kibana
2021-08-13 23:33:47 +02:00
Thomas Patzke f9c9f73b09 Merge pull request #1772 from eocete-devo:master
[Devo backend] Added support for multicondition rules using Devo subqueries
2021-08-13 23:30:04 +02:00
Thomas Patzke 32400e5d55 Merge pull request #1785 from theoguidoux:theoguidoux/sql-backend-field-selection
Add fields selection to sql backend option
2021-08-13 23:29:24 +02:00
Thomas Patzke 62a53ca895 Merge pull request #1835 from wietze:fix/mdatp/linux_support
Enabling Linux/macOS support on MDATP
2021-08-13 23:28:06 +02:00
frack113 1adfc204fd Merge pull request #1838 from frack113/cloud
tidy up cloud directory
2021-08-13 19:47:48 +02:00
Max Altgelt ce326cb903 fix: Correct broken rules, add documentation 2021-08-13 15:46:30 +02:00
frack113 50f02ed957 move microsoft365 rules 2021-08-13 15:45:28 +02:00
frack113 4c59ee83d5 move gcp rules 2021-08-13 15:43:46 +02:00
frack113 1a1221d71c move azure rules 2021-08-13 15:42:54 +02:00
frack113 c0aa9696dd move aws rules 2021-08-13 15:40:03 +02:00
phantinuss 246ba0c17f generalise amsi bypass rule to CobaltStrike BOF injection pattern
generalise to CobaltStrike BOF injection pattern
2021-08-13 15:34:01 +02:00
frack113 1b480f2ee6 Merge pull request #1819 from frack113/split_1802_builtin
Correct lists with only 1 value
2021-08-13 12:43:26 +02:00
frack113 5e42187062 remove change for Message rule 2021-08-13 11:01:33 +02:00
Max Altgelt e1ef8f4055 fix: Rewrite another message rule
Rewrites another message rule. This one is a bit more complex
since a bitmap is used and the string representation is not
available.
2021-08-13 10:28:34 +02:00
frack113 abcaf00aee Merge pull request #1818 from frack113/split_1802_net
Correct lists with only 1 value
2021-08-13 10:17:24 +02:00
frack113 f9ac934a57 Merge pull request #1816 from frack113/split_1802_a
Correct lists with only 1 value
2021-08-13 10:05:32 +02:00
Thomas Patzke e2fbe06585 Merge pull request #1833 from wagga40/master
Add an option to enhance the default output by choosing more fields + JSON/YAML
2021-08-13 07:50:57 +02:00
Wagga 4d53e4b040 Merge branch 'master' into master 2021-08-12 22:49:11 +02:00
Thomas Patzke 1b215e3aaf Merge pull request #1828 from wietze/optimisation/nesting_reduction
Optimising lists/subexpressions with only one item
2021-08-12 22:41:17 +02:00
Thomas Patzke 8694afe023 Merge pull request #1779 from frack113/elastalert
Fix elastalert multi output file
2021-08-12 22:40:36 +02:00
frack113 62e541ec7f Merge pull request #1784 from frack113/winlogbeat-modules-enabled
Update Mapping Winlogbeat modules enabled
2021-08-12 19:14:17 +02:00
Wietze 17595e2443 Enabling Linux/macOS support on MDATP, fixing incorrect parent cmd mappings 2021-08-12 18:07:13 +01:00
Max Altgelt 6f05e33feb fix: Correct incorrect message / keyword usage
Correct a number of rules where message or keyword were incorrectly used
as field names in events (typically windows event logs). However, neither
field actually exists and as such these strings could never match.
2021-08-12 16:28:07 +02:00
wagga40 13a3e78184 Fix options: removed "raw" 2021-08-12 15:54:02 +02:00
wagga40 cbb03db2dd Fix the way YAML is dumped 2021-08-12 15:28:45 +02:00
wagga40 c165783fff Add an option to enhance default output by choosing fields
Add an option to output in JSON or YAML
2021-08-12 15:26:46 +02:00
Florian Roth 62c9468180 Merge pull request #1832 from SigmaHQ/rule-devel
Whoami Refactoring
2021-08-12 14:28:28 +02:00
Florian Roth d9d543e545 refactor: removed OriginalFileName from rule to improve compatibility 2021-08-12 13:28:24 +02:00
Florian Roth 34d70de084 rule: whoami anomalies 2021-08-12 13:28:00 +02:00
Florian Roth bd0a2a1b9f rule: renamed whoami 2021-08-12 13:27:51 +02:00
Florian Roth 80e686994c Merge pull request #1824 from frack113/add_list_test_warning
Sigma Schema add new Attribute and test
2021-08-12 12:18:29 +02:00
Florian Roth 418a0bbf7e Merge pull request #1827 from phantinuss/master
2 new rules (Little Corporal Maldoc and keyword generic version of "ProxyShell MSExchange MailBox Export Pattern")
2021-08-12 11:41:50 +02:00
Florian Roth 6ed62b431e Merge pull request #1830 from SigmaHQ/rule-devel
SystemNightmare and Typo
2021-08-12 11:41:16 +02:00
Florian Roth 852d7a8b22 fix: typo in description 2021-08-12 10:11:17 +02:00
Florian Roth 08883c8e32 refactor: removed old rule that uses Message field
Rules that use the "Message" field are prone to localisation issues and should be avoided whenever possible.

We can build what we call "keyword" rules in these cases and simply combine string values that are searched in the raw data as 1 of them or all of them. (see specs for details)
2021-08-12 09:27:50 +02:00