Commit Graph

7892 Commits

Author SHA1 Message Date
Jonhnathan 085218b25a Update Threat Hunter Playbook Reference 2021-05-22 00:57:01 -03:00
Jonhnathan 3fb5f1c47e Update Threat Hunter Playbook Reference 2021-05-22 00:56:32 -03:00
Jonhnathan 943e2c8c88 Update Threat Hunter Playbook Reference 2021-05-22 00:56:03 -03:00
Jonhnathan 9765fcbd0c Update Threat Hunter Playbook Reference 2021-05-22 00:55:29 -03:00
Jonhnathan e23147111b Update Threat Hunter Playbook Reference 2021-05-22 00:54:57 -03:00
frack113 8a8f003d15 add lastday filter to get only the rules updated or created in the last N days
lastday=0 is all :)
2021-05-21 19:31:06 +02:00
frack113 dec9e68876 Fix falsepositives list 2021-05-21 12:38:44 +02:00
frack113 1e2f7c7abf Fix falsepositives list 2021-05-21 12:35:37 +02:00
frack113 0a588a1ecc Fix falsepositives list 2021-05-21 12:33:50 +02:00
frack113 168d5c9dff Fix falsepositives list 2021-05-21 12:32:24 +02:00
frack113 1d1170e8ba Fix falsepositives list 2021-05-21 12:31:01 +02:00
frack113 a6cadc6de5 Fix falsepositives list 2021-05-21 12:29:28 +02:00
frack113 ad376a8328 Fix falsepositives list 2021-05-21 12:28:12 +02:00
frack113 2197514fc5 Fix falsepositives list 2021-05-21 12:26:37 +02:00
frack113 48a7e80192 Fix falsepositives list 2021-05-21 12:24:25 +02:00
frack113 6630ec7c41 Fix falsepositives list 2021-05-21 12:23:09 +02:00
frack113 a9e85ca58e Fix falsepositives list 2021-05-21 12:22:36 +02:00
frack113 f4be70aa9e Fix falsepositives list 2021-05-21 12:19:17 +02:00
frack113 f312663820 Fix falsepositives list 2021-05-21 11:29:17 +02:00
frack113 6878bfade9 Fix falsepositives list 2021-05-21 11:17:36 +02:00
frack113 cabaccceb8 Fix falsepositives list 2021-05-21 11:15:10 +02:00
frack113 45190c3874 Fix falsepositives list 2021-05-21 11:13:27 +02:00
frack113 dfe7e4e38c Fix falsepositives list 2021-05-21 11:12:04 +02:00
Florian Roth a0efd7a4dc Merge pull request #1494 from Karneades/patch-1
Add keyword WinRM to remote powershell rules
2021-05-21 10:35:18 +02:00
Andreas Hunkeler e58c59dcfd Update modified field in WinRM rule 2021-05-21 09:29:11 +02:00
Andreas Hunkeler d8ec5fa6af Add modified field in WinRM rule 2021-05-21 09:28:45 +02:00
frack113 42dad6cd9f Merge branch 'SigmaHQ:master' into es_rule_uuid 2021-05-21 09:28:11 +02:00
Florian Roth a30391f3b4 Merge pull request #1495 from SigmaHQ/rule-devel
rule refactoring: Cobalt Strike service start
2021-05-20 17:43:29 +02:00
Florian Roth a34949c7fb Merge pull request #1493 from Karneades/WinRM
rule: add rule to detect shell spawn from WinRM host process
2021-05-20 17:35:06 +02:00
Andreas Hunkeler 93241e7fc6 Add keyword WinRM to remote powershell process rule 2021-05-20 17:03:32 +02:00
Andreas Hunkeler b46f65965d Add keyword WinRM to remote powershell network rule 2021-05-20 17:02:17 +02:00
Andreas Hunkeler 3763e54b99 Add keyword WinRM to remote powershell process rule 2021-05-20 17:00:25 +02:00
Andreas Hunkeler 226a666827 rule: add rule to detect shell spawn from WinRM host process 2021-05-20 16:05:13 +02:00
frack113 b92b765f9a Fix import to kibana error 400 severity is invalid. 2021-05-20 13:14:43 +02:00
frack113 cbb81cdf86 Fix import to kibana error 400 rish_score is null.
rish_score is an integer.
If level is invalid, set to medium
2021-05-20 12:32:19 +02:00
frack113 f0974e9cf3 Fix : **false_positives** must be an array.
If null, add "Unknown".
If it is a string, convert to a simple array row
2021-05-20 11:20:38 +02:00
Florian Roth ebac8a098f rule refactoring: Cobalt Strike service start 2021-05-20 10:05:12 +02:00
frack113 76523c5dbf fix [#1486](https://github.com/SigmaHQ/sigma/issues/1486).
rule_id is always a uuid now.
For the rule-collection with only one uuid :
- first detection gets the uuid
- other detections get a new uuid

it is a palliative, because the secondary uuids are not kept between 2 launches.
best practice is to use one uuid per detection and not per file.
2021-05-20 08:42:58 +02:00
Jonhnathan 1cf7bb5735 Add Hex equivalent of WriteData 2021-05-19 10:27:20 -03:00
Florian Roth 18bbb2a342 Merge pull request #1490 from frack113/ElasticSearchRuleBackend
Fix ElasticSearchRuleBackend to use uuid instead of title for the rule id
2021-05-18 20:01:25 +02:00
Sven Scharmentke a36bc55b06 Updated uberAgent backend to support version 6.1. 2021-05-18 12:07:09 +02:00
frack113 3b23c18f70 If not null use uuid instead of title for the rule id 2021-05-17 22:12:17 +02:00
Darin Smith e921181f4b Add AWS snapshot exfiltration rule 2021-05-17 13:00:01 -07:00
V1D1AN 56e3a6aaf3 Update ecs-zeek-elastic-beats-implementation.yml 2021-05-16 22:53:25 +02:00
SomeOne e46ae5a28c Add filter on sdiagnhost.exe in Suspicious In-Memory Module Execution rule 2021-05-16 16:03:33 +02:00
SomeOne a93acbbe03 Exclude dism.exe 2021-05-16 15:23:31 +02:00
SomeOne 53b21d1afe Add Sysmon EventID 11, 17 and 18 to win_tool_psexec rule 2021-05-16 15:03:58 +02:00
SomeOne a788cd43ee Add Windows Defender on WL 2021-05-16 14:10:33 +02:00
Florian Roth 5a3af872d8 Merge pull request #1479 from SigmaHQ/rule-devel
Rule devel, Trademark test
2021-05-15 13:42:34 +02:00
Florian Roth 9b32e72d0b fix: syntax issue 2021-05-15 13:19:12 +02:00