1540241106
Merge branch 'master' of https://github.com/Neo23x0/sigma
2020-11-17 14:29:42 +01:00
88e3de816d
docs: uberAgent ESA target in README
2020-11-17 14:29:36 +01:00
c5c6557ca2
Merge pull request #1256 from vastlimits/master
...
Backend: uberAgent ESA converter backend
2020-11-17 14:29:01 +01:00
94540ea0b6
Merge pull request #1284 from heyibrahimkhan/master
...
added role name field to ecs-cloudtrail.
2020-11-17 14:24:40 +01:00
199a897f75
Fix rule indent
2020-11-17 10:12:55 +01:00
304a411910
Merge branch 'service-scanning' of github.com:/alejandroortuno/sigma into service-scanning
2020-11-17 10:00:52 +01:00
7860bda5d6
Removed ES query tests
2020-11-17 09:49:03 +01:00
3d206b08d8
[OSCD] Added a rule to detect potential persistence using registry keys
2020-11-15 19:04:12 -05:00
2939b33ab5
Update lnx_network_service_scanning.yml
2020-11-16 01:00:09 +01:00
edc416a1d8
Update lnx_system_info_discovery.yml
2020-11-14 19:24:23 +03:00
821bdf8ab4
Update lnx_install_root_certificate.yml
2020-11-14 19:19:28 +03:00
19eb8306d3
Removed unnessary antifalse positive
2020-11-14 09:50:29 +04:00
eed4fe04d5
added role name field to ecs-cloudtrail.
2020-11-13 05:59:55 +05:00
c0a7cdc3de
mdatp: Use case-insensitive searches by default
...
This sohuld match the draft Sigma specification as well as other backends
2020-11-12 14:09:30 +01:00
a75d4fb561
mdatp: Add more field mappings and table<->generic event mappings, skip IMPHASH as it's not supported
2020-11-12 13:15:38 +01:00
446b0b7f9d
Merge branch 'master_origin'
2020-11-11 12:32:53 +01:00
a58d04e4df
Rules: Support image_load
2020-11-11 12:31:55 +01:00
43b9b17767
Merge pull request #1281 from andurin/kibana-ndjson-configs
...
kibana-ndjson for all configs which already have kibana
2020-11-11 07:34:37 +01:00
19cad11a4a
Update lnx_system_info_discovery.yml
2020-11-10 20:11:49 +03:00
ab959394ab
Update lnx_install_root_certificate.yml
2020-11-10 20:09:46 +03:00
f41accab33
Update lnx_install_root_certificate.yml
2020-11-10 20:09:03 +03:00
d4d694b4da
Logic fix for sysmon_non_priv_program_files_move
2020-11-10 10:01:47 -05:00
af4d546408
Merge pull request #1282 from Neo23x0/rule-devel
...
fix: FPs with notepad++ GUP rule
2020-11-10 13:39:28 +01:00
2e9d7951a6
Merge pull request #1272 from bczyz1/patch-2
...
Fix typo in win_apt_lazarus_session_hijack.yml
2020-11-10 13:35:08 +01:00
230562bdf6
Merge pull request #1278 from K-Yo/update-navigator-v4
...
Update navigator v4
2020-11-10 13:34:46 +01:00
c087e39698
Merge pull request #1277 from K-Yo/fix-unicode-error
...
Fix unicode error in sigma2attack
2020-11-10 13:34:05 +01:00
f6c0fb2d33
fix: FPs with notepad++ GUP rule
2020-11-09 16:34:12 +01:00
ad031d97ee
Filter out listening mode on nc
2020-11-09 10:32:56 +01:00
7e742cc049
kibana-ndjson for all configs which already have kibana
2020-11-09 08:46:17 +01:00
577165b7f7
Update lnx_system_info_discovery.yml
2020-11-08 11:09:27 +03:00
0e4a5baf1a
Update lnx_install_root_certificate.yml
2020-11-08 11:08:30 +03:00
499a8f85b0
Update lnx_install_root_certificate.yml
2020-11-08 11:06:11 +03:00
5dc3472af0
Update lnx_system_info_discovery.yml
2020-11-07 11:51:53 +03:00
89a24d4bfa
Update lnx_install_root_certificate.yml
2020-11-07 11:50:30 +03:00
c17e8574d0
change the syntax a bit and removed .service suffix as it is
...
[redundant](https://www.freedesktop.org/software/systemd/man/systemctl.html ]:
```
Unit commands listed above take either a single unit name (designated as UNIT), or multiple unit specifications (designated as PATTERN…). In the first case, the unit name with or without a suffix must be given. If the suffix is not specified (unit name is "abbreviated"), systemctl will append a suitable suffix, ".service" by default, and a type-specific suffix in case of commands which operate only on specific unit types. For example,
# systemctl start sshd
and
# systemctl start sshd.service
are equivalent
```
2020-11-06 20:56:08 +01:00
485457ee55
Merge pull request #1280 from andurin/kibana-ndjson
...
Elasticsearch Kibana ndjson backend
2020-11-06 13:44:00 +01:00
96e90fbff2
Fix recursion of rules
2020-11-06 12:43:52 +01:00
7c5067ade4
Making it a global rule
2020-11-06 10:25:59 +01:00
a9a90e024c
make it global rule
2020-11-06 09:56:49 +01:00
34f24a60a1
Updating attack navigator version to v4.0
2020-11-05 23:37:01 +01:00
bf5d40eec3
New Backend - Kibana NDJSON
...
Tested against 7.9.3
2020-11-05 23:34:25 +01:00
c17c1fa96b
Merge pull request #1 from K-Yo/fix-unicode-error
...
Fix unicode error in sigma2attack
2020-11-05 22:39:54 +01:00
31639366cd
Fix unicode error in sigma2attack
2020-11-05 22:30:12 +01:00
6dfeb6a63b
Merge pull request #1276 from Neo23x0/rule-devel
...
rule: FPs with WmiPrvSE rule
2020-11-05 17:04:25 +01:00
c3785d6dc7
rule: FPs with WmiPrvSE rule
2020-11-05 16:44:33 +01:00
c554aaea8f
update win_apt_slingshot.yml
...
- optimized rule
- added detection of task modification (flag /change + /disable as described here https://stackoverflow.com/questions/26169582/does-anyone-know-of-a-way-to-turn-off-windows-defragmenters-default-schedule-us )
2020-11-05 15:51:22 +01:00
efc3f298b8
simplify syntax
2020-11-04 23:03:34 +01:00
2f789c45dc
change a syntax a bit to re-run the tests
2020-11-04 22:30:27 +01:00
784150b66c
Merge pull request #1273 from Neo23x0/rule-devel
...
rule: added second expression
2020-11-04 17:09:47 +01:00
908023fa66
rule: added second expression
2020-11-04 16:43:35 +01:00
Florian Roth