db97b29e35
addding missing entry
2021-12-14 21:52:57 +00:00
2a96f239a5
adding additional translation fields for web based requests.
2021-12-14 20:54:32 +00:00
baa5d3758d
Merge branch 'master' into rule-devel
2021-12-13 18:05:17 +01:00
51a4315ab9
fix: referrer > referer adjustments
2021-12-13 15:47:43 +01:00
b4553dcd9d
feat: Add finer powershell log source distinguation
...
Credits for this go to @frack113
2021-12-13 09:49:28 +01:00
d1b7eda60c
adding translation for User, apparently its case sensitive
2021-12-09 20:04:20 +00:00
3b7ce140c1
adding ps_module to config.. currently not listed in any config yaml for backends, will trigger regex detection on all payloads
2021-12-07 16:18:00 +00:00
1937a90cbf
fixing yaml err
2021-12-06 23:03:24 +00:00
7a7cf4ede6
fix str err
2021-12-06 22:32:10 +00:00
8871898adf
fixing yaml fail
2021-12-06 22:05:13 +00:00
ea511bd761
adding file event filter
2021-12-06 20:50:20 +00:00
a38f98a3be
adding translation of provider_name to channel
2021-12-02 20:35:25 +00:00
48f592fc41
reducing scores for informational levels and adding field translation for user
2021-12-01 17:25:23 +00:00
b3a9e05a59
Merge branch 'master' of https://github.com/redsand/sigma into hawk_webserver_category
2021-12-01 14:26:35 +00:00
00560f3162
Add zircolite config
2021-11-30 19:10:14 +01:00
790755e753
adding webserver as filter for sigma config
2021-11-30 16:33:54 +00:00
fff12a3461
adding antivirus filter for vendor_type.. was matching against our fim data
2021-11-23 18:14:51 +00:00
bc334ab456
Hawk backend support for wildcard in middle of string ( #2273 )
...
* updating yaml cfg for ms eventlog support
* update config and sigma backend, so that comments are not replaced, but rather the details of the record
* updating scriptblocktext to value
* adding a few missing ip address translations
* Fixing error when handling comparisons of null values, and additional fix of lack of support for not
* adding additional translations for missing category entries
* fixing error when handling list of ors with a not indicator
* finishes support for windows translations, pending qa
* adding dedupe feature and additional translation fix for dns-server
* adding image_loaded translation
* forced to pull back on the aggressive deduping, caused some inaccuracies
* adding more ux friendly formatting for regex
* adds support for wildcards in middle of strings
* adding a missing null check for supporting null matching
* adding cisco, av, and django cfg in yaml. updated apache in yaml and added another translation for ip_dport
2021-11-18 06:29:41 +01:00
8b419b8f07
Merge pull request #2247 from frack113/fix_field
...
Fix rule field name
2021-11-11 08:51:52 +01:00
a9b49679d3
Updates to hawk sigmac backend ( #2244 )
...
Updated HAWK sigma backend
2021-11-11 08:01:53 +01:00
b7b1ebf772
Fix LogonId - SubjectLogonId
2021-11-10 19:12:51 +01:00
ee4082b50d
Merge pull request #2242 from frack113/fix_ProcessCommandLine
...
Fix process command line
2021-11-10 08:09:06 +01:00
a089a83794
Merge pull request #2238 from frack113/fix_logsource
...
Fix logsource
2021-11-10 08:08:40 +01:00
ca17949d85
Merge pull request #2237 from frack113/m365
...
standardization m365
2021-11-10 08:08:10 +01:00
c5fa73c328
fix ProcessCommandLine to ParentCommandLine
2021-11-09 16:13:29 +01:00
e1ecd379fa
Update elk-winlogbeat.yml
...
Adding "RelativeTargetName" since it's used by `win_lm_namedpipe.yml`
2021-11-09 13:38:31 +02:00
6c19303aa4
normalize logsource
2021-11-09 10:48:13 +01:00
3430943746
standardization
2021-11-09 07:27:25 +01:00
1015d3fe68
Update winlogbeat-modules-enabled.yml
...
- Fixed typos in FileVersion, Description, Product, and Company fields for image_load category.
- Added separate OriginalFileName fields for process_creation, image_load categories.
2021-10-28 16:05:40 +01:00
781598351d
Add SourceUser and TargetUser
2021-10-27 17:13:34 +02:00
ce5e4c45f1
Add sysmon 13.30 ParentUser
2021-10-27 12:58:10 +02:00
8f22d418f3
fixing lingering item
2021-10-26 16:28:04 +00:00
893874d3a5
removing item with space, and removing duplicate item and fixing target field, thx to frack113
2021-10-26 16:25:50 +00:00
6b5c63e485
Merge branch 'master' of https://github.com/redsand/sigma into HAWK_Backend
2021-10-25 18:39:48 +00:00
963f32063f
Merge pull request #2148 from SigmaHQ/rule-devel
...
First Linux Process Creation and Network Connection rules (Sysmon for Linux)
2021-10-21 19:10:08 +02:00
a47645a084
Modify event.provider to event.module
2021-10-21 08:34:41 +02:00
7500346ce7
Update winlogbeat-modules-enabled.yml
...
updating field mapping
2021-10-20 17:06:55 +03:00
d5498eecbf
updating hawk backend, still pending aggregation support
2021-10-19 02:35:45 +00:00
ae2923bdd8
Initial commmit of hawk analytic score generator
2021-10-18 21:39:49 +00:00
e5b3a1cc14
Merge pull request #2151 from frack113/ps_category
...
Powershell category
2021-10-17 07:15:31 +01:00
7fc6532665
fix yml
2021-10-16 22:49:20 +02:00
76c02a14b2
Merge pull request #1558 from maketsi/splunk-search-ext
...
Added ability to define free-text searches in the logsource mapping
2021-10-16 20:49:14 +02:00
4806a88427
Merge pull request #2029 from marcurdy/master
...
Correct for proper output to Splunk and CarbonBlack. Add AWS Athena c…
2021-10-16 20:37:59 +02:00
6660be9753
config: network connection linux
2021-10-16 14:22:48 +02:00
fc796df654
add references
2021-10-16 08:37:51 +02:00
690b26fb90
change order to chain sysmon
2021-10-16 08:19:25 +02:00
5a144e1864
sysmon for linux - process_creation mapping
2021-10-15 14:46:13 +02:00
81b4a0eb98
feat: adapt logsources for field names without spaces
2021-10-13 14:36:10 +02:00
1099d40473
rename the field 'Provider Name' to 'Provider_Name'
2021-10-13 13:04:11 +02:00
3d8002a237
fix: Use 'Provider Name' for windows eventlog log sources
2021-10-13 11:40:24 +02:00
Tim Shelton