Commit Graph

530 Commits

Author SHA1 Message Date
frack113 87b2f45db6 Merge pull request #2401 from hazedav/master
feat(sigma): Add support for Lacework agent data
2021-12-10 18:04:07 +01:00
Tim Shelton d58bf20e4c fixing err where regex is mangled and should be left alone 2021-12-09 20:43:58 +00:00
David Hazekamp 5d46d5fe46 Merge remote-tracking branch 'upstream/master' 2021-12-07 11:17:32 -06:00
hazedav 73f69c6697 feat(sigma): Add support for Lacework agent data
Support linux.file_create
Support linux.process_creation
2021-12-07 11:16:26 -06:00
Tim Shelton 76a3dda786 fixes error when implementing regex type, data should not be escaped 2021-12-06 20:22:14 +00:00
Tim Shelton 48f592fc41 reducing scores for informational levels and adding field translation for user 2021-12-01 17:25:23 +00:00
Tim Shelton e0e3e42c77 adding fix to begins/ends with feature 2021-12-01 16:39:25 +00:00
Tim Shelton 621f629390 adds support for begins and ends with 2021-12-01 16:10:13 +00:00
Tim Shelton df315f5e08 enforcing snake case per hawk-analyticsd specs 2021-12-01 15:51:22 +00:00
Tim Shelton caf47a9e3d reducing score minus 5 for lows... will need a multitude 2021-12-01 14:33:28 +00:00
Tim Shelton 6927b0e69f Fixing added backslashes that are generated by sigma backend 2021-12-01 13:29:15 +00:00
Tim Shelton ad75a9a5bf updating hawk backend to provide additional tag enrichment. helps manage the state of each sigma rule, if experimental or not 2021-11-23 16:57:43 +00:00
redsand (Tim Shelton) bc334ab456 Hawk backend support for wildcard in middle of string (#2273)
* updating yaml cfg for ms eventlog support

* update config and sigma backend, so that comments are not replaced, but rather the details of the record

* updating scriptblocktext to value

* adding a few missing ip address translations

* Fixing error when handling comparisons of null values, and additional fix of lack of support for not

* adding additional translations for missing category entries

* fixing error when handling list of ors with a not indicator

* finishes support for windows translations, pending qa

* adding dedupe feature and additional translation fix for dns-server

* adding image_loaded translation

* forced to pull back on the aggressive deduping, caused some inaccuracies

* adding more ux friendly formatting for regex

* adds support for wildcards in middle of strings

* adding a missing null check for supporting null matching

* adding cisco, av, and django cfg in yaml. updated apache in yaml and added another translation for ip_dport
2021-11-18 06:29:41 +01:00
Sven Scharmentke c09b1861ec Merge branch 'SigmaHQ:master' into feature/uberagent-compat-6.2 2021-11-17 16:30:05 +01:00
wagga40 a8d00385c3 Fix double quotes escaping and values with commas in SQLite/SQL backends 2021-11-11 20:55:01 +01:00
redsand (Tim Shelton) a9b49679d3 Updates to hawk sigmac backend (#2244)
Updated HAWK sigma backend
2021-11-11 08:01:53 +01:00
ZikyHD 510da0085e Update sysmon.py (#2234)
Update sysmon.py and merge from master
2021-11-10 20:43:13 +01:00
Sven Scharmentke 075419da38 Initial commit of pending changes providing uberAgent 6.2 compatibility. 2021-11-09 03:38:12 +01:00
frack113 7f087797d6 Merge pull request #2175 from frack113/elastic_is_bad_in_regex
manage start end regex for Elastic
2021-11-05 12:27:18 +01:00
Jordi Schoots 23ed626287 Change location value=str(value) 2021-11-01 16:05:34 +01:00
Jordi Schoots 9d0123e782 Fix errors introduced at commit 58d9e41 2021-11-01 12:40:41 +01:00
Tim Shelton 7fc2a6f00d missed one 2021-10-26 15:25:11 +00:00
Tim Shelton 0d65dcdc28 fix err 2021-10-26 15:12:03 +00:00
Tim Shelton 22b64644ef updating hawk backend to fix open ended backslash for regex 2021-10-26 15:09:47 +00:00
Tim Shelton bacdf53236 updating hawk backend to fix or list map missing an outer and operator 2021-10-26 15:05:27 +00:00
frack113 bb758bdb0f manage start end regex 2021-10-20 21:20:04 +02:00
Tim Shelton e97fa8fc75 merging from upstream 2021-10-19 02:37:53 +00:00
Tim Shelton d5498eecbf updating hawk backend, still pending aggregation support 2021-10-19 02:35:45 +00:00
Tim Shelton 16a78187bd updating hawk json format record 2021-10-18 21:39:49 +00:00
Tim Shelton 6e35c031de Add additional information to the analytic record, including tags, author info, rule id and references 2021-10-18 21:39:49 +00:00
Tim Shelton f2d9cf0964 Initial commit of hawk analytic score generator 2021-10-18 21:39:49 +00:00
Tim Shelton ae2923bdd8 Initial commit of hawk analytic score generator 2021-10-18 21:39:49 +00:00
Tim Shelton b30abd5c12 updating hawk json format record 2021-10-18 21:34:48 +00:00
Wagga 17d78a5c4c Fix a missing var reset in SQLite backend 2021-10-17 16:21:59 +02:00
Thomas Patzke 76c02a14b2 Merge pull request #1558 from maketsi/splunk-search-ext
Added ability to define free-text searches in the logsource mapping
2021-10-16 20:49:14 +02:00
Thomas Patzke 9d8828a0ed Merge pull request #1696 from denny-lclin/lclin/fix-ada-wildcard
Fix [ALA] Conversion of wildcard not as expected for ada backend #1689
2021-10-16 20:46:23 +02:00
Thomas Patzke f3c01a3f65 Merge pull request #1948 from zazzzSec/fix_cb_paths
fixing cb path wildcards that don't work
2021-10-16 20:44:14 +02:00
Thomas Patzke 4806a88427 Merge pull request #2029 from marcurdy/master
Correct for proper output to Splunk and CarbonBlack. Add AWS Athena c…
2021-10-16 20:37:59 +02:00
Thomas Patzke e6881e41a6 Merge pull request #2090 from roysjosh/ala-near
Implement "near" support for ALA/Sentinel
2021-10-16 20:34:32 +02:00
Tim Shelton 6d6a57a3b4 Add additional information to the analytic record, including tags, author info, rule id and references 2021-10-14 15:05:05 +00:00
Tim Shelton 1a9f106d34 Initial commit of hawk analytic score generator 2021-10-14 14:17:03 +00:00
Tim Shelton 1f5d9d8adc Initial commit of hawk analytic score generator 2021-10-13 14:36:49 +00:00
albchen 62025971c7 Add generateAggregation
Adds aggregation function for rules such as win_multiple_suspicious_cli.yml or win_dnscat2_powershell_implementation.yml. Modeled after splunk.py backend, converted to use MDE's count() and dcount() instead of Splunk's count() and dc(). Requires a valid config for converting aggfields and groupfields.
2021-10-03 17:37:05 -07:00
frack113 94bff8e5ea Merge pull request #2108 from hazedav/master
fix(backend): add remediation for lacework policy
2021-09-30 17:38:38 +02:00
hazedav 67818f125a fix(backend): add remediation for lacework policy 2021-09-30 09:27:18 -05:00
Joshua Roys 0f3b169c45 Implement "near" support for ALA/Sentinel 2021-09-27 15:01:32 -04:00
frack113 bcdf164b4c fix space 2021-09-27 19:17:14 +02:00
frack113 a0b48b96d4 Fix 'NoneType' object has no attribute 'lower' 2021-09-27 18:49:58 +02:00
Maxime Lamothe-Brassard 314fa5aaa5 Add validation for logical sub operators. 2021-09-14 18:00:09 -07:00
Thomas Patzke c7ecf6da65 Merge pull request #2009 from Preston-Young/master
Added New OpenSearch Monitor Backend
2021-09-13 23:07:35 +02:00