Commit Graph

832 Commits

Author SHA1 Message Date
Thomas Patzke
1bb0963784 Moved set_size option to class where it's used 2020-12-30 22:25:57 +01:00
Thomas Patzke
ac55c7fdd4 Merge branch 'elasticsearch_backend' of https://github.com/WuerthIT/sigma into pr-1308 2020-12-30 22:18:13 +01:00
maravedi
fa6f75f07e
Update sumologic.yml
The commit from vihreb on October 6, 2020 (51df5ad876) removed some items from the allowed fields list for the sumologic backend (51df5ad876/tools/sigma/backends/sumologic.py (L161)) with the expectation that they are included in the sumologic config, however the default sumologic config does not reflect that change. This breaks the parsing of maps from rules. For example, when trying to run sigmac on a rule with multiple EventID values, the result is an error that states "argument of type 'int' is not iterable."

I suspect that this change in the behavior of the backend was made to accommodate for new sumologic-cse config which may not need the additional allowed fields that the regular sumologic config does. As such, I think it would probably make the most sense to re-add these fields to the sumologic config file rather than directly back into the backend for sumologic.

Note: In the config, I did not include those fields that are presently hard coded in the allowed field list in the sumologic backend (e.g. _sourceCategory and _view were removed). I also removed "sourcename" since from what I can tell, the syntax that vihreb added to the sumologic backend "_sourceName" is actually correct.
2020-12-28 16:46:32 -05:00
k-vdv
7e6f01f611 elasticsearch backend: new parameter and fields support 2020-12-14 16:07:09 +01:00
Florian Roth
d1f7a206b9
Merge pull request #1289 from weslambert/master
Fix typo
2020-12-13 19:04:07 +01:00
Simon
97fcae56fd
Update sigmac.py 2020-12-06 20:08:00 +01:00
Simon
4a4d3e1d35
Update sigmac.py 2020-12-04 18:22:24 +01:00
Simon Hilchenbach
a40ef7360d
Add sigmac flag to delimit results by NUL instead of \n 2020-12-04 18:05:23 +01:00
Thomas Patzke
578d2f0585
Merge pull request #1283 from 404d/mdatp-fixes
mdatp: Mapping and generic event changes, case insensitive search
2020-11-29 21:56:17 +01:00
findthebad
ad899899ab Updated winlogbeat.yml config to include OriginalFileName 2020-11-26 14:48:14 -05:00
Helge Aksdal
3a7c114ca3 Fix field mapping for DestinationHostname 2020-11-26 04:17:28 +01:00
Thomas Patzke
0ed54a6cae
Merge pull request #1290 from arollyson/helix_backend
Backend: FireEye Helix
2020-11-21 00:06:19 +01:00
Alek Rollyson
83b8af6cd2 Add FirEye Helix backend 2020-11-19 11:18:28 -05:00
weslambert
832e582b8d
Fix typo 2020-11-17 17:44:40 -05:00
Florian Roth
9944c0e563 Merge branch 'master' into pr/1267 2020-11-17 14:33:55 +01:00
Florian Roth
c5c6557ca2
Merge pull request #1256 from vastlimits/master
Backend: uberAgent ESA converter backend
2020-11-17 14:29:01 +01:00
heyibrahimkhan@gmail.com
eed4fe04d5 added role name field to ecs-cloudtrail. 2020-11-13 05:59:55 +05:00
Simen Lybekk
c0a7cdc3de mdatp: Use case-insensitive searches by default
This sohuld match the draft Sigma specification as well as other backends
2020-11-12 14:09:30 +01:00
Simen Lybekk
a75d4fb561 mdatp: Add more field mappings and table<->generic event mappings, skip IMPHASH as it's not supported 2020-11-12 13:15:38 +01:00
Sven Scharmentke
446b0b7f9d Merge branch 'master_origin' 2020-11-11 12:32:53 +01:00
Sven Scharmentke
a58d04e4df Rules: Support image_load 2020-11-11 12:31:55 +01:00
Thomas Patzke
43b9b17767
Merge pull request #1281 from andurin/kibana-ndjson-configs
kibana-ndjson for all configs which already have kibana
2020-11-11 07:34:37 +01:00
Florian Roth
230562bdf6
Merge pull request #1278 from K-Yo/update-navigator-v4
Update navigator v4
2020-11-10 13:34:46 +01:00
Florian Roth
c087e39698
Merge pull request #1277 from K-Yo/fix-unicode-error
Fix unicode error in sigma2attack
2020-11-10 13:34:05 +01:00
Hendrik
7e742cc049 kibana-ndjson for all configs which already have kibana 2020-11-09 08:46:17 +01:00
Hendrik
96e90fbff2 Fix recursion of rules 2020-11-06 12:43:52 +01:00
Olivier Caillault
34f24a60a1 Updating attack navigator version to v4.0 2020-11-05 23:37:01 +01:00
Hendrik
bf5d40eec3 New Backend - Kibana NDJSON
Tested against 7.9.3
2020-11-05 23:34:25 +01:00
Olivier Caillault
31639366cd Fix unicode error in sigma2attack 2020-11-05 22:30:12 +01:00
Jonhnathan
90e211bad8
Create ecs-suricata.yml 2020-11-01 21:21:04 -03:00
Thomas Patzke
f0e89b0c8c Fixed: typecheck in sumologig-cse 2020-10-23 19:49:55 +02:00
Thomas Patzke
2fb7dd5e99 Fixes
* Removed Splunk regex query
* Added test for sumologic-cse backend
2020-10-23 15:31:00 +02:00
Thomas Patzke
9dc806448c Merge branch 'master' of https://github.com/socprime/sigma into pr-1049 2020-10-23 14:57:25 +02:00
vh
383823f49a Fix: added default value of current_table 2020-10-21 10:12:17 +03:00
Sven Scharmentke
ca852eca0e PR Review: Minor fixes 2020-10-21 08:54:50 +02:00
vh
f45e45d736 Fix: Import SigmaRegularExpressionModifier in the splunk backend. 2020-10-20 18:13:53 +03:00
Sven Scharmentke
03ad9e22e1 Backend: uberAgent ESA converter backend
This commit adds the first version of the uberAgent ESA converter backend for sigma. This backend generates ESA compatible query rules for uberAgent ESA Activity Monitoring.
2020-10-20 13:23:05 +02:00
Thomas Patzke
976fc92b22
Merge pull request #971 from alan8trend/parse_nested_parentheses
Add support nested parentheses for Sigma condition
2020-10-12 23:30:36 +02:00
Thomas Patzke
e8cdd4777a
Merge pull request #1026 from ryanplasma/fix-pymisp-error
Fix error with pymisp in sigma2misp
2020-10-12 23:14:13 +02:00
vh
51df5ad876 Added:
Sumo Logic CSE Rule Backend

Updated:
Mapping depence on logsource
Azure Sentinel Query Backend
MDATP: query with few logsources
CROWDSTRIKE: fix generateMapItemTypedNode
2020-10-06 15:07:52 +03:00
Florian Roth
d3ee1aba66 docs: MITRE ATT&CK(R) trademark references removed or adjusted
https://github.com/Neo23x0/sigma/issues/1028
2020-09-30 08:53:52 +02:00
Ryan Plas
cdbee4b531 Fix error with pymisp in sigma2misp 2020-09-29 12:01:33 -04:00
Thomas Patzke
378d9c94cf Merge branch 'master' of https://github.com/socprime/sigma into pr-981 2020-09-15 12:14:49 +02:00
snake-jump
5119f887c8
add Regular expression support
Add Regular expression support for netwitness-epl backend
2020-09-14 22:04:47 +02:00
snake-jump
531557465c
delete raise exception in case of sigma key is keyword(s) 2020-09-14 16:00:03 +02:00
snake-jump
09f25cf992 delete sqlparse module usage 2020-09-10 19:05:55 +02:00
snake-jump
e74846b767 modify comment 2020-09-10 18:09:15 +02:00
snake-jump
64035fd799 initial commit for Netwitness-EPL backend 2020-09-10 17:12:12 +02:00
vh
a2fec9f3b9 Fix sysmon backend 2020-08-28 12:26:40 +03:00
Thomas Patzke
bae09e9447 Sigmatools release 0.18.1 2020-08-26 00:06:25 +02:00