valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 01:45:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4,143 Commits 20 Branches 25 Tags 21 MiB
1bb0963784
Commit Graph

832 Commits

Author SHA1 Message Date
bar
8889ae21ca DestinationPort to network-traffic:dst_port mapping fix 2020-07-08 14:31:04 +03:00
bar
50ef79b398 Custom STIX object "x-sigma" for fields that missing mapping, so the pattern is STIX valid 2020-07-08 14:09:26 +03:00
Thomas Patzke
9bcff522b6 Merge branch 'master' of https://github.com/rashimo/sigma into pr-709 2020-07-07 23:12:03 +02:00
bar
acbab2db4b stix backend + mapping configurations for windows logs and qradar 2020-07-07 15:04:16 +03:00
Florian Roth
c8ca55b3e4 fix: duplicate wrong old key 2020-07-06 17:14:59 +02:00
Florian Roth
cc31ed8b84 fix: missing NTLM log source in THOR 2020-07-06 17:07:06 +02:00
Thomas Patzke
939156fa6d Introduced dns_query log source category 2020-07-05 23:29:51 +02:00
Thomas Patzke
0df21289a0 Merge branch 'dns-fixes' of https://github.com/rtkbkish/sigma into pr-893 2020-07-05 23:24:56 +02:00
Thomas Patzke
57cb255208
Merge pull request #864 from cclauss/patch-3 
Fix undefined names in sigma2misp.py
 2020-07-05 23:16:22 +02:00
Brad Kish
8b3b312c4e Proposed fix for https://github.com/Neo23x0/sigma/issues/889 
This change removes dns events from the network connection category. The
one change is that sysmon_regsvr32_network_activity.yml needs to test
the network connection category separately from the DNS event id.
 2020-07-03 16:28:19 -04:00
Florian Roth
6420820eb2
Merge pull request #871 from Christopolos94/master 
Update to mdatp backend
 2020-07-03 11:29:01 +02:00
Thomas Patzke
43e5ae5d24 Added Windows NTLM log source + fixes 2020-07-02 23:20:36 +02:00
Florian Roth
9c0f9f398f refactor: sysmon rule cleanup > generlization 2020-07-01 10:58:39 +02:00
Chris Brake
6ed1ea6509 Updating the mdatp backend file as it is currently impossible to set an ActionType as there is no mapping to EventType 2020-06-30 14:49:29 +01:00
j91321
ae842a65cb Windows Defender rules and logsource 2020-06-28 10:55:32 +02:00
Christian Clauss
9dc3940c07
Fix undefined names in sigma2misp.py 
create_new_event() -> create_new_event(args, misp) to fix:

flake8 testing of https://github.com/Neo23x0/sigma on Python 3.8.3

% _flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics_
```
./tools/sigma/sigma2misp.py:11:16: F821 undefined name 'misp'
    if hasattr(misp, "new_event"):
               ^
./tools/sigma/sigma2misp.py:12:16: F821 undefined name 'misp'
        return misp.new_event(info=args.info)["Event"]["id"]
               ^
./tools/sigma/sigma2misp.py:12:36: F821 undefined name 'args'
        return misp.new_event(info=args.info)["Event"]["id"]
                                   ^
./tools/sigma/sigma2misp.py:14:13: F821 undefined name 'misp'
    event = misp.MISPEvent()
            ^
./tools/sigma/sigma2misp.py:15:18: F821 undefined name 'args'
    event.info = args.info
                 ^
./tools/sigma/sigma2misp.py:16:12: F821 undefined name 'misp'
    return misp.add_event(event)["Event"]["id"]
           ^
6     F821 undefined name 'misp'
6
```
 2020-06-28 07:02:41 +02:00
Thomas Patzke
0ee47e118c Merge branch 'pr-848' 2020-06-28 01:04:30 +02:00
Thomas Patzke
89ed9f3763
Merge pull request #819 from cclauss/patch-2 
Undefined name: from .exceptions import SigmaCollectionParseError
 2020-06-28 00:37:09 +02:00
Thomas Patzke
09378b5ebf Fixed unsupported attempt to index a set 2020-06-28 00:27:33 +02:00
Thomas Patzke
415f826ece Merge branch 'default-pop' of https://github.com/rtkbkish/sigma into rtkbkish-default-pop 2020-06-28 00:09:39 +02:00
Thomas Patzke
b1e4f44c21
Merge pull request #823 from Kuermel/master 
Add more Options for XPackWatcherBackend (Elasticsearch)
 2020-06-28 00:03:04 +02:00
Thomas Patzke
d1f37bdbd4
Merge pull request #828 from stevengoossensB/master 
Split rules based on Sysmon event ID
 2020-06-28 00:00:32 +02:00
Thomas Patzke
de5e453e19
Merge pull request #831 from 404d/cbr-backend-tweaks 
Add parentheses around field list groups in CB
 2020-06-27 23:39:57 +02:00
Florian Roth
da46ff6e93 docs: descriptions for source configs 2020-06-25 13:59:51 +02:00
Florian Roth
825bda397d desc: better descriptions in help for backends and configurations 2020-06-25 13:21:43 +02:00
Florian Roth
07c0a6558e fix: wording on sysmon mapping file 2020-06-24 17:49:42 +02:00
Florian Roth
f3fedef8f5 Changed category names and remove sysmon log source 2020-06-24 17:41:21 +02:00
Brad Kish
203aa192c7 Fix multiple references to default field mapping in same rule 
If there is a default mapping specified for a fieldmapping and that field is
referenced multiple times in the rule, the default mapping will be "pop"ped
and return the unmapped key on subsequent uses.

Don't pop the value. Just return the first entry.
 2020-06-18 13:01:31 -04:00
Florian Roth
d371fd864c
Merge pull request #834 from ebeahan/elastic-updates 
Elastic section updates
 2020-06-13 10:04:49 +02:00
Thomas Patzke
f907c49ab5 Improved test coverage 
* Added test case
* Removed unused code
 2020-06-13 01:11:08 +02:00
Thomas Patzke
b129556388 Automatic inclusion of all configuration files 2020-06-13 00:04:45 +02:00
Thomas Patzke
80e8f0e5fa Release 0.17.0 2020-06-12 23:52:06 +02:00
Thomas Patzke
24d83b80cd Merge branch 'script_entry_points' 2020-06-12 23:13:11 +02:00
Eric Beahan
bba0b2d851 Elastic documentation improvements 2020-06-12 13:40:39 -05:00
Nate Guagenti
aac1af1832 typo, was missing the = and *. 
also, show option when using case insensitive for everything, how to "exclude" a field from that regex.

Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
 2020-06-12 11:37:32 -04:00
Simen Lybekk
bbcbed4742 Add parentheses about field list groups in CB 
This should address the grouping issue from #660.
The grouping issue was solved by just slamming some parentheses around the fields in the listExpression field.
 2020-06-11 15:33:02 +02:00
Steven Goossens
423baafa2a Added rules for different sysmon categories and added the category definition 2020-06-10 15:02:15 +02:00
Thomas Patzke
915ea1cc67 Merge branch 'script_entry_points' into master 2020-06-10 00:51:47 +02:00
Florian Roth
565febd39d README updated 2020-06-09 23:25:09 +02:00
Nate Guagenti
f4fe425fa7 update readme for some analyzed field and keyword field examples 2020-06-09 16:53:50 -04:00
Thomas G
8c61dc9248
Add more Options for XPackWatcherBackend (Elasticsearch) 
Add action_throttle_period, mail_from adn mail_profile to the XPackWatcherBackend (Elasticsearch)
 2020-06-09 20:57:26 +02:00
Nate Guagenti
117ceac492 moved file to ecs-zeek-elastic-beats-implementation.yml 2020-06-09 08:56:01 -04:00
Christian Clauss
dff7efc173
Update collection.py 2020-06-08 13:55:52 +02:00
Christian Clauss
55c0a03564
Undefined name: from .exceptions import SigmaCollectionParseError 
Discovered in #378.  `SigmaCollectionParseError()` is called on line 55 but it is never defined or imported which means that NameError will be raised instead of SigmaCollectionParseError.
 2020-06-08 13:55:16 +02:00
Florian Roth
94b90adf10 docs: move Sigmac help from Wiki to repo 2020-06-07 12:18:37 +02:00
Thomas Patzke
36a7077648 Moved tool executables to new location 2020-06-07 01:14:04 +02:00
Thomas Patzke
a7d18c7ed9 Converted sigma2attack and added to entry points 2020-06-07 01:03:09 +02:00
Thomas Patzke
8688e8a2a1 Script entrypoint stubs 2020-06-07 00:22:59 +02:00
Thomas Patzke
7d70cd95a4 Deduplicated backend list 2020-06-06 01:03:02 +02:00
Thomas Patzke
fb9855bd3b Added description to es-rule backend 2020-06-06 01:02:44 +02:00
Thomas Patzke
1d211565fc Moved backend options list to --backend-help 2020-06-06 00:56:00 +02:00
Thomas Patzke
c992dc5215 Improved test coverage 2020-06-05 23:33:51 +02:00
Thomas Patzke
5d88d97c73 Merge branch 'improvements/improved_mdatp_mappings' of https://github.com/wietze/sigma into wietze-improvements/improved_mdatp_mappings 2020-06-05 23:03:52 +02:00
Jonas Plum
3a6ac5bd5c Remove unused function 2020-05-30 01:57:06 +02:00
Jonas Plum
70935d26ce Add license header 2020-05-29 23:56:05 +02:00
Jonas Hagg
dedfb65d63 Implemented Aggregation for SQL, Added SQLite FullTextSearch 2020-05-25 11:58:55 +02:00
Thomas Patzke
daf7ab5ff7 Cleanup: removal of corelight_* backends 2020-05-24 22:41:38 +02:00
Thomas Patzke
d45f8e19fe Fixes 2020-05-24 21:46:55 +02:00
Thomas Patzke
32e4998c49 Removed dead code from ALA backend. 2020-05-24 21:45:37 +02:00
Thomas Patzke
24b08bbf30 Merge branch 'master' of https://github.com/socprime/sigma into socprime-master 2020-05-24 17:06:32 +02:00
Thomas Patzke
8d9b706d6a
Merge pull request #727 from 3CORESec/master 
Override Features
 2020-05-20 19:11:56 +02:00
vh
e8b956f575 Updated config 2020-05-20 12:35:00 +03:00
neu5ron
9e272d37b7 zeek category update and minor field updates 2020-05-19 05:02:45 -04:00
neu5ron
177f0a783b winlogbeat forward (at a snails pace) ECS field names 2020-05-19 04:58:51 -04:00
~noyan
2b72ee7b84 partial(?) fix of #762 2020-05-16 14:51:58 +03:00
Tiago Faria
2893becf8c Merge remote-tracking branch 'upstream/master' 2020-05-14 14:02:20 +01:00
Remco Hofman
37b08543ac Updated author reference in license 2020-05-11 11:47:56 +02:00
vh
fb9c5841f4 Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00
Remco Hofman
dc96b7ffb3 Removed dependency on slugify 2020-05-08 11:40:16 +02:00
Remco Hofman
c5be83eb01 Added ee-outliers backend 2020-05-08 10:18:35 +02:00
Thomas Patzke
3b96b5e497
Merge pull request #723 from neu5ron/socprime_add_zeek_and_corelight 
sigmacs for Zeek and Corelight(Zeek)
 2020-05-06 23:22:14 +02:00
Remco Hofman
24029a8f27 Fix for broken endswith modifier 2020-05-06 17:10:54 +02:00
pdr9rc
31ad81874f capitalized titles 
corrected capitalization of titles and removed literals from config
 2020-05-05 11:32:18 +01:00
pdr9rc
aa175a7d5b wip 
wip
 2020-05-04 18:02:27 +01:00
pdr9rc
dd9e128a15 kibana target update 
kibana target now compatible with overrides
 2020-05-04 17:35:12 +01:00
pdr9rc
b32093e734 Merge remote-tracking branch 'upstream/master' 
Keeping up with the sigmas.
 2020-05-04 17:26:51 +01:00
pdr9rc
b3194e66c4 Update base.py 2020-05-04 16:37:36 +01:00
Wietze
2b3828730c Reversed disabling FileDelete 2020-05-02 17:31:50 +01:00
Wietze
e5574e07f2 Disabled FileDelete event (Sysmon 11 - no rules available yet) 2020-05-02 16:21:56 +01:00
Wietze
5abf4cbea9 Reordered fields 2020-05-02 14:46:55 +01:00
Wietze
661108903b Minor consistency fix 2020-05-02 14:37:37 +01:00
Wietze
46737cbfd3 Improved Microsoft ATP mapping, using Advanced Hunting Schema 
See https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference
 2020-05-02 14:31:02 +01:00
neu5ron
cbe5af01a1 on behalf of @socprime [SOC Prime Inc.](https://my.socprime.com/en/tdm/) 
add a total of 5 sigmac's (sigma configs) for 3 different backends. full git message to follow in PR.
 2020-05-02 07:23:11 -04:00
Thomas Patzke
2fafff3278 Fixed: escaping of backslashes before added * 
Fixes issue #722.
 2020-05-02 00:13:15 +02:00
pdr9rc
bc0a2c7ab9 wip 
wip
 2020-05-01 19:20:05 +01:00
pdr9rc
98391f985a wip 
wip
 2020-04-30 15:19:38 +01:00
Tiago Faria
dfdb5b9550
better description and event.outcome 2020-04-29 23:59:26 +01:00
pdr9rc
ac4a2b1f26 wip 
wip
 2020-04-29 22:55:46 +01:00
pdr9rc
9ce84a38e5 overrides section support + one example rule + cloudtrail config 
ditto
 2020-04-29 20:36:45 +01:00
alm8i
7ac685882c comments for usage 2020-04-11 15:47:23 +02:00
Danijel Grah
6312f381bf
C# backend 
Converts Sigma rule into C# Regex in LINQ query
 2020-04-10 16:12:05 +02:00
Thomas Patzke
1c5c8047fd Fixes 
* Removed commented debug print statements
* Defined nullExpression
* Removed unneeded generateMapItemNode method
* Value cleaning bug on matching of wildcard at first character
 2020-04-08 23:43:46 +02:00
Thomas Patzke
3277cec7aa Reverted list sorting 
This was already implemented meanwhile in a previous commit.
 2020-04-08 23:23:44 +02:00
Thomas Patzke
cf896c3093 Merge branch 'master' of https://github.com/abhikhnvasara/sigma into pr-630 2020-04-08 23:16:39 +02:00
Thomas Patzke
551a94af04 Merge branch 'master' of https://github.com/tileo/sigma into pr-658 2020-04-08 22:43:48 +02:00
Thomas Patzke
7224af54b2
Merge pull request #664 from j91321/es-rule-options 
es-rule backend options for index-patterns and time interval
 2020-04-08 22:39:45 +02:00
Thomas Patzke
1b7f33f5e2 Fixed undefined value in exception handling 
Fixes issue #702.
 2020-04-08 22:28:47 +02:00
j91321
3470011ac3 Revert time interval, use index values provided by sigmaparser 2020-04-05 20:30:57 +02:00
Thomas Patzke
693830fa83 Merge pull request 659 2020-04-03 23:46:53 +02:00
Maxime Lamothe-Brassard
f92c5e9b18 Remove generation of LC rules with timeframe. 2020-04-02 15:25:30 -07:00
Florian Roth
ee7babd8cb
fix: security vulnerability with pyyaml < 4.2b1 2020-04-02 12:27:53 +02:00
Thomas Patzke
13dbb4cdbd Moved tools into sigma namespace 2020-03-31 23:46:58 +02:00
Florian Roth
6aba430de6 fix: sigma_uuid occurances 2020-03-31 16:29:58 +02:00
Florian Roth
4d67dff89a fix: renamed tools to allow for console_scripts list entries 2020-03-31 14:07:34 +02:00
Florian Roth
18e505c458 fix: list_configurations default values 2020-03-31 12:42:02 +02:00
Florian Roth
c82156a3c9 fix: second list_configurations function params 2020-03-31 11:46:05 +02:00
Florian Roth
23ce69eaae fix: functions parameters outside of main 2020-03-31 11:42:16 +02:00
Florian Roth
bb50571b13 fix: print_verbose scope 2020-03-31 11:35:21 +02:00
Florian Roth
c83b4fd37c fix: fixing script install for Windows end systems 2020-03-31 11:30:47 +02:00
Florian Roth
536ad78fc2 refactor: following best practices reg main functions in Python 
https://realpython.com/python-main-function/
 2020-03-31 11:30:14 +02:00
Thomas Patzke
d33f4b290d Dependency cleanup 
* Consolidated dependencies into main and development (MISP and test
  intergrated).
* Splitted Pipfile dependencies into main and development
* Specified compatible dependencies
 2020-03-29 22:55:09 +02:00
Florian Roth
5f0250bff5
Merge pull request #669 from 0xThiebaut/winlogbeat-rulename 
Add Winlogbeat's RuleName field to mapping
 2020-03-28 13:20:08 +01:00
Thomas Patzke
004eaf0615 Revert "do not escape u" 
This reverts commit aa112cbd44.

This was a fix for a previous bug.
 2020-03-24 23:36:12 +01:00
Thomas Patzke
5ea623506f
Merge pull request #667 from opflep/master 
Upgrade CarbonBlack backend
 2020-03-22 00:24:57 +01:00
Maxime Thiebaut
c5bdd18d8d Add Winlogbeat's RuleName field to mapping 
When Sysmon logs a "RegistryEvent" event of ID 13, the event might contain a field named "RuleName" as shown in the following excerpt.

```xml
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Events>
	<Event
		xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
		<System>
			<Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/>
			<EventID>13</EventID>
			<Version>2</Version>
			<Level>4</Level>
			<Task>13</Task>
			<Opcode>0</Opcode>
			<Keywords>0x8000000000000000</Keywords>
			<TimeCreated SystemTime='2020-03-18T03:52:07.173448000Z'/>
			<EventRecordID>160631</EventRecordID>
			<Correlation/>
			<Execution ProcessID='2156' ThreadID='3628'/>
			<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
			<Computer>win10.sec699-40.lab</Computer>
			<Security UserID='S-1-5-18'/>
		</System>
		<EventData>
			<Data Name='RuleName'>Context,ProtectedModeExitOrMacrosUsed</Data>
			<Data Name='EventType'>SetValue</Data>
			<Data Name='UtcTime'>2020-03-18 03:52:07.129</Data>
			<Data Name='ProcessGuid'>{36aa6401-9acb-5e71-0000-0010e3ed6803}</Data>
			<Data Name='ProcessId'>5064</Data>
			<Data Name='Image'>C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE</Data>
			<Data Name='TargetObject'>HKU\S-1-5-21-1850752718-2055233276-2633568556-1126\Software\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords\%USERPROFILE%/Documents/sec699.docm</Data>
			<Data Name='Details'>Binary Data</Data>
		</EventData>
	</Event>
</Events>
```

When used in combination with Elastic's Winlogbeat, the resulting field is named `winlog.event_data.RuleName`.
This commit introduces a mapping between the Sigma `RuleName` field (pre-existing in the `arcsight.yml` config) and Elastic's `winlog.event_data.RuleName`.

The presence of this field could be leveraged to build Sigma rules detecting events such as the above where a malicious macro was executed.
 2020-03-19 19:40:18 +01:00
vunx2
be6519e35d merge 2020-03-19 11:07:39 +07:00
vunx2
1025930e04 merge 2020-03-19 11:05:52 +07:00
vunx2
c627f6b381 merge 2020-03-19 11:02:10 +07:00
vunx2
2107d86900 merge 2020-03-19 10:58:30 +07:00
vunx2
0356178c50 eventdict 2020-03-19 10:49:40 +07:00
vunx2
1b12a6b261 modified: tools/sigma/backends/carbonblack.py 2020-03-19 09:00:24 +07:00
neu5ron
aa112cbd44 do not escape u 2020-03-18 08:51:38 -04:00
neu5ron
17318b48bf - fix agg_option keyword 
- remove (now) unnecessary other hardcoded `.keyword` locations
 2020-03-18 08:50:37 -04:00
vunx2
e228d42b97 clean IP subnet 2020-03-18 16:49:44 +07:00
vunx2
1df5620a14 fix cleanValue + leading wildcard + EventID Intergration 2020-03-18 16:02:44 +07:00
j91321
f0c83ae3b4 Added es-rule backend options 2020-03-15 13:03:20 +01:00
neu5ron
58ac26e531 more ECS to sigmac taxonomy for web/proxy 2020-03-14 14:57:38 -04:00
neu5ron
55bf39a2ac keyword, analyzed field, case insensitivity 2020-03-11 11:38:56 -04:00
David Szili
0947538228 MDATP schema changes 
WDATP was renamed to MDATP (Microsoft Defendre ATP).
MDATP also had schema changes recently: https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914
The updates reflect these changes
 2020-03-09 17:12:41 +01:00
Abhijit Khinvasara
46bc843e51 sort the list of backends presented in sigmac help 2020-03-04 15:21:28 -08:00
Abhijit Khinvasara
9cb395823c Rework according to review comments. 2020-03-04 14:54:49 -08:00
vunx2
b070ffab74 Merge branch 'master' of https://github.com/Neo23x0/sigma 2020-03-03 10:08:31 +07:00
Thomas Patzke
a0f7da8c03 Splunk XML backend rule title 
Fixes #645
 2020-03-01 22:23:35 +01:00
vunx2
58f5fa1b8e change to github 2020-02-28 16:56:48 +07:00
vunx2
139600009b conflict 2020-02-28 16:50:30 +07:00
Thomas Patzke
65444f7a77 Release 0.16.0 2020-02-25 22:19:52 +01:00
Thomas Patzke
5a2ccbd040 Fixed ArcSight backend visibility 2020-02-24 23:27:22 +01:00
Thomas Patzke
5b42135935 Added es-rule backend to all ES configurations 2020-02-24 23:20:48 +01:00
Thomas Patzke
d9b48ea747 Fixes in es-rule backend 2020-02-24 23:20:19 +01:00
Thomas Patzke
4ee2c2762e Sorting of backend and configuration lists 2020-02-24 22:59:59 +01:00
vh
5dc30bd388 Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00
vh
516e61fdb0 t 2020-02-24 19:23:11 +02:00
Abhijit Khinvasara
8ad346362c remove print statements. 2020-02-22 20:59:56 -08:00
Abhijit Khinvasara
612df1666b add LOGIQ backend. 2020-02-22 20:50:30 -08:00
Thomas Patzke
12be884aa5 Merge branch 'sql-backend' 2020-02-21 22:41:53 +01:00
Thomas Patzke
776b58b594 Improved Splunk Zeek configuration 2020-02-21 22:31:14 +01:00
Thomas Patzke
746f957a63 Merge branch 'patch-1' of https://github.com/fuseyjz/sigma into fuseyjz-patch-1 2020-02-21 22:24:44 +01:00
Thomas Patzke
3047571132
Merge pull request #625 from ninoseki/fix-sigma2misp 
Update sigma2misp
 2020-02-21 22:22:54 +01:00
Thomas Patzke
48d95f027c Merge branch 'oscd' 2020-02-20 23:11:57 +01:00
Manabu Niseki
c6eb3bfbf2 Update sigma2misp 
Make enable to use with modern PyMISP
 2020-02-20 18:55:10 +09:00