valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
3,973 Commits 20 Branches 25 Tags 21 MiB
26b442ec48
Commit Graph

3973 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Thomas Patzke
9698e8fdf7 Changed Logpoint SubjectAccountName mapping to conditional mapping 2017-03-25 00:27:29 +01:00
Thomas Patzke
c978e19d88 Conditional field mappings 2017-03-25 00:21:44 +01:00
Thomas Patzke
a4465ce844 Added 1:n field mapping 
MultiFieldMapping
 2017-03-24 00:58:11 +01:00
Thomas Patzke
5009794591 Changes to field mappings 
* Introduced field mapping objects
* moved mapping from backends into parse tree generation
  (SigmaParser.parse_definition)
 2017-03-24 00:48:32 +01:00
Florian Roth
699c638ee2 Bugfix: Wrong Event ID and extended description 2017-03-23 11:50:30 +01:00
Florian Roth
d377884972 Rule: Rare scheduled tasks creations 2017-03-23 11:45:10 +01:00
Florian Roth
10ee36f26c Updated Eventvwr UAC evasion 2017-03-22 14:40:55 +01:00
Florian Roth
7e180365ab PowerShell Classic Log in Splunk Config Example 2017-03-22 11:17:46 +01:00
Florian Roth
fa37f5afcf Rules: PowerShell Downgrade Attacks 2017-03-22 11:17:46 +01:00
Thomas Patzke
4ff792fbcf Merge pull request #18 from benno001/patch-1 
LogPoint windows mapping
 2017-03-21 22:56:39 +01:00
Florian Roth
3bfa9ed121 Bugfix: Minor fix cause Sysmon uses SID as Software key 2017-03-21 10:44:53 +01:00
Florian Roth
b1da8c5b32 Bugfix: Fixed UAC bypass rules 2017-03-21 10:42:22 +01:00
Florian Roth
7ce958a3ed Bugfixes and improvements 2017-03-21 10:24:20 +01:00
Florian Roth
f9be5b99ad Rule: Suspicious task creation description changed 2017-03-21 10:23:53 +01:00
Florian Roth
6932fcec65 Rule: Linux shell more suspicious keywords 2017-03-21 10:23:12 +01:00
Florian Roth
055992eb05 Bugfix: PowerShell rules log source inconstency 2017-03-21 10:22:13 +01:00
Florian Roth
6f38a44ec1 Broader definition certutil.exe rule 2017-03-20 22:07:04 +01:00
Ben de Haan
c3c405a95e LogPoint windows mapping 2017-03-20 16:57:19 +01:00
Thomas Patzke
1bf11dc471 Merge pull request #17 from benno001/master 
Fixed LogPoint list behaviour
 2017-03-20 08:58:16 +01:00
Ben de Haan
c94b539b14 Fixed LogPoint list behaviour 2017-03-20 08:41:29 +01:00
Florian Roth
2817ea2605 Bugfix in UAC Rule 2017-03-19 19:46:19 +01:00
Florian Roth
b2c15c2cf7 Rule: UAC bypass via eventvwr, minor changes 2017-03-19 19:34:06 +01:00
Florian Roth
c82da0dc5c Rules: Suspicious locations and back connect ports 2017-03-19 15:22:27 +01:00
Thomas Patzke
d0bed75eb9 Added --output/-o parameter to sigmac 2017-03-18 23:15:03 +01:00
Thomas Patzke
889315c960 Changed values with placeholders to quoted strings 
Values beginning with % cause YAML parse error
 2017-03-18 23:05:16 +01:00
Florian Roth
f34156138f Bugfix - Index 2017-03-18 13:57:42 +01:00
Florian Roth
8403e8072c Merge pull request #14 from benno001/master 
Added LogPoint backend
 2017-03-18 13:30:35 +01:00
Florian Roth
264dab9330 Merge pull request #13 from yampelo/patch-2 
Create sysmon_sdclt_uac_bypass.yml
 2017-03-18 13:18:29 +01:00
Florian Roth
f292a259a5 Adjusted Windows Splunk Config 2017-03-18 13:12:31 +01:00
Ben de Haan
d18751a0ea Added LogPoint backend 2017-03-18 11:12:06 +01:00
Thomas Patzke
17c484163d Improved examples 2017-03-18 00:03:21 +01:00
Thomas Patzke
824f26c51c Merge branch 'master' of https://github.com/Neo23x0/sigma 2017-03-17 23:34:19 +01:00
Thomas Patzke
b4f52d9cfb Windows index in Splunk example configuration 2017-03-17 23:30:11 +01:00
Thomas Patzke
b865a858aa Generation of conditions for configured indices 2017-03-17 23:28:06 +01:00
Thomas Patzke
56f415e42c Fixed rule 2017-03-17 22:09:53 +01:00
Omer Yampel
d3bd73aefb Create sysmon_sdclt_uac_bypass.yml 
UAC Bypass from https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/. Sorry in advance for not being 100% about the sysmon event ids / fields
 2017-03-17 14:31:26 -04:00
Florian Roth
59499f926e Bugfix: Taskscheduler log source definition 2017-03-17 16:09:31 +01:00
Florian Roth
dc00baacda Splunk Windows Configuration Example 2017-03-17 10:00:56 +01:00
Florian Roth
dd81b18d6e Rule: Suspicious interactive console logons to servers 2017-03-17 09:44:24 +01:00
Florian Roth
bcc250e1c7 Added missing description 2017-03-17 08:43:21 +01:00
Florian Roth
e46ecd2aff Rule: Rare scheduled task installs 2017-03-17 08:41:27 +01:00
Florian Roth
3a7652fff9 Added references to rule 2017-03-17 00:25:54 +01:00
Florian Roth
c6843d41bc Rule: Vssadmin / NTDS.dit activity 2017-03-17 00:23:55 +01:00
Florian Roth
d00bbd9fb5 Rule: Windows recon activity 2017-03-16 18:59:17 +01:00
Florian Roth
140141b7a2 Rule: Suspicious PowerShell parent image combination 2017-03-16 18:58:59 +01:00
Florian Roth
091bb8fab7 Renamed and removed double space 2017-03-16 18:58:32 +01:00
Florian Roth
789b3899df Improved Linux Shell Activity Rule 2017-03-15 09:07:59 +01:00
Thomas Patzke
d2a9a91175 Log source conditions are integrated in generated expressions 
Indices not yet included
 2017-03-14 23:22:32 +01:00
Thomas Patzke
9f4d7c7934 Merge branch 'devel-sigmac' into devel-sigmac-config 2017-03-14 22:48:32 +01:00
Thomas Patzke
4d3756259e Merge branch 'master' into devel-sigmac 2017-03-14 22:48:15 +01:00