valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
705 Commits 20 Branches 25 Tags 21 MiB
37ee355a77
Commit Graph

156 Commits

Author SHA1 Message Date
milkmix
37ee355a77 patched es-dsl 2018-05-17 08:44:50 +02:00
Thomas Patzke
738d03c751 Fixed position of line separation if rulecomment and verbose is active 2018-05-13 22:36:51 +02:00
Thomas Patzke
f60e7e125f Sigma tools release 0.4 
* Various bug fixes in quoting of specific characters
* New backend es-dsl
 2018-05-01 00:50:07 +02:00
Thomas Patzke
7647587a8b Fixed quoting of backslashes in generated queries 2018-05-01 00:45:59 +02:00
Thomas Patzke
de2ed08695 Merge branch 'ci-es' 2018-05-01 00:34:11 +02:00
Thomas Patzke
e411039b56 Fixed escaping of \u in Elasticsearch Query String queries 2018-05-01 00:05:16 +02:00
Thomas Patzke
aeda30a389 Python rewrite of es-qs query test 2018-04-11 23:59:44 +02:00
milkmix
0b3b0c3aaf imported es-dsl code from repo 2018-04-06 17:36:11 +02:00
Thomas Patzke
4183b1b59e Sigma tools release 0.3.3 2018-03-29 11:17:03 +02:00
Thomas Patzke
22ee6f4521 sigmac: escaped wildcards (\* and \?) are passed in generated query 2018-03-29 11:15:20 +02:00
Thomas Patzke
17c1c1adff Added field name mappings to HELK configuration 2018-03-27 14:41:02 +02:00
Thomas Patzke
a3e02ea70f Various rule fixes 
* Field name: LogonProcess -> LogonProcessName
* Field name: Message -> AuditPolicyChanges
* Field name: ProcessCommandLine -> CommandLine
* Removed Type match in Kerberos RC4 encryption rule
  Problematic because text representation not unified and audit failures are possibly interesting events
* Removed field 'Severity' from rules (Redundant)
* Rule decomposition of win_susp_failed_logons_single_source) because of different field names
* Field name: SubjectAccountName -> SubjectUserName
* Field name: TargetProcess -> TargetImage
* Field name: TicketEncryption -> TicketEncryptionType
* Field name: TargetFileName -> TargetFilename
 2018-03-27 14:35:49 +02:00
Thomas Patzke
5f8b60cc24 sigmac: Improved fieldlist backend 
* Unique list of fields for multiple rules
* Aggregation support
 2018-03-22 00:03:51 +01:00
Thomas Patzke
5c0f811f4a Sigma tools release 0.3.2 2018-03-21 01:15:19 +01:00
Thomas Patzke
0018503501 sigmac: Fixed rulecommend backend option 2018-03-21 01:13:10 +01:00
Thomas Patzke
7360a68741 Sigma tools release 0.3.1 2018-03-21 00:59:23 +01:00
Thomas Patzke
4a9849b161 sigmac: improved backend options 
* parsing in main class
* help
 2018-03-21 00:53:44 +01:00
Thomas Patzke
bd20ffdad9 sigmac/kibana: curl URL quoted 2018-03-21 00:22:00 +01:00
Thomas Patzke
3f5f3a8d50 sigmac: Remove problematic characters from rule identifiers 2018-03-17 00:44:50 +01:00
Thomas Patzke
f6858c436a sigmac: Kibana curl output generates one index pattern line per pattern 2018-03-16 23:53:12 +01:00
Thomas Patzke
578118315c Merge branch 'devel-sigmac' into helk 2018-03-16 23:48:13 +01:00
Thomas Patzke
e162ba0155 Added HELK configuration 2018-03-16 23:42:31 +01:00
Thomas Patzke
13ec4c3e3b sigmac: Kibana curl importer script 2018-03-11 00:25:12 +01:00
Thomas Patzke
54d9e52527 Sigma tools release 0.3 2018-03-06 23:21:13 +01:00
Thomas Patzke
3b8b04fe09 Merge branch 'devel-sigmac' 2018-03-06 23:19:45 +01:00
Thomas Patzke
7141729ffc sigma/parser: Introduced new conditions 
* Any definition: 1 of them
* All definitions: all of them
* Any of selected definitions: 1 of def* (wildcard)
* All of selected definitions: all of def* (wildcard)
 2018-03-06 23:13:42 +01:00
Thomas Patzke
5a97befea0 Sigma tools release 0.2 2018-03-04 23:03:19 +01:00
Thomas Patzke
647fc6187a sigmac: Added proper 'Content-Type' header for xpack-watcher backend 2018-03-04 22:58:15 +01:00
Thomas Patzke
89aa300bbc Improved xpack-watcher actions 
* Log and mail
* Details in message
 2018-02-09 00:03:41 +01:00
Thomas Patzke
8336929d76 XPack Watcher Backend: Improved aggregation capabilities 
* Aggregation with "...count(field)...", "...by field..." and
  combination of both
* Still only count() supported
 2018-02-08 22:17:35 +01:00
Thomas Patzke
4762a1cc30 Removed abandoned SigmaAggregationParser.trans_timeframe() method 2018-02-05 23:30:00 +01:00
Thomas Patzke
ec3f0f6d60 Fixed before/after logic 
If nothing was generated "None" was printed.
 2018-02-01 22:49:02 +01:00
Thomas Patzke
76bdcba71f Added rulecomment option to all single-query output backends 
Prints comment with rule before output.
 2018-01-27 23:48:10 +01:00
Thomas Patzke
7708a538f4 New PyPI release 2017-12-14 22:40:31 +01:00
Thomas Patzke
fc2dd90aaf Skipping dotfiles 2017-12-14 22:39:51 +01:00
Thomas Patzke
497496fdf1 New release 2017-12-13 00:28:50 +01:00
Thomas Patzke
f3d19f394e Fixed encoding issues 
Some OS environments don't use UTF-8 as default encoding. Enforced it
for output files and stdout.
 2017-12-13 00:12:56 +01:00
Thomas Patzke
19cc299c57 Added PyPI README 2017-12-09 22:13:25 +01:00
Thomas Patzke
fd7b7bb438 Fixed build 
Reference to main README
 2017-12-09 08:57:51 +01:00
Thomas Patzke
da9127276c PyPI release documentation 2017-12-09 00:23:34 +01:00
Thomas Patzke
d6526387d3 Renamed PyPI package 2017-12-09 00:15:34 +01:00
Thomas Patzke
d82a78fa3d Finalizing PyPI release 
* Removed .py suffix from command line tools
* sigmac tells when it does nothing and prints usage notice
* Makefile upload target
* minor changes
 2017-12-08 23:50:08 +01:00
Thomas Patzke
09d40ab2da Finished packaging and refactoring 2017-12-08 22:32:39 +01:00
Thomas Patzke
68d8afe4e6 Intermediate refactoring commit: moving code into package 
Further splitting sigma.py into smaller parts.
 2017-12-08 21:45:05 +01:00
Thomas Patzke
11f52b981b Merge branch 'lgpl' into packaging 2017-12-08 17:15:23 +01:00
Thomas Patzke
764e064f8c First (untested) packaging 2017-12-08 00:32:41 +01:00
Thomas Patzke
2ce0be1f2d Re-licensing toolchain under LGPLv3 
Thanks to Ben de Haan and Devin Ferguson for permission for this change.
 2017-12-07 21:55:43 +01:00
Thomas Patzke
3b9ff57a38 Added merge_sigma tool 
* Tests
* Restructured Makefile
 2017-11-14 22:17:18 +01:00
Thomas Patzke
f478cffb41 Added default index configs for usual ELK setups 
* Added test case for defaultindex with kibana backend
 2017-11-09 10:05:41 +01:00
Thomas Patzke
46f1ce35a8 sigmac/kibana backend: added index fallback if none determined 2017-11-09 10:02:23 +01:00