Florian Roth
|
bb86d9c125
|
Merge pull request #875 from Neo23x0/rule-devel
fix: duplicate IDs and rule titles
|
2020-07-01 16:58:06 +02:00 |
|
Florian Roth
|
4c4ed1a4a2
|
fix: duplicate IDs and rule titles
|
2020-07-01 16:37:27 +02:00 |
|
Florian Roth
|
61c3b2e0d6
|
Merge pull request #873 from Neo23x0/rule-devel
fix: remove duplicate rules in sysmon (generic rule cleanup)
|
2020-07-01 11:29:04 +02:00 |
|
Florian Roth
|
9c0f9f398f
|
refactor: sysmon rule cleanup > generalization
|
2020-07-01 10:58:39 +02:00 |
|
Florian Roth
|
4231fe2efc
|
fix: remove duplicate rules in sysmon (generic rule cleanup)
|
2020-07-01 10:23:30 +02:00 |
|
Florian Roth
|
bc71ee5614
|
Merge pull request #872 from Neo23x0/rule-devel
Rule devel
|
2020-07-01 10:16:57 +02:00 |
|
Florian Roth
|
ab40cdbbd7
|
fix: missing ATT&CK id
|
2020-07-01 09:57:35 +02:00 |
|
Florian Roth
|
154181c6c8
|
fix: renamed files and line break change
|
2020-07-01 09:48:48 +02:00 |
|
Florian Roth
|
d70b63b78c
|
rule: RedMimicry rules (modified)
|
2020-07-01 09:17:31 +02:00 |
|
Florian Roth
|
fe71d21d97
|
style: removed new lines
|
2020-07-01 09:11:00 +02:00 |
|
Florian Roth
|
b7ac36e6ab
|
Merge branch 'master' into rule-devel
|
2020-07-01 09:04:46 +02:00 |
|
Florian Roth
|
f2587791f2
|
rule: suspicious rar flags
|
2020-07-01 09:04:26 +02:00 |
|
Chris Brake
|
6ed1ea6509
|
Updating the mdatp backend file as it is currently impossible to set an ActionType as there is no mapping to EventType
|
2020-06-30 14:49:29 +01:00 |
|
Florian Roth
|
ba682c5de6
|
Merge pull request #863 from qwerty1q2w/feature
add win_not_allowed_rdp_access.yml rule
|
2020-06-30 10:03:11 +02:00 |
|
Florian Roth
|
77553e11e8
|
Update win_not_allowed_rdp_access.yml
|
2020-06-30 10:03:00 +02:00 |
|
Florian Roth
|
2e3669a5a4
|
Merge pull request #865 from j91321/defender-rules
Windows Defender logsource and rules
|
2020-06-30 10:01:17 +02:00 |
|
Florian Roth
|
eb3a6e86af
|
Merge pull request #867 from HarishHary/suspicious_powershell_parent_process
New Rule: Suspicious powershell parent process
|
2020-06-30 10:00:28 +02:00 |
|
Florian Roth
|
2c3f98dc83
|
Merge pull request #868 from HarishHary/pwsh_xor_commandline
New Rule: PowerShell xor commandline
|
2020-06-30 10:00:07 +02:00 |
|
Harish SEGAR
|
9c74018e12
|
Added new rule for pwsh_xor_cmd (sysmon)
|
2020-06-29 22:18:25 +02:00 |
|
Harish SEGAR
|
5e740fd7b2
|
Added new rule for pwsh_xor_cmd (sysmon)
|
2020-06-29 22:13:49 +02:00 |
|
Harish SEGAR
|
649e4eaa63
|
Added new rule for pwsh_xor_cmd
|
2020-06-29 22:09:58 +02:00 |
|
Florian Roth
|
5a11ef90d0
|
rule reorganized
|
2020-06-29 21:24:47 +02:00 |
|
Harish SEGAR
|
1a088425f9
|
Fix rules.
|
2020-06-29 20:42:35 +02:00 |
|
Ömer Günal
|
0c3ce445da
|
Delete remote_copy.yml
|
2020-06-29 18:51:18 +03:00 |
|
Florian Roth
|
bb214f5832
|
rule: Explorer Root Flag Process Tree Break
|
2020-06-29 12:07:15 +02:00 |
|
j91321
|
24029d998a
|
FIX: lint error for title
|
2020-06-28 11:05:19 +02:00 |
|
j91321
|
ae842a65cb
|
Windows Defender rules and logsource
|
2020-06-28 10:55:32 +02:00 |
|
Christian Clauss
|
9dc3940c07
|
Fix undefined names in sigma2misp.py
create_new_event() -> create_new_event(args, misp) to fix:
flake8 testing of https://github.com/Neo23x0/sigma on Python 3.8.3
% flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
```
./tools/sigma/sigma2misp.py:11:16: F821 undefined name 'misp'
    if hasattr(misp, "new_event"):
               ^
./tools/sigma/sigma2misp.py:12:16: F821 undefined name 'misp'
        return misp.new_event(info=args.info)["Event"]["id"]
               ^
./tools/sigma/sigma2misp.py:12:36: F821 undefined name 'args'
        return misp.new_event(info=args.info)["Event"]["id"]
                                   ^
./tools/sigma/sigma2misp.py:14:13: F821 undefined name 'misp'
    event = misp.MISPEvent()
            ^
./tools/sigma/sigma2misp.py:15:18: F821 undefined name 'args'
    event.info = args.info
                 ^
./tools/sigma/sigma2misp.py:16:12: F821 undefined name 'misp'
    return misp.add_event(event)["Event"]["id"]
           ^
6     F821 undefined name 'misp'
6
```
|
2020-06-28 07:02:41 +02:00 |
|
Thomas Patzke
|
0ee47e118c
|
Merge branch 'pr-848'
|
2020-06-28 01:04:30 +02:00 |
|
Thomas Patzke
|
89ed9f3763
|
Merge pull request #819 from cclauss/patch-2
Undefined name: from .exceptions import SigmaCollectionParseError
|
2020-06-28 00:37:09 +02:00 |
|
Thomas Patzke
|
4309082d6b
|
Merge pull request #818 from cclauss/patch-1
Undefined name: parser_print_help() --> parser.print_help()
|
2020-06-28 00:34:27 +02:00 |
|
Thomas Patzke
|
09378b5ebf
|
Fixed unsupported attempt to index a set
|
2020-06-28 00:27:33 +02:00 |
|
Thomas Patzke
|
415f826ece
|
Merge branch 'default-pop' of https://github.com/rtkbkish/sigma into rtkbkish-default-pop
|
2020-06-28 00:09:39 +02:00 |
|
Thomas Patzke
|
b1e4f44c21
|
Merge pull request #823 from Kuermel/master
Add more Options for XPackWatcherBackend (Elasticsearch)
|
2020-06-28 00:03:04 +02:00 |
|
Thomas Patzke
|
d1f37bdbd4
|
Merge pull request #828 from stevengoossensB/master
Split rules based on Sysmon event ID
|
2020-06-28 00:00:32 +02:00 |
|
Thomas Patzke
|
de5e453e19
|
Merge pull request #831 from 404d/cbr-backend-tweaks
Add parentheses around field list groups in CB
|
2020-06-27 23:39:57 +02:00 |
|
Pushkarev Dmitry
|
502ec4b417
|
add win_not_allowed_rdp_access.yml rule
|
2020-06-26 22:15:53 +00:00 |
|
Florian Roth
|
555c94bd7e
|
Merge pull request #861 from jaegeral/patch-4
s/straight forward/straightforward
|
2020-06-26 15:40:09 +02:00 |
|
Alexander J
|
839e06e37a
|
s/straight forward/straightforward
Fix a typo.
|
2020-06-26 12:40:06 +02:00 |
|
Florian Roth
|
da46ff6e93
|
docs: descriptions for source configs
|
2020-06-25 13:59:51 +02:00 |
|
Florian Roth
|
825bda397d
|
desc: better descriptions in help for backends and configurations
|
2020-06-25 13:21:43 +02:00 |
|
Florian Roth
|
3decee07ba
|
fix: bugfix and cosmetics
|
2020-06-24 18:10:58 +02:00 |
|
Florian Roth
|
07c0a6558e
|
fix: wording on sysmon mapping file
|
2020-06-24 17:49:42 +02:00 |
|
Florian Roth
|
f3fedef8f5
|
Changed category names and remove sysmon log source
|
2020-06-24 17:41:21 +02:00 |
|
Florian Roth
|
4224a6517d
|
Merge pull request #859 from Neo23x0/rule-devel
fix: duplicate IDs
|
2020-06-24 17:23:13 +02:00 |
|
Florian Roth
|
6d7f991424
|
Merge pull request #853 from rtkbkish/fix-win_ad_object_writedac_access
Fix quoting for AD Object WriteDAC Access
|
2020-06-24 17:06:15 +02:00 |
|
Florian Roth
|
c3ffa0b9d3
|
fix: duplicate IDs
|
2020-06-24 17:04:04 +02:00 |
|
Brad Kish
|
d385cbfa69
|
Fix quoting for AD Object WriteDAC Access
The AccessMask field needs to be quoted so that it is compared correctly.
|
2020-06-22 15:31:03 -04:00 |
|
Ömer Günal
|
4eb97ec43d
|
Update lnx_file_copy.yml
|
2020-06-22 21:35:50 +03:00 |
|
Florian Roth
|
e2a16087c9
|
Merge pull request #851 from ozirus/master
Update for new method
|
2020-06-22 20:11:39 +02:00 |
|