Commit Graph

3582 Commits

Author SHA1 Message Date
Florian Roth
bb86d9c125
Merge pull request #875 from Neo23x0/rule-devel
fix: duplicate IDs and rule titles
2020-07-01 16:58:06 +02:00
Florian Roth
4c4ed1a4a2 fix: duplicate IDs and rule titles 2020-07-01 16:37:27 +02:00
Florian Roth
61c3b2e0d6
Merge pull request #873 from Neo23x0/rule-devel
fix: remove duplicate rules in sysmon (generic rule cleanup)
2020-07-01 11:29:04 +02:00
Florian Roth
9c0f9f398f refactor: sysmon rule cleanup > generlization 2020-07-01 10:58:39 +02:00
Florian Roth
4231fe2efc fix: remove duplicate rules in sysmon (generic rule cleanup) 2020-07-01 10:23:30 +02:00
Florian Roth
bc71ee5614
Merge pull request #872 from Neo23x0/rule-devel
Rule devel
2020-07-01 10:16:57 +02:00
Florian Roth
ab40cdbbd7 fix: missing ATT&CK id 2020-07-01 09:57:35 +02:00
Florian Roth
154181c6c8 fix: renamed files and lien break change 2020-07-01 09:48:48 +02:00
Florian Roth
d70b63b78c rule: RedMimicry rules (modified) 2020-07-01 09:17:31 +02:00
Florian Roth
fe71d21d97 style: removed new lines 2020-07-01 09:11:00 +02:00
Florian Roth
b7ac36e6ab Merge branch 'master' into rule-devel 2020-07-01 09:04:46 +02:00
Florian Roth
f2587791f2 rule: suspicious rar flags 2020-07-01 09:04:26 +02:00
Chris Brake
6ed1ea6509 Updating the mdatp backend file as it is currently impossible to set an ActionType as there is no mapping to EventType 2020-06-30 14:49:29 +01:00
Florian Roth
ba682c5de6
Merge pull request #863 from qwerty1q2w/feature
add win_not_allowed_rdp_access.yml rule
2020-06-30 10:03:11 +02:00
Florian Roth
77553e11e8
Update win_not_allowed_rdp_access.yml 2020-06-30 10:03:00 +02:00
Florian Roth
2e3669a5a4
Merge pull request #865 from j91321/defender-rules
Windows Defender logsource and rules
2020-06-30 10:01:17 +02:00
Florian Roth
eb3a6e86af
Merge pull request #867 from HarishHary/suspicious_powershell_parent_process
New Rule: Suspicious powershell parent process
2020-06-30 10:00:28 +02:00
Florian Roth
2c3f98dc83
Merge pull request #868 from HarishHary/pwsh_xor_commandline
New Rule: PowerShell xor commandline
2020-06-30 10:00:07 +02:00
Harish SEGAR
9c74018e12 Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:18:25 +02:00
Harish SEGAR
5e740fd7b2 Added new rule for pwsh_xor_cmd (sysmon) 2020-06-29 22:13:49 +02:00
Harish SEGAR
649e4eaa63 Added new rule for pwsh_xor_cmd 2020-06-29 22:09:58 +02:00
Florian Roth
5a11ef90d0
rule reorganized 2020-06-29 21:24:47 +02:00
Harish SEGAR
1a088425f9 Fix rules. 2020-06-29 20:42:35 +02:00
Ömer Günal
0c3ce445da
Delete remote_copy.yml 2020-06-29 18:51:18 +03:00
Florian Roth
bb214f5832 rule: Explorer Root Flag Process Tree Break 2020-06-29 12:07:15 +02:00
j91321
24029d998a FIX: lint error for title 2020-06-28 11:05:19 +02:00
j91321
ae842a65cb Windows Defender rules and logsource 2020-06-28 10:55:32 +02:00
Christian Clauss
9dc3940c07
Fix undefined names in sigma2misp.py
create_new_event() -> create_new_event(args, misp) to fix:

flake8 testing of https://github.com/Neo23x0/sigma on Python 3.8.3

% _flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics_
```
./tools/sigma/sigma2misp.py:11:16: F821 undefined name 'misp'
    if hasattr(misp, "new_event"):
               ^
./tools/sigma/sigma2misp.py:12:16: F821 undefined name 'misp'
        return misp.new_event(info=args.info)["Event"]["id"]
               ^
./tools/sigma/sigma2misp.py:12:36: F821 undefined name 'args'
        return misp.new_event(info=args.info)["Event"]["id"]
                                   ^
./tools/sigma/sigma2misp.py:14:13: F821 undefined name 'misp'
    event = misp.MISPEvent()
            ^
./tools/sigma/sigma2misp.py:15:18: F821 undefined name 'args'
    event.info = args.info
                 ^
./tools/sigma/sigma2misp.py:16:12: F821 undefined name 'misp'
    return misp.add_event(event)["Event"]["id"]
           ^
6     F821 undefined name 'misp'
6
```
2020-06-28 07:02:41 +02:00
Thomas Patzke
0ee47e118c Merge branch 'pr-848' 2020-06-28 01:04:30 +02:00
Thomas Patzke
89ed9f3763
Merge pull request #819 from cclauss/patch-2
Undefined name: from .exceptions import SigmaCollectionParseError
2020-06-28 00:37:09 +02:00
Thomas Patzke
4309082d6b
Merge pull request #818 from cclauss/patch-1
Undefined name: parser_print_help() --> parser.print_help()
2020-06-28 00:34:27 +02:00
Thomas Patzke
09378b5ebf Fixed unsupported attempt to index a set 2020-06-28 00:27:33 +02:00
Thomas Patzke
415f826ece Merge branch 'default-pop' of https://github.com/rtkbkish/sigma into rtkbkish-default-pop 2020-06-28 00:09:39 +02:00
Thomas Patzke
b1e4f44c21
Merge pull request #823 from Kuermel/master
Add more Options for XPackWatcherBackend (Elasticsearch)
2020-06-28 00:03:04 +02:00
Thomas Patzke
d1f37bdbd4
Merge pull request #828 from stevengoossensB/master
Split rules based on Sysmon event ID
2020-06-28 00:00:32 +02:00
Thomas Patzke
de5e453e19
Merge pull request #831 from 404d/cbr-backend-tweaks
Add parentheses around field list groups in CB
2020-06-27 23:39:57 +02:00
Pushkarev Dmitry
502ec4b417 add win_not_allowed_rdp_access.yml rule 2020-06-26 22:15:53 +00:00
Florian Roth
555c94bd7e
Merge pull request #861 from jaegeral/patch-4
s/straight forward/straightforward
2020-06-26 15:40:09 +02:00
Alexander J
839e06e37a
s/straight forward/straightforward
Fix a typo.
2020-06-26 12:40:06 +02:00
Florian Roth
da46ff6e93 docs: descriptions for source configs 2020-06-25 13:59:51 +02:00
Florian Roth
825bda397d desc: better descriptions in help for backends and configurations 2020-06-25 13:21:43 +02:00
Florian Roth
3decee07ba fix: bugfix and cosmetics 2020-06-24 18:10:58 +02:00
Florian Roth
07c0a6558e fix: wording on sysmon mapping file 2020-06-24 17:49:42 +02:00
Florian Roth
f3fedef8f5 Changed category names and remove sysmon log source 2020-06-24 17:41:21 +02:00
Florian Roth
4224a6517d
Merge pull request #859 from Neo23x0/rule-devel
fix: duplicate IDs
2020-06-24 17:23:13 +02:00
Florian Roth
6d7f991424
Merge pull request #853 from rtkbkish/fix-win_ad_object_writedac_access
Fix quoting for AD Object WriteDAC Access
2020-06-24 17:06:15 +02:00
Florian Roth
c3ffa0b9d3 fix: duplicate IDs 2020-06-24 17:04:04 +02:00
Brad Kish
d385cbfa69 Fix quoting for AD Object WriteDAC Access
The AccessMask field needs to be quoted so that it is compared correctly.
2020-06-22 15:31:03 -04:00
Ömer Günal
4eb97ec43d
Update lnx_file_copy.yml 2020-06-22 21:35:50 +03:00
Florian Roth
e2a16087c9
Merge pull request #851 from ozirus/master
Update for new method
2020-06-22 20:11:39 +02:00