valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2,029 Commits 20 Branches 25 Tags 21 MiB
3d106d8e7f
Commit Graph

2029 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Thomas Patzke
a23f15d42b Converted rule to generic log source 2019-06-11 13:20:15 +02:00
Thomas Patzke
5715413da9 Usage of Channel field name in ELK Windows config 2019-06-11 13:15:43 +02:00
John Tuckner
3529b717cb fixed backend errors in ala 2019-06-10 09:25:59 -05:00
Tareq AlKhatib
d61a971874 Minor refactors 2019-06-10 09:55:52 +03:00
Tareq AlKhatib
3bcfc53905 Corrected Typo 2019-06-10 09:54:37 +03:00
Tareq AlKhatib
fce2a45dac Corrected Typo 2019-06-10 09:51:34 +03:00
James Ahearn
eae7e3ab10 Web Source Code Enumeration via .git 2019-06-08 22:40:28 -04:00
Thomas Patzke
407d8214f7 Added APT40 Dropbox exfiltration proxy rule 2019-06-07 14:03:41 +02:00
yugoslavskiy
5827165c2d event id deleted 2019-06-03 15:51:54 +02:00
yugoslavskiy
cf947e3720 changed to process_creation category 2019-06-03 15:47:24 +02:00
yugoslavskiy
6a39b4fb41 date added 2019-06-03 15:42:02 +02:00
yugoslavskiy
10db09c596 rule added: Windows Kernel and 3rd-party drivers exploits. Token stealing 2019-06-03 15:37:41 +02:00
Florian Roth
a0c9f1594e Rule: renamed file - name was too generic 2019-06-02 10:57:44 +02:00
Florian Roth
491c519d1f Rule: added wmic SHADOWCOPY DELETE 2019-06-02 10:56:13 +02:00
Florian Roth
80560dc12f Rule: Scanner PoC for CVE-2019-0708 RDP RCE vuln 2019-06-02 09:52:18 +02:00
Florian Roth
5e7ae0590c Rule: Split up WanaCry rule into two separate rules 2019-06-02 09:52:18 +02:00
Florian Roth
df35d70ab1
Merge pull request #361 from neu5ron/patch-4 
update correct process name
 2019-06-01 20:51:55 +02:00
Nate Guagenti
2163208e9c
update correct process name 
incorrect process name. accidentally had fsutil, should be bcdedit.

thanks to https://twitter.com/INIT_3 for pointing this out
 2019-06-01 09:50:50 -04:00
Thomas Patzke
8a0f706cca Merge branch 'master' of https://github.com/Neo23x0/sigma 2019-05-30 23:24:37 +02:00
Thomas Patzke
1986bcb843 Sigma tools release 0.11 2019-05-30 22:56:38 +02:00
Thomas Patzke
4e96666c04
Merge pull request #336 from petermat/added_rule_T1156 
added rule .bash_profile and .bashrc T1156
 2019-05-30 22:43:33 +02:00
Thomas Patzke
673973e523
Merge pull request #357 from agix/es_dsl_bug 
fix missing condition when unique plus timeframe
 2019-05-30 22:42:09 +02:00
Thomas Patzke
fa0aaa7d2b Merge branch 'agix-elastalert_dsl_backend' 2019-05-30 22:38:41 +02:00
Thomas Patzke
67707b6c82 Added test for new elastalert-dsl backend 2019-05-30 22:38:12 +02:00
Thomas Patzke
8023011bb1 Merge branch 'elastalert_dsl_backend' of https://github.com/agix/sigma into agix-elastalert_dsl_backend 2019-05-30 22:33:57 +02:00
Florian GAULTIER
89c1d7b63d Wrong fix, self.queries should be emptied after copied to rule_object 2019-05-29 16:10:14 +02:00
Florian GAULTIER
748ac2e206 Dont combine multiple queries 2019-05-29 16:05:53 +02:00
Florian Roth
2cf402aa1f
Merge pull request #360 from spellanser/patch-1 
win_disable_event_logging.yml: typo in audit policy name;
 2019-05-29 15:07:46 +02:00
Sarkis Nanyan
60bc5253cf
win_disable_event_logging.yml: typo in audit policy name; 2019-05-29 15:43:44 +03:00
Thomas Patzke
04d91573f3
Merge pull request #355 from agix/allow_empty_keyword 
Allow empty keyword_field
 2019-05-28 21:45:55 +02:00
Thomas Patzke
2ecc55c13f
Merge pull request #351 from ipninichuck/master 
added metadata field to the watcher alert
 2019-05-28 21:42:27 +02:00
Thomas Patzke
f3edc39535
Merge pull request #346 from tuckner/master 
Add Azure Log Analytics / Azure Sentinel to README list of integrations
 2019-05-28 21:41:19 +02:00
Florian GAULTIER
d866e75750 Be sure there is a key in the single condition 2019-05-27 17:27:16 +02:00
Florian GAULTIER
e8a7c5f7b9 fix missing condition when unique plus timeframe 2019-05-27 17:22:28 +02:00
Florian GAULTIER
6bf010fb4b introduce elastalert-dsl 
(cherry picked from commit 0235ec23200e62766d9f21fbd26ed834991a0b61)
 2019-05-27 17:18:19 +02:00
Florian GAULTIER
4168c0ec64 Allow empty keyword_field 2019-05-27 15:08:33 +02:00
Thomas Patzke
36ba9f78da Improved message if configuration is missing 2019-05-27 13:18:36 +02:00
Florian Roth
7c1e856095
Merge pull request #353 from lprat/master 
Add rule for CVE-2019-0708
 2019-05-27 09:11:17 +02:00
Florian Roth
323a7313fd
FP adjustments 
We have checked the False Positive rate in different environments and noticed these event IDs in cases in which systems had bad network connections / we accessed via VPN. Therefore we reduced the level to "high" and added that note to the "False Positives" list.
 2019-05-27 08:54:18 +02:00
Thomas Patzke
38f3966751 Changed backend list formatting to new method 2019-05-26 22:58:14 +02:00
Thomas Patzke
eb9564557e Moved generic class discovery code into new tools module 2019-05-26 22:29:07 +02:00
Thomas Patzke
84690280c5 Improved behavior on missing configuration 
Listing all configus usable with chosen backend
 2019-05-24 22:41:47 +02:00
Thomas Patzke
241d814221 Merged WannaCry rules 2019-05-24 22:17:36 +02:00
Lionel PRAT
f65f693a88 Add rule for CVE-2019-0708 2019-05-24 10:01:19 +02:00
Florian Roth
7b63c92fc0 Rule: applying recommendation 
https://twitter.com/SwiftOnSecurity/status/1131464234901094400
 2019-05-23 09:44:25 +02:00
Florian Roth
253417a367
Merge pull request #350 from olafhartong/master 
Rule Windows 10 scheduled task SandboxEscaper 0-day
 2019-05-22 13:54:45 +02:00
ipninichuck
75ec169d5c
added metadata field to the watcher alert 
While utilizing Kibana to track watches directly from the watch index it became quickly apparent that useful metadata was not available. In my project's case it was the title, description and tags from the sigma rule. By adding them to the metadata field it makes it easier to utilize them in visualizations of the watches themselves. In the future perhaps the contents of the metadata field could be given as an option for each user.
 2019-05-22 04:30:47 -07:00
Olaf Hartong
b60cfbe244
Added password flag 2019-05-22 13:20:26 +02:00
Florian Roth
346022cfe8
Transformed to process creation rule 2019-05-22 12:50:49 +02:00
Olaf Hartong
4a775650a2 Rule Windows 10 scheduled task SandboxEscaper 0-day 2019-05-22 12:36:03 +02:00