Florian Roth
491c519d1f
Rule: added wmic SHADOWCOPY DELETE
2019-06-02 10:56:13 +02:00
Florian Roth
80560dc12f
Rule: Scanner PoC for CVE-2019-0708 RDP RCE vuln
2019-06-02 09:52:18 +02:00
Florian Roth
5e7ae0590c
Rule: Split up WanaCry rule into two separate rules
2019-06-02 09:52:18 +02:00
Florian Roth
df35d70ab1
Merge pull request #361 from neu5ron/patch-4
...
update correct process name
2019-06-01 20:51:55 +02:00
Nate Guagenti
2163208e9c
update correct process name
...
incorrect process name. accidentally had fsutil, should be bcdedit.
thanks to https://twitter.com/INIT_3 for pointing this out
2019-06-01 09:50:50 -04:00
Thomas Patzke
8a0f706cca
Merge branch 'master' of https://github.com/Neo23x0/sigma
2019-05-30 23:24:37 +02:00
Thomas Patzke
1986bcb843
Sigma tools release 0.11
2019-05-30 22:56:38 +02:00
Thomas Patzke
4e96666c04
Merge pull request #336 from petermat/added_rule_T1156
...
added rule .bash_profile and .bashrc T1156
2019-05-30 22:43:33 +02:00
Thomas Patzke
673973e523
Merge pull request #357 from agix/es_dsl_bug
...
fix missing condition when unique plus timeframe
2019-05-30 22:42:09 +02:00
Thomas Patzke
fa0aaa7d2b
Merge branch 'agix-elastalert_dsl_backend'
2019-05-30 22:38:41 +02:00
Thomas Patzke
67707b6c82
Added test for new elastalert-dsl backend
2019-05-30 22:38:12 +02:00
Thomas Patzke
8023011bb1
Merge branch 'elastalert_dsl_backend' of https://github.com/agix/sigma into agix-elastalert_dsl_backend
2019-05-30 22:33:57 +02:00
Florian GAULTIER
89c1d7b63d
Wrong fix, self.queries should be emptied after copied to rule_object
2019-05-29 16:10:14 +02:00
Florian GAULTIER
748ac2e206
Dont combine multiple queries
2019-05-29 16:05:53 +02:00
Florian Roth
2cf402aa1f
Merge pull request #360 from spellanser/patch-1
...
win_disable_event_logging.yml: typo in audit policy name;
2019-05-29 15:07:46 +02:00
Sarkis Nanyan
60bc5253cf
win_disable_event_logging.yml: typo in audit policy name;
2019-05-29 15:43:44 +03:00
Thomas Patzke
04d91573f3
Merge pull request #355 from agix/allow_empty_keyword
...
Allow empty keyword_field
2019-05-28 21:45:55 +02:00
Thomas Patzke
2ecc55c13f
Merge pull request #351 from ipninichuck/master
...
added metadata field to the watcher alert
2019-05-28 21:42:27 +02:00
Thomas Patzke
f3edc39535
Merge pull request #346 from tuckner/master
...
Add Azure Log Analytics / Azure Sentinel to README list of integrations
2019-05-28 21:41:19 +02:00
Florian GAULTIER
d866e75750
Be sure there is a key in the single condition
2019-05-27 17:27:16 +02:00
Florian GAULTIER
e8a7c5f7b9
fix missing condition when unique plus timeframe
2019-05-27 17:22:28 +02:00
Florian GAULTIER
6bf010fb4b
introduce elastalert-dsl
...
(cherry picked from commit 0235ec23200e62766d9f21fbd26ed834991a0b61)
2019-05-27 17:18:19 +02:00
Florian GAULTIER
4168c0ec64
Allow empty keyword_field
2019-05-27 15:08:33 +02:00
Thomas Patzke
36ba9f78da
Improved message if configuration is missing
2019-05-27 13:18:36 +02:00
Florian Roth
7c1e856095
Merge pull request #353 from lprat/master
...
Add rule for CVE-2019-0708
2019-05-27 09:11:17 +02:00
Florian Roth
323a7313fd
FP adjustments
...
We have checked the False Positive rate in different environments and noticed these event IDs in cases in which systems had bad network connections / we accessed via VPN. Therefore we reduced the level to "high" and added that note to the "False Positives" list.
2019-05-27 08:54:18 +02:00
Thomas Patzke
84690280c5
Improved behavior on missing configuration
...
Listing all configus usable with chosen backend
2019-05-24 22:41:47 +02:00
Thomas Patzke
241d814221
Merged WannaCry rules
2019-05-24 22:17:36 +02:00
Lionel PRAT
f65f693a88
Add rule for CVE-2019-0708
2019-05-24 10:01:19 +02:00
Florian Roth
7b63c92fc0
Rule: applying recommendation
...
https://twitter.com/SwiftOnSecurity/status/1131464234901094400
2019-05-23 09:44:25 +02:00
Florian Roth
253417a367
Merge pull request #350 from olafhartong/master
...
Rule Windows 10 scheduled task SandboxEscaper 0-day
2019-05-22 13:54:45 +02:00
ipninichuck
75ec169d5c
added metadata field to the watcher alert
...
While utilizing Kibana to track watches directly from the watch index it became quickly apparent that useful metadata was not available. In my project's case it was the title, description and tags from the sigma rule. By adding them to the metadata field it makes it easier to utilize them in visualizations of the watches themselves. In the future perhaps the contents of the metadata field could be given as an option for each user.
2019-05-22 04:30:47 -07:00
Olaf Hartong
b60cfbe244
Added password flag
2019-05-22 13:20:26 +02:00
Florian Roth
346022cfe8
Transformed to process creation rule
2019-05-22 12:50:49 +02:00
Olaf Hartong
4a775650a2
Rule Windows 10 scheduled task SandboxEscaper 0-day
2019-05-22 12:36:03 +02:00
Olaf Hartong
e675cdf9c4
Rule Windows 10 scheduled task SandboxEscaper 0-day
2019-05-22 12:32:07 +02:00
Olaf Hartong
544dfe3704
Rule Windows 10 scheduled task SandboxEscaper 0-day
2019-05-22 12:28:42 +02:00
Florian Roth
c937fe3c1b
Rule: Terminal Service Process Spawn
2019-05-22 10:38:27 +02:00
Florian Roth
74ca0eeb88
Rule: Renamed PsExec
2019-05-21 09:49:40 +02:00
Thomas Patzke
2d0c08cc8b
Added wildcards to rule values
...
These values appear somewhere in a log message, therefore wildcards are
required.
2019-05-21 01:03:20 +02:00
tuckner
7d10491bf2
Update README.md
2019-05-20 17:46:28 -05:00
tuckner
5867b5da74
Update README.md
2019-05-20 17:45:18 -05:00
Thomas Patzke
194afa739f
Generate rule name for each condition
...
In backends kibana and xpack-watcher.
Fixes #329
2019-05-21 00:36:19 +02:00
Thomas Patzke
af0bd1b082
Removed debug code from backend option handling
...
Additionally: code simplification
2019-05-21 00:21:52 +02:00
Thomas Patzke
97541ac267
Added -C shortcut for --backend-config
2019-05-21 00:15:01 +02:00
Thomas Patzke
7e163d71eb
Added option to use old URL in xpack-watcher backend
2019-05-21 00:01:21 +02:00
Thomas Patzke
4e63e925cf
Merge branch 'patch-1' of https://github.com/lliknart/sigma into lliknart-patch-1
2019-05-20 23:43:49 +02:00
Thomas Patzke
11ed7e7ef8
Check for valid configuration/backend combinations
2019-05-20 01:00:33 +02:00
Thomas Patzke
e271484eef
Load configurations via new config management
2019-05-20 00:27:35 +02:00
Thomas Patzke
3d20e0bc98
Sigma configuration management with listing
...
Missing:
* Use config by identifier
2019-05-17 09:13:59 +02:00