valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,711 Commits 20 Branches 25 Tags 21 MiB
491c519d1f
Commit Graph

1711 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Thomas Patzke
71ff6bd943 Catch type errors in configuration handling 2019-05-16 23:34:44 +02:00
Thomas Patzke
36aeb19721 Added title to all configurations 2019-05-16 23:33:51 +02:00
lliknart
f86342012a
Update elasticsearch.py 
From ElasticSearch 7.0, the URI to access to Watcher API changes

Deprecation: [PUT /_xpack/watcher/watch/{id}] is deprecated! Use [PUT /_watcher/watch/{id}] instead.
 2019-05-16 16:17:57 +02:00
Florian Roth
9e2345c491
Merge pull request #338 from yt0ng/development 
Suspicious Outbound RDP Rule likely identifying CVE-2019-0708
 2019-05-15 21:35:52 +02:00
Florian Roth
a6d2a5d79b fix: more general fixes of the var type issue 2019-05-15 21:25:53 +02:00
Florian Roth
9f1bbb0a0d fix: missing type check in WDATP backend 2019-05-15 21:20:20 +02:00
Florian Roth
694fa567b6
Reformatted 2019-05-15 20:22:53 +02:00
Florian Roth
1c36bfde79
Bugfix - Swisscom in Newline 2019-05-15 15:03:55 +02:00
Florian Roth
d5f49c5777
Fixed syntax 2019-05-15 14:50:57 +02:00
Florian Roth
508d1cdae0
Removed double back slashes 2019-05-15 14:46:45 +02:00
Unknown
13522b97a7 Adjusting Newline 2019-05-15 12:15:41 +02:00
Unknown
275896dbe6 Suspicious Outbound RDP Rule likely identifying CVE-2019-0708 2019-05-15 11:47:12 +02:00
petermmm
b6c4e64a9b fixed attack category number 2->3 2019-05-12 11:59:13 +02:00
petermmm
2778558ae3 added rule .bash_profile and .bashrc T1156 2019-05-12 02:07:13 +02:00
Florian Roth
5dfe39c05b
Merge pull request #335 from Codehardt/master 
fix: fixed reference list, otherwise it's not valid string list
 2019-05-10 14:06:11 +02:00
Codehardt
1ca57719b0 fix: fixed reference list, otherwise it's not valid string list 2019-05-10 10:37:12 +02:00
Thomas Patzke
1c2bc87946
Merge pull request #334 from Codehardt/master 
fix: fixed reference list, otherwise it's not valid string list
 2019-05-10 10:19:56 +02:00
Codehardt
6585c83077 fix: fixed reference list, otherwise it's not valid string list 2019-05-10 10:13:35 +02:00
Thomas Patzke
526468bec3
Merge pull request #298 from christophetd/elastalert-allow-rules-without-http-post-url 
Allow generating Elastalert rules with the http_post alert type without specifying a URL at generation time
 2019-05-10 00:31:33 +02:00
Thomas Patzke
f4d8dcaa1e Merge branch 'Karneades-patch-1' 2019-05-10 00:21:15 +02:00
Thomas Patzke
25c0330dca Added filter 2019-05-10 00:20:56 +02:00
Thomas Patzke
995c03eef9 Merge branch 'patch-1' of https://github.com/Karneades/sigma into Karneades-patch-1 2019-05-10 00:15:51 +02:00
Thomas Patzke
a361664ed2
Merge pull request #318 from HacknowledgeCH/es-qs-not-parenthesis-fix 
Correct parenthesization for NOT expressions in the ES-QS backend
 2019-05-10 00:14:29 +02:00
Thomas Patzke
56f64ca47d
Merge pull request #315 from P4T12ICK/feature/net_dnc_c2_detection 
New C2 DNS Tunneling Sigma Detection Rule
 2019-05-10 00:12:39 +02:00
Thomas Patzke
c50119b913 Merge branch 'P4T12ICK-feature/lnx-priv-esc-prep' 2019-05-10 00:08:48 +02:00
Thomas Patzke
46c789105b Fix and ordering 2019-05-10 00:08:26 +02:00
Thomas Patzke
595f22552d Merge branch 'feature/lnx-priv-esc-prep' of https://github.com/P4T12ICK/sigma into P4T12ICK-feature/lnx-priv-esc-prep 2019-05-10 00:05:06 +02:00
Thomas Patzke
27199fc231 Merge branch 'neu5ron-patch-3' 2019-05-10 00:02:33 +02:00
Thomas Patzke
15a4c7e477 Fixed rule 2019-05-10 00:02:20 +02:00
Thomas Patzke
666e859d14 Merge branch 'patch-3' of https://github.com/neu5ron/sigma into neu5ron-patch-3 2019-05-10 00:00:14 +02:00
Thomas Patzke
14b10c232e Merge branch 'MadsRC-MadsRC-patch-1' 2019-05-09 23:58:14 +02:00
Thomas Patzke
f51e918a2e Small rule change 2019-05-09 23:57:55 +02:00
Thomas Patzke
31946426a5 Merge branch 'MadsRC-patch-1' of https://github.com/MadsRC/sigma into MadsRC-MadsRC-patch-1 2019-05-09 23:54:18 +02:00
Thomas Patzke
f01fbd6b79 Merge branch 2019-05-09 23:51:15 +02:00
Thomas Patzke
e60fe1f46d Changed rule 
* Adapted false positive notice to observation
* Decreased level
 2019-05-09 23:49:39 +02:00
Florian Roth
3dd76a9c5e Converted to generic process creation rule 
Previous rule was prone to FPs; more generic form
 2019-05-09 23:48:42 +02:00
Vasiliy Burov
792095734d Update win_proc_wrong_parent.yml 
changes accordingly this documents:
https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
 2019-05-09 23:48:36 +02:00
Florian Roth
378ba5b38f Transformed rule 
I would try it like this - the 4th selection for uncommon parents of explorer.exe looks prone to FPs

Fixed Typo

Changes to title and description
 2019-05-09 23:48:36 +02:00
Vasiliy Burov
8e6295e402 Windows processes with wrong parent 
Detect scenarios when malicious program is disguised as legitimate process
 2019-05-09 23:48:36 +02:00
Thomas Patzke
1e2ef92104 Merge branch 'vburov-patch-2' 2019-05-09 23:10:52 +02:00
Thomas Patzke
121e21960e Rule changes 
* Replaced variables with usual path names
* Removed Temp directories due to many false positives
* Matching on Image field, CommandLines often contain these paths
 2019-05-09 23:09:22 +02:00
Thomas Patzke
9b67705799 Merge branch 'patch-2' of https://github.com/vburov/sigma into vburov-patch-2 2019-05-09 22:55:07 +02:00
Thomas Patzke
763939a8ca Hide --shoot-yourself-in-the-foot 2019-04-25 23:42:13 +02:00
Thomas Patzke
eb022f3908 Conditional field mapping for null values 
Fixes #326
 2019-04-25 23:24:05 +02:00
Thomas Patzke
cfb4f32651 Backend es-dsl tolerates rules without title and log source 2019-04-25 22:41:31 +02:00
Florian Roth
16bf5eef0f
Merge pull request #327 from Codehardt/master 
Added logsources for generic sigma rules to spark config, renamed spa…
 2019-04-25 10:10:51 +02:00
Codehardt
17ae9ea91c Renamed spark config in setup.py 2019-04-25 09:56:29 +02:00
Codehardt
8cf505fcb3 Accidentally removed windows-dhcp logsource in spark's config file 2019-04-25 08:23:48 +02:00
Codehardt
79f7edb6b4 Added logsources for generic sigma rules to spark config, renamed spark config to thor config 2019-04-25 08:15:50 +02:00
Thomas Patzke
6918784e87 Configuration order checking 2019-04-23 00:54:10 +02:00