Commit Graph

4011 Commits

Author SHA1 Message Date
grikos
ac0e42d0e2
Merge pull request #2 from aw350m33d/master
sync master
2020-08-25 23:07:48 +03:00
Thomas Patzke
b742e4ef08
Merge pull request #990 from neu5ron/es_backend
ES and Readme from SOC Prime
2020-08-25 21:34:55 +02:00
Nate Guagenti
f21b3c50c6 control whether to use an analyzed field or different type if a query/value contains a wildcard.
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
2020-08-25 13:13:18 -04:00
Nate Guagenti
a7ffb96b6b elasticsearch regex escape of '.' for case insensitivity backend options
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
2020-08-25 13:10:25 -04:00
Nate Guagenti
474e04dfe3 add new options to readme for elasticbackend
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
2020-08-25 13:00:22 -04:00
Nate Guagenti
76910eaee4 fix sub field name usage if there are 3 or more fields..
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
2020-08-25 12:56:57 -04:00
Nate Guagenti
0d713e4544 control whether to use an analyzed field or different type if a query/value contains a wildcard.
Signed-off-by: Nate Guagenti <neu5ron@users.noreply.github.com>
2020-08-25 12:56:33 -04:00
Timur Zinniatullin
8dba6ceee6 2nd review 2020-08-25 09:31:38 +03:00
Timur Zinniatullin
1244cacfbf Update lnx_auditd_create_account.yml 2020-08-25 09:20:27 +03:00
aw350m3
c28fce6273 fix duplication of key "modified" in mapping 2020-08-25 00:53:09 +00:00
aw350m3
c22273d162 fix duplication of key modified in mapping 2020-08-25 00:50:38 +00:00
aw350m3
5af0f1392d att&ck tags review: windows/powershell, windows/process_access, windows/network_connection 2020-08-24 23:31:35 +00:00
aw350m3
399f378269 att&ck tags review: windows/powershell, windows/process_access, windows/network_connection 2020-08-24 23:31:26 +00:00
Yugoslavskiy Daniil
5026438524 fix modified field 2020-08-25 01:29:57 +02:00
aw350m3
1999fb609e Merge branch 'master' of github.com:oscd-initiative/sigma 2020-08-24 23:14:13 +00:00
Yugoslavskiy Daniil
f274f39b54 Merge branch 'master' of https://github.com/oscd-initiative/sigma 2020-08-25 01:09:24 +02:00
Yugoslavskiy Daniil
42c4079ed8 att&ck tags review: windows/builtin, windows/driver_load, windows/file_event, windows/image_load, windows/other 2020-08-25 01:09:17 +02:00
Florian Roth
5a9ed1da15
Merge pull request #988 from defensivedepth/master
Zeek RDP rule
2020-08-24 12:39:49 +02:00
aw350m3
ba2e891433 windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-24 00:01:50 +00:00
aw350m3
08170bbcca fix tags for suspicious outbound kerberos activity rule 2020-08-23 21:10:29 +00:00
Josh Brower
4c4b8db7cf
Zeek RDP rule 2020-08-23 13:16:42 -04:00
aw350m3
4cdd8be354 Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-23 02:20:58 +00:00
aw350m3
3aa1ad68fb windows/process_access folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-23 02:03:06 +00:00
aw350m3
80deaf84ca windows/network_connection folder reviewed 2020-08-22 23:36:30 +00:00
Florian Roth
437a807a1d
Merge pull request #985 from architect00/master
added troubleshooting links to root README.md
2020-08-20 14:56:27 +02:00
David Straßegger
1e8a5b64d9 added troubleshooting links to root README.md 2020-08-20 14:02:26 +02:00
Florian Roth
79adaceffa
Merge pull request #979 from barvhaim/patch-3
Update win_susp_rasdial_activity.yml to use `contains` instead of `equal`
2020-08-18 15:08:15 +02:00
Florian Roth
bc74ac1f8a
Update win_susp_rasdial_activity.yml 2020-08-18 14:40:37 +02:00
Florian Roth
fd23a18241
Merge pull request #982 from tungn12/master
Carbon black mapping wrong and fix wild card
2020-08-18 14:33:22 +02:00
Florian Roth
0ba9383774
Merge pull request #984 from EccoTheFlintstone/fix_fp3
SIGMA ASEP: remove some false positives
2020-08-18 14:29:35 +02:00
ecco
de4810233c remove false positives in Windows being too broad and add specific keys looked at + add keys from wow64 2020-08-18 05:28:37 -04:00
tung12
1921e9dd89 Fix wild card and some escaped characters 2020-08-18 15:57:13 +07:00
SOC Prime
d3ba1e4fb8
Add sysmon backend 2020-08-18 11:20:22 +03:00
SOC Prime
8fead9f864
Merge pull request #4 from Neo23x0/master
Repositories synchronization
2020-08-18 11:12:15 +03:00
Florian Roth
da54e89f30
Merge pull request #976 from diskurse/rule-devel
Rule devel
2020-08-17 15:02:31 +02:00
Florian Roth
8a02541b0a
style: removed lists where unnecessary 2020-08-17 15:02:16 +02:00
Florian Roth
6dc8dbb6d8
style: removed lists where unnecessary 2020-08-17 15:01:52 +02:00
tung12
172f7b371e Change mapped Image to path 2020-08-17 15:05:44 +07:00
Bar Haim
bd96b1c5ad
Update win_susp_rasdial_activity.yml
`rasdial` is an `exe`, and probably appear as `rasdial.exe`
`LIKE` is more fit in this case
2020-08-16 16:17:49 +03:00
Bar Haim
c7dc9df87e
Update sysmon_apt_muddywater_dnstunnel.yml 2020-08-16 12:39:04 +03:00
Bar Haim
4168f1e430
Update win_new_service_creation.yml 2020-08-16 11:44:40 +03:00
Thomas Patzke
3d9855dd06
Merge pull request #975 from scottdermott/master
+ Adding Mitre Sub-Techniques and python update script to fetch latest from Mitre CTI
2020-08-13 13:18:57 +02:00
Cian Heasley
b378b3d62b
win_mouse_lock.yml
In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
2020-08-13 12:09:07 +01:00
Cian Heasley
6fa5a6c93d
Delete win_mouse_lock.yml 2020-08-13 12:08:04 +01:00
Cian Heasley
b8b4ab5a2a
win_mouse_lock.yml
In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
2020-08-13 12:07:34 +01:00
Cian Heasley
d1e9f01d23
win_dnscat2_powershell_implementation.yml
The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.
2020-08-13 12:06:48 +01:00
Dermott, Scott J
7e6828dd40 + Adding Mitre Sub-Techniques and python update script to fetch latest Pre, Enterprise & Mobile Tactics and Techniques from Mitre CTI 2020-08-13 10:24:44 +01:00
Florian Roth
2e29c07e83
Merge pull request #928 from duzvik/master
Create sysmon_abusing_azure_browser_sso.yml
2020-08-12 17:15:27 +02:00
Florian Roth
61a05ee054
reordered fields, changed indentation 2020-08-12 16:44:37 +02:00
Thomas Patzke
01125ffd3b Fixed: Elastalert backend handling of conditional field mappings 2020-08-11 23:29:18 +02:00