valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2,809 Commits 20 Branches 25 Tags 21 MiB
4ee2c2762e
Commit Graph

2809 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Thomas Patzke
4ee2c2762e Sorting of backend and configuration lists 2020-02-24 22:59:59 +01:00
vh
5dc30bd388 Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00
vh
516e61fdb0 t 2020-02-24 19:23:11 +02:00
Florian Roth
91d1586b97
Merge pull request #633 from EccoTheFlintstone/fix_fp 
rule local account discovery: fix FP on rmdir matching dir
 2020-02-24 13:41:39 +01:00
ecco
aa1eff5419 fix FP on rmdir matching dir 2020-02-24 05:23:23 -05:00
Florian Roth
bfab143c7c
Merge pull request #632 from EccoTheFlintstone/fp_fix 
fix false positive on taskkill.exe not related to service stop at all
 2020-02-24 09:58:33 +01:00
Florian Roth
53ca71e7ae
Merge pull request #631 from EccoTheFlintstone/ascii_fix 
fix non ascii character in rule (probably a typo)
 2020-02-24 09:58:13 +01:00
ecco
f807dae69a fix false positive on taskkill.exe not related to service stop at all 2020-02-24 03:03:46 -05:00
ecco
1703b725d3 fix non ascii character in rule 2020-02-24 02:58:34 -05:00
Thomas Patzke
12be884aa5 Merge branch 'sql-backend' 2020-02-21 22:41:53 +01:00
Thomas Patzke
776b58b594 Improved Splunk Zeek configuration 2020-02-21 22:31:14 +01:00
Thomas Patzke
fa4c76871f Added CI test for sql backend 2020-02-21 22:27:55 +01:00
Thomas Patzke
746f957a63 Merge branch 'patch-1' of https://github.com/fuseyjz/sigma into fuseyjz-patch-1 2020-02-21 22:24:44 +01:00
Thomas Patzke
3047571132
Merge pull request #625 from ninoseki/fix-sigma2misp 
Update sigma2misp
 2020-02-21 22:22:54 +01:00
Thomas Patzke
61d31c3f3a Fixed tagging 2020-02-20 23:51:12 +01:00
Thomas Patzke
48d95f027c Merge branch 'oscd' 2020-02-20 23:11:57 +01:00
Thomas Patzke
373424f145 Rule fixes 
Made tests pass the new CI tests. Added further allowed lower case words
in rule test.
 2020-02-20 23:00:16 +01:00
Manabu Niseki
c6eb3bfbf2 Update sigma2misp 
Make enable to use with modern PyMISP
 2020-02-20 18:55:10 +09:00
Florian Roth
a9403b70d5
Merge pull request #623 from Neo23x0/devel 
fix: fixing too restrictive rule
 2020-02-18 11:14:51 +01:00
Florian Roth
6413730810 fix: fixing too restrictive rule 
https://twitter.com/Hexacorn/status/1229702521679118336
 2020-02-18 10:43:22 +01:00
Florian Roth
f7a6ffa121
Merge pull request #622 from Neo23x0/devel 
Minor changes, process dump via rundll32 comsvcs.dll
 2020-02-18 10:26:28 +01:00
Florian Roth
04b97bd84c fix: character in filename 2020-02-18 10:19:48 +01:00
Florian Roth
5a4095f13f fix: restored GPL 2020-02-18 10:06:00 +01:00
Florian Roth
cd607d4fed rule: process dump via rundll32 and comsvcs.dll's MiniDumpW 2020-02-18 10:04:55 +01:00
Florian Roth
73dfc847fc rule: changed lsass process dump to level high 2020-02-18 10:03:25 +01:00
yugoslavskiy
7f3f1944d9 fix redundancy 2020-02-18 01:10:56 +03:00
Florian Roth
2363213fc9
add TimeSketch to list of products that use Sigma 2020-02-17 08:41:23 +01:00
Thomas Patzke
01d6c3b58d Fixes 2020-02-16 23:24:00 +01:00
yugoslavskiy
d0e284ae18 fix typo (duplicates) 2020-02-16 18:19:25 +03:00
yugoslavskiy
168ab7c620 Merge branch 'oscd' of https://github.com/Neo23x0/sigma into oscd 2020-02-16 17:57:48 +03:00
Thomas Patzke
f118839664 Further fixes and deduplications 
From suggestions of @yugoslavskiy in issue #554.
 2020-02-16 14:03:07 +01:00
Thomas Patzke
77c927bc14 Revert "Moved rules with enrichments into unsupported" 
This reverts commit ba83b8862a.
 2020-02-15 22:52:06 +01:00
Florian Roth
eb36150e6b rule: UserAgent used by PowerTon malware 2020-02-15 19:06:49 +01:00
Florian Roth
d909fefa82
Merge pull request #620 from james0d0a/master 
rule: Zeek Suspicious kerberos network traffic RC4
 2020-02-13 09:34:06 +01:00
Florian Roth
94bb7dd77f
fix: issues 2020-02-13 09:17:21 +01:00
Florian Roth
983f7fcd39
Merge pull request #618 from faloker/master 
More rules for AWS events
 2020-02-13 09:15:04 +01:00
james dickenson
21e4aa33dc rule modification: fixed filter condition on zeek suspicious rc4 traffic 2020-02-12 21:27:36 -08:00
james dickenson
1347e5060f logsource config for zeek events in splunk 2020-02-12 21:24:03 -08:00
james dickenson
93367d725d rule: zeek suspicious kerberos RC4 traffic 2020-02-12 21:21:46 -08:00
faloker
6d9c8e44d7
Update rules titles 2020-02-12 23:09:16 +02:00
faloker
1b15dba712
Correct the indentation 2020-02-12 22:48:46 +02:00
faloker
f387cf0c37
Add the rule to detect changes to startup scripts 2020-02-12 22:23:18 +02:00
faloker
01d2f9f99d
Add the rule to detect backdooring of users keys 2020-02-12 22:22:38 +02:00
faloker
b26c5d8c51
Add rules to detect AWS RDS exfiltration 2020-02-12 22:21:52 +02:00
faloker
ddf5f8ec23
Update conditions 2020-02-12 22:20:15 +02:00
faloker
aacab37f84
Add a rule for guardduty trusted IPs manipulation 2020-02-11 23:28:23 +02:00
faloker
b6c834195e
Add a rule for ec2 userdata exfil 2020-02-11 23:25:54 +02:00
Florian Roth
7a5587f14d
Merge pull request #616 from Neo23x0/devel 
rule: remove keywords in powershell rule prone to FPs
 2020-02-11 16:43:01 +01:00
Florian Roth
a4c210ed16 rule: remove keywords in powershell rule prone to FPs 2020-02-11 16:26:17 +01:00
Florian Roth
bf98d286f9
Merge pull request #615 from Neo23x0/devel 
fix: dumpert rule with wrong sysmon event id
 2020-02-08 20:03:28 +01:00