Commit Graph

842 Commits

Author SHA1 Message Date
Thomas G
8c61dc9248 Add more Options for XPackWatcherBackend (Elasticsearch)
Add action_throttle_period, mail_from and mail_profile to the XPackWatcherBackend (Elasticsearch)
2020-06-09 20:57:26 +02:00
Nate Guagenti
117ceac492 moved file to ecs-zeek-elastic-beats-implementation.yml 2020-06-09 08:56:01 -04:00
Christian Clauss
dff7efc173 Update collection.py 2020-06-08 13:55:52 +02:00
Christian Clauss
55c0a03564 Undefined name: from .exceptions import SigmaCollectionParseError
Discovered in #378.  `SigmaCollectionParseError()` is called on line 55 but it is never defined or imported which means that NameError will be raised instead of SigmaCollectionParseError.
2020-06-08 13:55:16 +02:00
Florian Roth
94b90adf10 docs: move Sigmac help from Wiki to repo 2020-06-07 12:18:37 +02:00
Thomas Patzke
36a7077648 Moved tool executables to new location 2020-06-07 01:14:04 +02:00
Thomas Patzke
a7d18c7ed9 Converted sigma2attack and added to entry points 2020-06-07 01:03:09 +02:00
Thomas Patzke
8688e8a2a1 Script entrypoint stubs 2020-06-07 00:22:59 +02:00
Thomas Patzke
7d70cd95a4 Deduplicated backend list 2020-06-06 01:03:02 +02:00
Thomas Patzke
fb9855bd3b Added description to es-rule backend 2020-06-06 01:02:44 +02:00
Thomas Patzke
1d211565fc Moved backend options list to --backend-help 2020-06-06 00:56:00 +02:00
Thomas Patzke
c992dc5215 Improved test coverage 2020-06-05 23:33:51 +02:00
Thomas Patzke
5d88d97c73 Merge branch 'improvements/improved_mdatp_mappings' of https://github.com/wietze/sigma into wietze-improvements/improved_mdatp_mappings 2020-06-05 23:03:52 +02:00
Jonas Plum
3a6ac5bd5c Remove unused function 2020-05-30 01:57:06 +02:00
Jonas Plum
70935d26ce Add license header 2020-05-29 23:56:05 +02:00
Jonas Hagg
dedfb65d63 Implemented Aggregation for SQL, Added SQLite FullTextSearch 2020-05-25 11:58:55 +02:00
Thomas Patzke
daf7ab5ff7 Cleanup: removal of corelight_* backends 2020-05-24 22:41:38 +02:00
Thomas Patzke
d45f8e19fe Fixes 2020-05-24 21:46:55 +02:00
Thomas Patzke
32e4998c49 Removed dead code from ALA backend. 2020-05-24 21:45:37 +02:00
Thomas Patzke
24b08bbf30 Merge branch 'master' of https://github.com/socprime/sigma into socprime-master 2020-05-24 17:06:32 +02:00
Thomas Patzke
8d9b706d6a Merge pull request #727 from 3CORESec/master
Override Features
2020-05-20 19:11:56 +02:00
vh
e8b956f575 Updated config 2020-05-20 12:35:00 +03:00
neu5ron
9e272d37b7 zeek category update and minor field updates 2020-05-19 05:02:45 -04:00
neu5ron
177f0a783b winlogbeat forward (at a snail's pace) ECS field names 2020-05-19 04:58:51 -04:00
~noyan
2b72ee7b84 partial(?) fix of #762 2020-05-16 14:51:58 +03:00
Tiago Faria
2893becf8c Merge remote-tracking branch 'upstream/master' 2020-05-14 14:02:20 +01:00
Remco Hofman
37b08543ac Updated author reference in license 2020-05-11 11:47:56 +02:00
vh
fb9c5841f4 Added Humio, Crowdstrike, Corelight 2020-05-08 13:41:52 +03:00
Remco Hofman
dc96b7ffb3 Removed dependency on slugify 2020-05-08 11:40:16 +02:00
Remco Hofman
c5be83eb01 Added ee-outliers backend 2020-05-08 10:18:35 +02:00
Thomas Patzke
3b96b5e497 Merge pull request #723 from neu5ron/socprime_add_zeek_and_corelight
sigmacs for Zeek and Corelight(Zeek)
2020-05-06 23:22:14 +02:00
Remco Hofman
24029a8f27 Fix for broken endswith modifier 2020-05-06 17:10:54 +02:00
pdr9rc
31ad81874f capitalized titles
corrected capitalization of titles and removed literals from config
2020-05-05 11:32:18 +01:00
pdr9rc
aa175a7d5b wip
wip
2020-05-04 18:02:27 +01:00
pdr9rc
dd9e128a15 kibana target update
kibana target now compatible with overrides
2020-05-04 17:35:12 +01:00
pdr9rc
b32093e734 Merge remote-tracking branch 'upstream/master'
Keeping up with the sigmas.
2020-05-04 17:26:51 +01:00
pdr9rc
b3194e66c4 Update base.py 2020-05-04 16:37:36 +01:00
Wietze
2b3828730c Reversed disabling FileDelete 2020-05-02 17:31:50 +01:00
Wietze
e5574e07f2 Disabled FileDelete event (Sysmon 11 - no rules available yet) 2020-05-02 16:21:56 +01:00
Wietze
5abf4cbea9 Reordered fields 2020-05-02 14:46:55 +01:00
Wietze
661108903b Minor consistency fix 2020-05-02 14:37:37 +01:00
Wietze
46737cbfd3 Improved Microsoft ATP mapping, using Advanced Hunting Schema
See https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference
2020-05-02 14:31:02 +01:00
neu5ron
cbe5af01a1 on behalf of @socprime [SOC Prime Inc.](https://my.socprime.com/en/tdm/)
Add a total of 5 sigmac's (sigma configs) for 3 different backends. Full git message to follow in PR.
2020-05-02 07:23:11 -04:00
Thomas Patzke
2fafff3278 Fixed: escaping of backslashes before added *
Fixes issue #722.
2020-05-02 00:13:15 +02:00
pdr9rc
bc0a2c7ab9 wip
wip
2020-05-01 19:20:05 +01:00
pdr9rc
98391f985a wip
wip
2020-04-30 15:19:38 +01:00
Tiago Faria
dfdb5b9550 better description and event.outcome 2020-04-29 23:59:26 +01:00
pdr9rc
ac4a2b1f26 wip
wip
2020-04-29 22:55:46 +01:00
pdr9rc
9ce84a38e5 overrides section support + one example rule + cloudtrail config
ditto
2020-04-29 20:36:45 +01:00
alm8i
7ac685882c comments for usage 2020-04-11 15:47:23 +02:00
Danijel Grah
6312f381bf C# backend
Converts Sigma rule into C# Regex in LINQ query
2020-04-10 16:12:05 +02:00
Thomas Patzke
1c5c8047fd Fixes
* Removed commented debug print statements
* Defined nullExpression
* Removed unneeded generateMapItemNode method
* Value cleaning bug on matching of wildcard at first character
2020-04-08 23:43:46 +02:00
Thomas Patzke
3277cec7aa Reverted list sorting
This was already implemented meanwhile in a previous commit.
2020-04-08 23:23:44 +02:00
Thomas Patzke
cf896c3093 Merge branch 'master' of https://github.com/abhikhnvasara/sigma into pr-630 2020-04-08 23:16:39 +02:00
Thomas Patzke
551a94af04 Merge branch 'master' of https://github.com/tileo/sigma into pr-658 2020-04-08 22:43:48 +02:00
Thomas Patzke
7224af54b2 Merge pull request #664 from j91321/es-rule-options
es-rule backend options for index-patterns and time interval
2020-04-08 22:39:45 +02:00
Thomas Patzke
1b7f33f5e2 Fixed undefined value in exception handling
Fixes issue #702.
2020-04-08 22:28:47 +02:00
j91321
3470011ac3 Revert time interval, use index values provided by sigmaparser 2020-04-05 20:30:57 +02:00
Thomas Patzke
693830fa83 Merge pull request 659 2020-04-03 23:46:53 +02:00
Maxime Lamothe-Brassard
f92c5e9b18 Remove generation of LC rules with timeframe. 2020-04-02 15:25:30 -07:00
Florian Roth
ee7babd8cb fix: security vulnerability with pyyaml < 4.2b1 2020-04-02 12:27:53 +02:00
Thomas Patzke
13dbb4cdbd Moved tools into sigma namespace 2020-03-31 23:46:58 +02:00
Florian Roth
6aba430de6 fix: sigma_uuid occurrences 2020-03-31 16:29:58 +02:00
Florian Roth
4d67dff89a fix: renamed tools to allow for console_scripts list entries 2020-03-31 14:07:34 +02:00
Florian Roth
18e505c458 fix: list_configurations default values 2020-03-31 12:42:02 +02:00
Florian Roth
c82156a3c9 fix: second list_configurations function params 2020-03-31 11:46:05 +02:00
Florian Roth
23ce69eaae fix: functions parameters outside of main 2020-03-31 11:42:16 +02:00
Florian Roth
bb50571b13 fix: print_verbose scope 2020-03-31 11:35:21 +02:00
Florian Roth
c83b4fd37c fix: fixing script install for Windows end systems 2020-03-31 11:30:47 +02:00
Florian Roth
536ad78fc2 refactor: following best practices reg main functions in Python
https://realpython.com/python-main-function/
2020-03-31 11:30:14 +02:00
Thomas Patzke
d33f4b290d Dependency cleanup
* Consolidated dependencies into main and development (MISP and test
  integrated).
* Split Pipfile dependencies into main and development
* Specified compatible dependencies
2020-03-29 22:55:09 +02:00
Florian Roth
5f0250bff5 Merge pull request #669 from 0xThiebaut/winlogbeat-rulename
Add Winlogbeat's RuleName field to mapping
2020-03-28 13:20:08 +01:00
Thomas Patzke
004eaf0615 Revert "do not escape u"
This reverts commit aa112cbd44.

This was a fix for a previous bug.
2020-03-24 23:36:12 +01:00
Thomas Patzke
5ea623506f Merge pull request #667 from opflep/master
Upgrade CarbonBlack backend
2020-03-22 00:24:57 +01:00
Maxime Thiebaut
c5bdd18d8d Add Winlogbeat's RuleName field to mapping
When Sysmon logs a "RegistryEvent" event of ID 13, the event might contain a field named "RuleName" as shown in the following excerpt.

```xml
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Events>
	<Event
		xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
		<System>
			<Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/>
			<EventID>13</EventID>
			<Version>2</Version>
			<Level>4</Level>
			<Task>13</Task>
			<Opcode>0</Opcode>
			<Keywords>0x8000000000000000</Keywords>
			<TimeCreated SystemTime='2020-03-18T03:52:07.173448000Z'/>
			<EventRecordID>160631</EventRecordID>
			<Correlation/>
			<Execution ProcessID='2156' ThreadID='3628'/>
			<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
			<Computer>win10.sec699-40.lab</Computer>
			<Security UserID='S-1-5-18'/>
		</System>
		<EventData>
			<Data Name='RuleName'>Context,ProtectedModeExitOrMacrosUsed</Data>
			<Data Name='EventType'>SetValue</Data>
			<Data Name='UtcTime'>2020-03-18 03:52:07.129</Data>
			<Data Name='ProcessGuid'>{36aa6401-9acb-5e71-0000-0010e3ed6803}</Data>
			<Data Name='ProcessId'>5064</Data>
			<Data Name='Image'>C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE</Data>
			<Data Name='TargetObject'>HKU\S-1-5-21-1850752718-2055233276-2633568556-1126\Software\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords\%USERPROFILE%/Documents/sec699.docm</Data>
			<Data Name='Details'>Binary Data</Data>
		</EventData>
	</Event>
</Events>
```

When used in combination with Elastic's Winlogbeat, the resulting field is named `winlog.event_data.RuleName`.
This commit introduces a mapping between the Sigma `RuleName` field (pre-existing in the `arcsight.yml` config) and Elastic's `winlog.event_data.RuleName`.

The presence of this field could be leveraged to build Sigma rules detecting events such as the above where a malicious macro was executed.
2020-03-19 19:40:18 +01:00
vunx2
be6519e35d merge 2020-03-19 11:07:39 +07:00
vunx2
1025930e04 merge 2020-03-19 11:05:52 +07:00
vunx2
c627f6b381 merge 2020-03-19 11:02:10 +07:00
vunx2
2107d86900 merge 2020-03-19 10:58:30 +07:00
vunx2
0356178c50 eventdict 2020-03-19 10:49:40 +07:00
vunx2
1b12a6b261 modified: tools/sigma/backends/carbonblack.py 2020-03-19 09:00:24 +07:00
neu5ron
aa112cbd44 do not escape u 2020-03-18 08:51:38 -04:00
neu5ron
17318b48bf - fix agg_option keyword
- remove (now) unnecessary other hardcoded `.keyword` locations
2020-03-18 08:50:37 -04:00
vunx2
e228d42b97 clean IP subnet 2020-03-18 16:49:44 +07:00
vunx2
1df5620a14 fix cleanValue + leading wildcard + EventID Integration 2020-03-18 16:02:44 +07:00
j91321
f0c83ae3b4 Added es-rule backend options 2020-03-15 13:03:20 +01:00
neu5ron
58ac26e531 more ECS to sigmac taxonomy for web/proxy 2020-03-14 14:57:38 -04:00
neu5ron
55bf39a2ac keyword, analyzed field, case insensitivity 2020-03-11 11:38:56 -04:00
David Szili
0947538228 MDATP schema changes
WDATP was renamed to MDATP (Microsoft Defender ATP).
MDATP also had schema changes recently: https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914
The updates reflect these changes.
2020-03-09 17:12:41 +01:00
Abhijit Khinvasara
46bc843e51 sort the list of backends presented in sigmac help 2020-03-04 15:21:28 -08:00
Abhijit Khinvasara
9cb395823c Rework according to review comments. 2020-03-04 14:54:49 -08:00
vunx2
b070ffab74 Merge branch 'master' of https://github.com/Neo23x0/sigma 2020-03-03 10:08:31 +07:00
Thomas Patzke
a0f7da8c03 Splunk XML backend rule title
Fixes #645
2020-03-01 22:23:35 +01:00
vunx2
58f5fa1b8e change to github 2020-02-28 16:56:48 +07:00
vunx2
139600009b conflict 2020-02-28 16:50:30 +07:00
Thomas Patzke
65444f7a77 Release 0.16.0 2020-02-25 22:19:52 +01:00
Thomas Patzke
5a2ccbd040 Fixed ArcSight backend visibility 2020-02-24 23:27:22 +01:00
Thomas Patzke
5b42135935 Added es-rule backend to all ES configurations 2020-02-24 23:20:48 +01:00
Thomas Patzke
d9b48ea747 Fixes in es-rule backend 2020-02-24 23:20:19 +01:00
Thomas Patzke
4ee2c2762e Sorting of backend and configuration lists 2020-02-24 22:59:59 +01:00
vh
5dc30bd388 Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00
vh
516e61fdb0 t 2020-02-24 19:23:11 +02:00
Abhijit Khinvasara
8ad346362c remove print statements. 2020-02-22 20:59:56 -08:00
Abhijit Khinvasara
612df1666b add LOGIQ backend. 2020-02-22 20:50:30 -08:00
Thomas Patzke
12be884aa5 Merge branch 'sql-backend' 2020-02-21 22:41:53 +01:00
Thomas Patzke
776b58b594 Improved Splunk Zeek configuration 2020-02-21 22:31:14 +01:00
Thomas Patzke
746f957a63 Merge branch 'patch-1' of https://github.com/fuseyjz/sigma into fuseyjz-patch-1 2020-02-21 22:24:44 +01:00
Thomas Patzke
3047571132 Merge pull request #625 from ninoseki/fix-sigma2misp
Update sigma2misp
2020-02-21 22:22:54 +01:00
Thomas Patzke
48d95f027c Merge branch 'oscd' 2020-02-20 23:11:57 +01:00
Manabu Niseki
c6eb3bfbf2 Update sigma2misp
Enable use with modern PyMISP
2020-02-20 18:55:10 +09:00
james dickenson
1347e5060f logsource config for zeek events in splunk 2020-02-12 21:24:03 -08:00
vunx2
d0e9af171f cleanIPRange 2020-02-06 17:20:52 +07:00
vunx2
627f46abc2 backslash fix 2020-02-06 16:28:27 +07:00
vunx2
bc4c6ce8db cleanValue 2020-02-06 11:02:22 +07:00
vunx2
19d9e4856e clean Value + config 2020-02-05 17:47:35 +07:00
vunx2
579e7481c7 cleanValue + eventID list 2020-02-04 18:14:40 +07:00
Thomas Patzke
d7bd90cb24 Merge branch 'master' into oscd 2020-02-03 23:13:16 +01:00
Thomas Patzke
1bc2c0b930 Deduplication of backend list
Fixes issue #609. Added backend list debug output (class name).
2020-02-03 22:16:00 +01:00
vunx2
2930df17d6 update sigma 2020-02-03 09:47:06 +07:00
Thomas Patzke
815c562a17 Merge branch 'master' into oscd 2020-02-02 13:40:08 +01:00
vh
dc5a31aebc Updated Azure Sentinel backend 2020-01-31 17:17:24 +02:00
Thomas Patzke
7b4ec734a8 Using rule ids as Kibana object id 2020-01-30 11:30:01 +01:00
Thomas Patzke
7b62b931ce Moved ala-rule backend code into ala backend module 2020-01-13 11:24:46 +01:00
Thomas Patzke
de690cbfbf Merge branch 'master' of https://github.com/socprime/sigma into socprime-master 2020-01-13 11:19:39 +01:00
neu5ron
d8b703462d fix name of network_initiated 2020-01-13 00:12:04 -05:00
Thomas Patzke
8d6a507ec4 OSCD QA wave 1
* Checked all rules against Mordor and EVTX samples datasets
* Added field names
* Some severity adjustments
* Fixes
2020-01-11 00:11:27 +01:00
Maxime Lamothe-Brassard
a3ad7cb1c5 Fixed actual event tag 2019-12-30 18:15:12 -08:00
Maxime Lamothe-Brassard
9b32086d92 Mapping OriginalFileName to event/INTERNAL_NAME now that it's available. 2019-12-30 15:58:18 -08:00
SOC Prime
92bc96a308 Update ala-rule.py 2019-12-30 16:26:30 +02:00
vh
f2117f798a Fix ala-rule 2019-12-30 16:24:08 +02:00
SOC Prime
f015c97dff Update ala-rule.py 2019-12-30 16:13:27 +02:00
vh
f9570a48cb Azure Sentinel backend (ala) - Fixed path in query
Added new backend Azure Sentinel Rule (ala-rule)
2019-12-30 16:11:53 +02:00
vh
d42409372c Azure Sentinel backend (ala) - Fixed path in query
Added new backend Azure Sentinel Rule (ala-rule)
2019-12-30 16:09:19 +02:00
fuseyjz
0b2f88d5df Sigma converter for SQL format
Get the converted SQL query after the WHERE statement for any filtering on SQL platforms.

Example:
https://github.com/fuseyjz/sigma-sql/blob/master/README.md
2019-12-24 10:42:25 +08:00
christophetd
e99b0fe2d7 Add sigma2attack 2019-12-19 00:00:13 +01:00
Thomas Patzke
d2a940a0a6 Merge branch 'devel' of https://github.com/Neo23x0/sigma 2019-12-13 22:01:40 +01:00
Thomas Patzke
ee4138c48e Merge pull request #526 from zouzias/hotfix_aggregate_count_distinct_groupby
[feature] extend es-dsl to support nested aggregations
2019-12-13 21:55:47 +01:00
Thomas Patzke
a25b2ec361 Merge pull request #523 from refractionPOINT/lc-added-mtd
LC added FP metadata
2019-12-13 21:50:52 +01:00
Thomas Patzke
b701e9be50 Added ECS proxy configuration 2019-12-09 16:34:07 +01:00
Thomas Patzke
991108e64d Further proxy field name fixes (config + rules) 2019-12-07 00:23:30 +01:00
Thomas Patzke
51e9689425 Sigmatool release 0.15.0 2019-12-06 22:13:44 +01:00
Maxime Lamothe-Brassard
27bb07b74e Adding support for basic proxy rules using the HTTP_REQUEST events from the Chrome LC Agent. 2019-12-05 09:35:09 -08:00
Lep
60997b47b2 moreEventID 2019-11-28 21:34:52 +07:00
Lep
412dfc4f05 Merge branch 'master' of http://git.security.fis.vn/VuNX2/sigma 2019-11-28 17:38:57 +07:00
Lep
738008b52b requirement 2019-11-28 17:38:05 +07:00
Nguyen Xuan Vu
042d078ee1 Update requirements.txt 2019-11-28 05:26:09 -05:00
Lep
158ffd2f0c requirement 2019-11-28 17:23:05 +07:00
Lep
37257170dd postAPI 2019-11-28 16:01:24 +07:00
Lep
d08ff35222 postAPI 2019-11-28 11:45:49 +07:00
Maxime Lamothe-Brassard
61bcc46394 Prettier formatting of YAML. 2019-11-18 14:50:41 -05:00
Maxime Lamothe-Brassard
9eed57ee1d Adding the "falsepositives" field to the LC metadata. 2019-11-15 08:30:41 -05:00
Anastasios Zouzias
3c7f522017 add .keyword on aggs; add extra unit test 2019-11-14 14:34:50 +01:00
Thomas Patzke
cf22e9e576 Added hint on failed UUID check 2019-11-12 23:37:28 +01:00
Thomas Patzke
ca53e937d9 Removed sigma.output from setup packages 2019-11-12 23:11:39 +01:00
Thomas Patzke
3828f4a95c Merge branch 'uuid' into assign-ids 2019-11-12 22:46:54 +01:00
Thomas Patzke
0065e2420f Merge branch 'oscd-qa' 2019-11-12 20:54:11 +01:00
Anastasios Zouzias
e7ed0fa9ea added unit test 2019-11-12 14:06:10 +01:00
Anastasios Zouzias
324005a126 [feature] extend es-dsl to support nested aggregations 2019-11-12 11:46:43 +01:00
Thomas Patzke
6d62d426c9 Added sigma-uuid tool
* Moved SigmaYAMLDumper to new sigma.output module
2019-11-11 23:35:16 +01:00
Florian Roth
e2628d6df6 fix: wrong mapping on thor.cfg 2019-11-11 09:20:20 +01:00
Thomas Patzke
feb836cbf2 Sigmatools release 0.14 2019-11-10 00:09:59 +01:00
Florian Roth
faeccf0c3d Merge branch 'master' into devel 2019-11-09 22:42:16 +01:00
Florian Roth
a0beda240c fix: fixed wrong field mapping in windows-audit source config 2019-11-09 22:42:00 +01:00
Thomas Patzke
2222550b6e Allow ignore of type errors with sigmac -I 2019-11-08 23:56:39 +01:00
Thomas Patzke
8f1974d7d3 Added regular expression support in es-dsl backend 2019-11-08 23:56:39 +01:00
Thomas Patzke
465e41bfbb Added regular expression support in es-dsl backend 2019-11-08 22:31:02 +01:00
Thomas Patzke
5d995ad704 sigma-similarity: primary rule set for restriction of comparison 2019-11-08 21:15:13 +01:00
Thomas Patzke
ef14ee542d Added modifiers: startswith and endswith 2019-11-05 23:04:13 +01:00
Maxime Lamothe-Brassard
1b9054c1f3 Adding some comments 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
b7018bcd4a Adding a post-mapper mechanism to fix some common issues in Sigma rules to LC. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
c2e621cf08 Fixing another edge case with string escape. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
0c6b9e532b Remove debugging statement 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
6f2f1d2bd7 Add ability to map fields and values based on callbacks. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
0b9a3f3a08 Refactor to better support keyword fields. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
9aedb8f764 Adding another exception case to get more "contains" shortcuts instead of REs. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
102ab3081b Fix the conversion from simple wildcard strings to a full regular expression so that it is always correct. The previous solution just mostly-worked. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
e52f29dda9 Fix matches operator field set to value instead of re. 2019-11-05 08:38:06 -05:00
Thomas Patzke
54c75167ce Default configurations for backends 2019-11-03 23:32:50 +01:00
Thomas Patzke
4f19ef5708 Graylog backend now derived from es-qs
Technically, Graylog is ES. Fixes and improvements for ES didn't
propagate to Graylog, now they do.
2019-11-02 22:56:01 +01:00
Thomas Patzke
8af2b70594 Restrict search not bound to fields to keyword fields 2019-11-02 22:55:04 +01:00
Thomas Patzke
c9eb921f68 ConditionAND/OR constructor now allows arbitrary number of operands 2019-11-02 22:54:35 +01:00
Thomas Patzke
2eeccf48e0 Removed line breaks in Elastalert YAML output
Fixes #453
2019-10-29 22:45:37 +01:00
Maxime Lamothe-Brassard
f6fb9c7f5f Fixing typo in response metadata. 2019-10-28 11:31:50 -05:00
Maxime Lamothe-Brassard
2873e1ded3 Small refactors to make more readable and remove deprecated code paths to increase coverage. 2019-10-28 10:49:05 -05:00
Maxime Lamothe-Brassard
a7003c2aa3 Adding support for "unix", looking like a mistake by the creator. 2019-10-27 15:55:12 -05:00
Maxime Lamothe-Brassard
d019cef439 Adding a bit more of early support for netflow and some linux exe. 2019-10-27 15:48:28 -05:00
Maxime Lamothe-Brassard
a57a7b58cf Added conceptual support for aliasing keywords to a specific field depending on the log source. 2019-10-27 15:28:54 -05:00
Maxime Lamothe-Brassard
60b20a76a6 Fixing handling of unsupported sources. 2019-10-27 12:37:06 -05:00
Maxime Lamothe-Brassard
0fe72d6133 Emit error on full-text searches not being supported. 2019-10-27 12:26:36 -05:00
Maxime Lamothe-Brassard
f43300af8e Fix the top level pre-condition for Windows Event Logs on LC. 2019-10-27 12:17:15 -05:00
Maxime Lamothe-Brassard
91e48d8c1b Adding setup links and fixing test that would crash Not node, but not seen in prod rules. 2019-10-27 11:56:32 -05:00
Maxime Lamothe-Brassard
8d866b0868 Adding comments. 2019-10-26 17:37:13 -05:00
Maxime Lamothe-Brassard
bc5e9bd03a Making rule output a full D&R (with the Response component) and including a lot of metadata from the rule in the report. 2019-10-26 17:30:40 -05:00
Maxime Lamothe-Brassard
8cc3990aef Extending support for more random rules with odd names. 2019-10-26 16:59:33 -05:00
Maxime Lamothe-Brassard
4d65b62063 Adding support for generating rules for Windows builtin category for use in the External Logs of LC. 2019-10-26 16:30:50 -05:00
Maxime Lamothe-Brassard
30cc7ee809 Refactor mappings into a flat structure to account for missing parameters in some combinations. 2019-10-26 16:09:39 -05:00
Maxime Lamothe-Brassard
77329714c5 Adding service to indirection of mappings since it will be used for Windows Event Logs. 2019-10-26 16:06:42 -05:00
Maxime Lamothe-Brassard
823d86c7d9 Remove unimplemented config entries and fix bug with valueNode. 2019-10-26 15:54:08 -05:00
Maxime Lamothe-Brassard
bba43c7a86 First draft of support for LimaCharlie D&R rules. 2019-10-26 15:45:48 -05:00
Thomas Patzke
30948b9c1a Added sigma-similarity tool
Fixed also bug in backend base class that was triggered by the way
backends are used by this tool.
2019-10-25 21:59:03 +02:00