valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
1,750 Commits 20 Branches 25 Tags 21 MiB
654a009c9e
Commit Graph

224 Commits

Author SHA1 Message Date
tuckner
c5796d7853 Added Azure Log Analytics backend 2019-03-04 10:49:50 -06:00
tuckner
8179d182c4 added azure log analytics 2019-03-04 10:44:45 -06:00
Thomas Patzke
c922f7d73f Merge branch 'master' into project-1 2019-02-26 00:24:46 +01:00
christophetd
1a6faf385c Add HTTP POST alert type to the Elastalert backend 2019-02-23 14:12:14 +01:00
christophetd
3a7160d52b Accept backend options from a configuration file (closes #213) 2019-02-23 13:20:20 +01:00
Thomas Patzke
9ef314486e Grep backend escapes + 2019-02-19 14:49:06 +01:00
Thomas Patzke
01dfc23a26
Merge pull request #234 from juju4/devel-sumo 
Sumologic support update
 2019-02-09 23:54:23 +01:00
juju4
4429d7564f remove 'escape' of '_' - not needed 2019-02-09 12:57:43 -05:00
juju4
a815b7eb9b add custom cleanValue function for wildcards in keyvalue: OK with lists, NOK with string 2019-02-09 12:57:07 -05:00
sisecbe
5d94b9f0bc
Changed stats to eventstats 
Changed 'stats' to 'eventstats' when using aggregation, this keeps the original data of the event in the result.
 2019-02-05 17:36:46 +01:00
sisecbe
2f5eb08b41
Adapt count function when aggfield not present 
When no field is present, use "count" , when field is present use "dc(field)". As described in the Sigma specifications.
Splunk throws errors when using "count()" with empy fields. use "count" instead.
 2019-02-05 15:44:05 +01:00
juju4
7d159fb980 sumologic backend: review with inspiration from arcsight 2019-02-03 12:53:58 -05:00
Thomas Patzke
6215a694a8 Remove escaping from '\\*' in es-dsl backend 2019-02-02 23:51:11 +01:00
Thomas Patzke
8a0784ad33 Fixed escaping of \\* 2019-02-02 00:18:58 +01:00
Thomas Patzke
2fd88c837d Added generic sigma rule support to WDATP backend 
* Process creation rules
 2019-01-14 23:54:05 +01:00
Thomas Patzke
4e83bfeb16 Fixed merge bugs 2019-01-14 22:54:26 +01:00
Thomas Patzke
a9cf14438c Merge branch 'master' into project-1 2019-01-14 22:36:15 +01:00
Mo Amiri
aa37ef2559 extending the qradar backend to allow for timeframe query 2019-01-11 03:33:49 +00:00
Thomas Patzke
73b0c3a25b Fixed wildcard issue for es-dsl backend 
Moved field mapping code into mixin shared by es-qs and es-dsl.
 2018-12-21 14:10:45 +01:00
Thomas Patzke
ffd43823cf Fixed wildcard issue in es-qs backend and depending 
See GitHub issue #194. Fix for es-dsl is pending.
 2018-12-19 00:33:12 +01:00
Thomas Patzke
4175d0cdd5 Fixed config and added index field 
* Added index field _index to backend implementation
* Fixed index values in config
 2018-12-10 22:37:39 +01:00
juju4
1f707cb37c Adding Sumologic backend 2018-12-09 17:55:51 -05:00
Thomas Patzke
2091c90538 Fixed ElastAlert *_key options 
* Always use .keyword field instead of analyzed one
* Fixed 'null' value if group field was not set
 2018-12-09 22:33:23 +01:00
Thomas Patzke
246ad7c59a Revert "Fixed wildcards in es-qs backend" 
This reverts commit 49d464f979.

The partial fix for issue #194 broke the generation of many other rules,
see #203.
 2018-12-05 09:07:07 +01:00
Thomas Patzke
f9d9d653dc
Merge pull request #199 from sisecbe/patch-1 
Distinct count in aggragation function
 2018-12-04 23:42:16 +01:00
Florian Roth
2bf0170956
Merge pull request #202 from tuckner/master 
Fixed backslash escape
 2018-12-03 22:22:53 +01:00
tuckner
2c5c92ab0a fixed backslash escape 2018-12-03 15:09:29 -06:00
lsoumille
50c74b94bc add elastalert backend support 2018-11-23 20:39:15 +01:00
sisecbe
c848c473a3
Error when empty fields attribute 2018-11-23 15:37:42 +01:00
sisecbe
31eae25756
Indentation error 2018-11-23 15:20:17 +01:00
sisecbe
e43909678e
Added the fields attribute parser 
Make a table with the fields present in the fields attribute
 2018-11-23 15:11:12 +01:00
sisecbe
c2eb87133d
Distinct count in aggragation function 
Added dc() instead of count() when group-by field is present. Because count() doesn't do a distinct count in Splunk. Must be the dc() function instead.
 2018-11-23 15:04:08 +01:00
Thomas Patzke
aa1a953a65 Moved node dumping code to generic location 2018-11-21 23:22:38 +01:00
Thomas Patzke
26d888aec3 Removed "not null" handling code 
Feature was removed some time ago.
 2018-11-21 22:56:48 +01:00
Thomas Patzke
9e28669c33 Backend es-qs return quotes on empty or whitespace-only string 2018-11-21 22:29:12 +01:00
Thomas Patzke
49d464f979 Fixed wildcards in es-qs backend 2018-11-20 23:23:54 +01:00
Thomas Patzke
396a030ed1 Removed duplicate code 2018-11-07 22:52:12 +01:00
Thomas Patzke
116a0e9f03 Merge branch 'master' of https://github.com/tuckner/sigma into tuckner-master 2018-11-07 22:27:41 +01:00
Thomas Patzke
5053cc4e95 Fixed optimizing of not conditions with subexpressions 
Optimization pass traversal is cut at ConditionNOT nodes.
 2018-11-07 13:54:45 +01:00
Thomas Patzke
a88b1e81ec Optimizer debugging code cleanup 
* Removed commented debugging code
* Output to stdin
* Coverage exception for _dumpNode
 2018-11-07 13:49:08 +01:00
Thomas Patzke
42ed8acec9 Improved test coverage 
* Adding tests
* Removal of coverage measurement for debugging code
 2018-11-04 23:28:40 +01:00
Thomas Patzke
418f8d10a3 Wrap conditions generated by mappings into sub-expression 2018-11-04 23:00:04 +01:00
Thomas Patzke
0e4842962b Added tests 2018-11-04 22:16:20 +01:00
tuckner
ca6ba4a85b Added NetWitness backend and tests 2018-10-31 14:24:14 -05:00
tuckner
26f73d60fa Added NetWitness backend and tests 2018-10-31 14:07:59 -05:00
Thomas Patzke
eacfaa7460 Check for forbidden null values in list items in Splunk backend 2018-10-27 01:07:03 +02:00
Thomas Patzke
0cc8b77307 Merge branch 'master' of https://github.com/pivotforensics/sigma into pivotforensics-master 2018-10-18 15:56:26 +02:00
ntim
e501c4a5b9 Added additional output type 'json' to the xpack-watcher backend which prints each watcher as compress json, one watcher per line 2018-10-17 10:38:56 +02:00
Thomas Patzke
265ce115a0 Fixed conditional field mapping usage in mapping chains 2018-10-16 13:57:51 +02:00
Michael H
5b33713ef8 Quick fix for string formatting bug 2018-10-13 20:21:37 -05:00
Michael H
38ec257f7e Re-doing LogName formatting 2018-10-13 20:18:57 -05:00
Michael H
9f48265eb1 Adding re.sub for LogName that accounts for expression grouping 2018-10-13 20:09:54 -05:00
Michael H
aabaa0257b Merge branch 'master' of https://github.com/Neo23x0/sigma 2018-10-06 20:12:15 -05:00
Michael H
4b85a34b34 Added CSV option to powershell backend 2018-10-06 20:08:20 -05:00
Thomas Patzke
e28bc35cad Apply field mappings in generation of log source condition 2018-10-06 23:38:35 +02:00
Daniel Roethlisberger
fc45df144c Improve the comments on the optimizer 2018-10-03 13:44:03 +02:00
Daniel Roethlisberger
87aa1b5521 Move optimizer to sigma.parser.condition to enable it for all backends 2018-10-03 00:24:31 +02:00
Daniel Roethlisberger
cd3661b60c Fix optimization of NOT corner cases 2018-10-02 22:48:33 +02:00
Daniel Roethlisberger
bed88cf813 Make uniq work for lists within definitions 2018-10-02 22:12:54 +02:00
Daniel Roethlisberger
7165128fa5 Remove None from AST - fixes None-related test failures 2018-10-02 21:44:37 +02:00
Daniel Roethlisberger
2242fc5ac8 Optimize the boolean expressions in the AST before generating output 
Add code optimizing the boolean expressions in the abstract syntax tree
before generating output using the backend.

The main idea behind optimizing the AST is that less repeated terms is
generally better for backend performance.  This is especially relevant
to backends that do not perform any query language optimization down
the road, such as those that generate code.

The following optimizations are currently performed:

-   Removal of empty OR(), AND()
-   OR(X), AND(X)                 =>  X
-   OR(X, X, ...), AND(X, X, ...) =>  OR(X, ...), AND(X, ...)
-   OR(X, OR(Y))                  =>  OR(X, Y)
-   OR(AND(X, ...), AND(X, ...))  =>  AND(X, OR(AND(...), AND(...)))
-   NOT(NOT(X))                   =>  X

A common example for when these suboptimal rules actually occur in
practice is when a rule has multiple alternative detections that are
OR'ed together in the condition, and all of the detections include a
common element, such as the same EventID.

This implementation is not optimized for performance and will perform
poorly on very large expressions.
 2018-10-02 21:14:25 +02:00
Karneades
468af42de5 Add missing event id list handling in PowerShell backend 2018-09-29 14:43:28 +02:00
Karneades
c289484c5c Improve default field handling in PowerShell backend 2018-09-29 12:29:44 +02:00
Karneades
c66b00356d Add initial version of PowerShell backend 
* Add PowerShell backend
* Add PowerShell config file

State: Work in progress :)

See https://github.com/Neo23x0/sigma/issues/94
 2018-09-23 21:41:48 +02:00
Thomas Patzke
2fbf17ff34 Addition and resolution of field mapping chains explicitely checks for list 2018-09-13 16:22:29 +02:00
Thomas Patzke
41a8ef2fd9 Implemented resolve_fieldname in FieldMappingChain 2018-09-13 14:56:31 +02:00
Thomas Patzke
2330306db1 Added merged field mapping and log sources dict to config chain 2018-09-13 14:55:05 +02:00
Thomas Patzke
ba76f04fe6 Merging of raw configurations in configuration chains 2018-09-13 13:49:36 +02:00
Thomas Patzke
d81946df39 Stacked configurations 
- Added log source rewriting
- Removed log source merging condition type setting
- Simplified SigmaLogsourceConfiguration constructor
- Condition is generated in SigmaParser instead of SigmaLogsourceConfiguration

Missing:
- Merging of raw config dict for backends that rely on this (es-dsl)
 2018-09-12 23:40:22 +02:00
Thomas Patzke
210f7ac044 Rewrote logsource definition merging to set generator 2018-09-12 22:29:51 +02:00
Thomas Patzke
f3c60a6309 Added tag filtering to sigmac 2018-09-06 00:57:54 +02:00
Thomas Patzke
7f875af1ca Fixed WDATP backend 
It never generated any output due to missing return in generate()
method.
 2018-09-06 00:31:40 +02:00
Thomas Patzke
1d7722c1cb Added configuration and field mapping chains 
Missing: field name mapping of log source conditions.
 2018-08-27 00:17:27 +02:00
James Dickenson
29bed766dd removed re-introduced output class from qradar backend. fixed list handling error. 2018-08-21 22:45:12 -07:00
James Dickenson
468f040c0a Merge branch 'qradar-dev' 2018-08-20 21:54:30 -07:00
James Dickenson
9a61f40cef added support flor flow data in qradar backend 2018-08-16 21:44:17 -07:00
James Dickenson
a8d1831382 Added aggregation support for qradar backend 2018-08-13 23:04:10 -07:00
Thomas Patzke
dce4b4825d Fixed aggregations without field name 
Generated query contained field name "None".
 2018-08-10 15:07:07 +02:00
Thomas Patzke
e0b3f91b2a Removed empty line 2018-08-08 23:15:13 +02:00
Thomas Patzke
af9f636199 Removal of backend output classes 
Breaking change: Instead of feeding the output class with the results,
they are now returned as strings (*Backend.generate()) or list
(SigmaCollectionParser.generate()). Users of the library must now take
care of the output to the terminal, files or wherever Sigma rules should
be pushed to.
 2018-08-02 22:41:32 +02:00
Thomas Patzke
1c9d0a176e Moved const_start into class definition 2018-07-28 23:51:33 +02:00
Thomas Patzke
df74460629 Fixed imports after config split 2018-07-27 23:54:18 +02:00
Thomas Patzke
e02af9aa37 Merge config split branches 2018-07-27 23:16:50 +02:00
Thomas Patzke
eb440b3357 Split config - code removal from configuration 2018-07-27 23:02:35 +02:00
Thomas Patzke
36ada66007 Split config - Copy configuration 2018-07-27 23:01:41 +02:00
Thomas Patzke
920c4b061d Split config - code removal from filter 2018-07-27 22:35:30 +02:00
Thomas Patzke
d235a9e017 Split config - Copy filter 2018-07-27 00:23:22 +02:00
Thomas Patzke
50a6a92d20 Split config - code removal from exceptions 2018-07-27 00:17:35 +02:00
Thomas Patzke
405bc4a0d1 Split config - Copy exception 2018-07-27 00:17:13 +02:00
Thomas Patzke
096bc35447 Split config - code removal from mapping 2018-07-27 00:15:14 +02:00
Thomas Patzke
4ffbb25960 Split config - Copy mapping 2018-07-27 00:13:19 +02:00
Thomas Patzke
1c4c67053c Fixes for parser split 
* Fixed imports
* Rename
 2018-07-27 00:02:07 +02:00
Thomas Patzke
88a4a5d36a Merge parser split branches 2018-07-26 23:42:09 +02:00
Thomas Patzke
595327ace4 Split parser - code removal from condition 2018-07-26 23:40:22 +02:00
Thomas Patzke
c8043368bd Split parser - code removal from rule 2018-07-26 22:43:49 +02:00
Thomas Patzke
294ca20350 Split parser - code removal from collection 2018-07-26 22:28:33 +02:00
Thomas Patzke
3a0de01bad Split parser - code removal from base 2018-07-26 22:22:21 +02:00
Thomas Patzke
b9425d13df Split parser - code removal from exceptions 2018-07-26 22:18:21 +02:00
Thomas Patzke
e550bf5c3b Split parser - Copy base 2018-07-26 22:15:04 +02:00
Thomas Patzke
a2329de03c Split parser - Copy rule 2018-07-26 22:07:38 +02:00