Thomas Patzke
776b58b594
Improved Splunk Zeek configuration
2020-02-21 22:31:14 +01:00
Thomas Patzke
48d95f027c
Merge branch 'oscd'
2020-02-20 23:11:57 +01:00
james dickenson
1347e5060f
logsource config for zeek events in splunk
2020-02-12 21:24:03 -08:00
Thomas Patzke
d7bd90cb24
Merge branch 'master' into oscd
2020-02-03 23:13:16 +01:00
neu5ron
d8b703462d
fix name of network_initiated
2020-01-13 00:12:04 -05:00
Thomas Patzke
8d6a507ec4
OSCD QA wave 1
...
* Checked all rules against Mordor and EVTX samples datasets
* Added field names
* Some severity adjustments
* Fixes
2020-01-11 00:11:27 +01:00
Thomas Patzke
b701e9be50
Added ECS proxy configuration
2019-12-09 16:34:07 +01:00
Thomas Patzke
991108e64d
Further proxy field name fixes (config + rules)
2019-12-07 00:23:30 +01:00
Florian Roth
e2628d6df6
fix: wrong mapping on thor.cfg
2019-11-11 09:20:20 +01:00
Florian Roth
a0beda240c
fix: fixed wrong field mapping in windows-audit source config
2019-11-09 22:42:00 +01:00
Maxime Lamothe-Brassard
2873e1ded3
Small refactors to make more readable and remove deprecated code paths to increase coverage.
2019-10-28 10:49:05 -05:00
Maxime Lamothe-Brassard
823d86c7d9
Remove unimplemented config entries and fix bug with valueNode.
2019-10-26 15:54:08 -05:00
Maxime Lamothe-Brassard
bba43c7a86
First draft of support for LimaCharlie D&R rules.
2019-10-26 15:45:48 -05:00
neu5ron
a729cc7905
create winlogbeat config/taxonomy specific to elastic enabled winlogbeat modules such as the one for sysmon (https://github.com/elastic/beats/blob/master/x-pack/winlogbeat/module/security/config/winlogbeat-security.js) sigmac conversion
2019-10-01 10:16:42 -04:00
neu5ron
f7fd936433
update HELK config taxonomy/mapping for sigmac conversion
2019-10-01 10:14:54 -04:00
ecco
4c5eab88b6
add GroupSid to other configs
2019-09-11 04:53:30 -04:00
ecco
5ae46ac56d
rule: user added to local administrator: handle non-English systems by using group sid instead of name
2019-09-06 06:21:42 -04:00
Thomas Patzke
de5e2045f0
Merge pull request #428 from stevengoossensB/master
...
AQL field selection from signatures
2019-09-05 10:28:02 +02:00
Thomas Patzke
37e179b6a7
Merge pull request #390 from juju4/devel-sumo2
...
sumologic backend: fix index and full mapping coverage
2019-09-05 10:27:19 +02:00
Steven Goossens
cb088e4911
Remove quotes from around the fields to make the query semantically correct
2019-08-26 12:43:26 +00:00
Steven Goossens
ad19f05e2c
Include mapped names rather than signature names
2019-08-26 12:06:20 +00:00
svent
826c1e3942
Fix QRadar backend config
2019-08-12 23:47:43 +02:00
Thomas Patzke
b9ff280209
Cleanup of configuration names
2019-07-14 00:50:15 +02:00
juju4
10290beb54
config/sumologic: more index mappings
2019-07-06 12:42:12 -04:00
juju4
7b0cace217
config/sumologic: more index mappings
2019-07-06 12:42:05 -04:00
Thomas Patzke
161965d14c
Added version information to Winlogbeat configs
2019-06-30 22:44:12 +02:00
herrBez
74021d53d8
Modified winlogbeat config to adhere to winlogbeat 7 field names breaking changes
...
ref: https://www.elastic.co/guide/en/beats/libbeat/current/breaking-changes-7.0.html
2019-06-30 12:13:21 +02:00
Thomas Patzke
f4da0c5540
Added field SecurityID to Winlogbeat config
2019-06-19 23:35:50 +02:00
David Vassallo
fdce7ad9bf
Addition of KeyLength field
2019-06-14 17:58:47 +03:00
Thomas Patzke
5715413da9
Usage of Channel field name in ELK Windows config
2019-06-11 13:15:43 +02:00
Florian GAULTIER
6bf010fb4b
introduce elastalert-dsl
...
(cherry picked from commit 0235ec23200e62766d9f21fbd26ed834991a0b61)
2019-05-27 17:18:19 +02:00
Thomas Patzke
11ed7e7ef8
Check for valid configuration/backend combinations
2019-05-20 01:00:33 +02:00
Thomas Patzke
36aeb19721
Added title to all configurations
2019-05-16 23:33:51 +02:00
Codehardt
8cf505fcb3
Accidentally removed windows-dhcp logsource in spark's config file
2019-04-25 08:23:48 +02:00
Codehardt
79f7edb6b4
Added logsources for generic sigma rules to spark config, renamed spark config to thor config
2019-04-25 08:15:50 +02:00
Thomas Patzke
6918784e87
Configuration order checking
2019-04-23 00:54:10 +02:00
Thomas Patzke
c922f7d73f
Merge branch 'master' into project-1
2019-02-26 00:24:46 +01:00
Florian Roth
004497075d
fix: spark source config bug
2019-02-12 23:27:38 +01:00
neu5ron
046510f021
updated HELK Destination IP name
2019-02-05 13:11:06 -05:00
Florian Roth
a276d3083d
DHCP log source in sigmac configs
2019-02-05 14:35:23 +01:00
Thomas Patzke
516bfc88ff
Added rule: RDP login from localhost
2019-01-28 22:43:22 +01:00
Thomas Patzke
3eaf83cf5a
Improved configurations
...
Added Security/4688 field mappings
2019-01-16 23:37:18 +01:00
Thomas Patzke
ba64f485ac
Added generic Windows audit log configuration
2019-01-16 22:41:42 +01:00
Thomas Patzke
a9cf14438c
Merge branch 'master' into project-1
2019-01-14 22:36:15 +01:00
Thomas Patzke
5cba0b9946
Merge pull request #223 from m0jtaba/master
...
extending the qradar backend to allow for timeframe query
2019-01-13 23:55:55 +01:00
Mo Amiri
aa37ef2559
extending the qradar backend to allow for timeframe query
2019-01-11 03:33:49 +00:00
Adrien Vergé
44f18db80d
Fix YAML errors reported by yamllint
...
Especially the config for ArcSight, that was invalid:
tools/config/arcsight.yml
89:5 error duplication of key "product" in mapping (key-duplicates)
90:5 error duplication of key "conditions" in mapping (key-duplicates)
rules/windows/builtin/win_susp_commands_recon_activity.yml
10:9 error too many spaces after colon (colons)
2019-01-10 09:51:39 +01:00
Roberto Rodriguez
a0486edeea
Field-Index Mapping File & SIGMA Rules Field names fix
...
+ Updated HELK field-index mapping file
+ After going through all the fields with 'fieldlist' output, I found a few rules that I fixed.
2018-12-11 09:27:26 +03:00
Thomas Patzke
68866433e8
Merge branch 'juju4-devel-sumo'
2018-12-10 22:37:58 +01:00
Thomas Patzke
4175d0cdd5
Fixed config and added index field
...
* Added index field _index to backend implementation
* Fixed index values in config
2018-12-10 22:37:39 +01:00