Thomas Patzke
805c739611
Merge branch 'devel-modifiers'
2019-07-31 23:44:10 +02:00
Thomas Patzke
31c6ffcb61
No escaping for typed values
2019-07-31 23:43:29 +02:00
Thomas Patzke
8a3117d73e
Nested list handling for chained value modifiers
2019-07-16 23:03:19 +02:00
Thomas Patzke
6881967889
Further modifiers
...
* base64
* base64offset
2019-07-16 00:00:35 +02:00
Thomas Patzke
1bb29dca26
Implemented type modifiers and regular expressions
2019-07-15 22:52:10 +02:00
Thomas Patzke
5489f870cc
Merge pull request #393 from HacknowledgeCH/master
...
Explicit OR for list elements
2019-07-13 23:11:44 +02:00
Thomas Patzke
134bfebe57
Ignore "timeframe" detection keyword in "all/any of" conditions
...
Fixes #395
2019-07-13 00:35:35 +02:00
christophetd
576912eb7a
Support OR queries for Elasticsearch 6 and above
2019-07-08 17:12:53 +02:00
Florian Roth
f7ba2b3976
fix: bug in sumologic backend with 'null' values
2019-07-02 22:31:10 +02:00
Thomas Patzke
337681cfce
Value modifiers
...
* First transformation modfiers: contains, all
* Sigma converter modifier list
2019-06-30 23:41:28 +02:00
Thomas Patzke
6fab5d7f23
Improved testing and removed dead&debug code
2019-06-29 00:09:53 +02:00
Thomas Patzke
377872c91e
Merge branch 'devel-sumo' of https://github.com/juju4/sigma into juju4-devel-sumo
2019-06-28 23:39:15 +02:00
Thomas Patzke
0c7151c901
Watcher backend default options, refactoring and testing
2019-06-28 23:22:16 +02:00
Adrian Constantin Stanila
feac0be8a4
Added 2 more actions on Elasticsearch X-pack Watcher: index and webhook
...
Added timestamp filter query.
2019-06-27 08:54:59 +03:00
juju4
654a009c9e
sumologic backend: remove TypeError
2019-06-22 16:49:46 -04:00
juju4
559d0f4ba8
sumologic backend: force as string
2019-06-22 16:43:50 -04:00
juju4
2df0e9765c
sumologic backend: pycodestyle review - E501
2019-06-22 16:41:57 -04:00
juju4
49533a5909
sumologic backend: pycodestyle review
2019-06-22 16:39:13 -04:00
juju4
84de12635e
self.debug option, fix multiple keyvalue escapings/cleanValue, inline index for now
2019-06-22 16:19:45 -04:00
juju4
a11d800353
Merge branch 'master' into devel-sumo
2019-06-22 09:18:23 -04:00
Thomas Patzke
673973e523
Merge pull request #357 from agix/es_dsl_bug
...
fix missing condition when unique plus timeframe
2019-05-30 22:42:09 +02:00
Thomas Patzke
8023011bb1
Merge branch 'elastalert_dsl_backend' of https://github.com/agix/sigma into agix-elastalert_dsl_backend
2019-05-30 22:33:57 +02:00
Florian GAULTIER
89c1d7b63d
Wrong fix, self.queries should be emptied after copied to rule_object
2019-05-29 16:10:14 +02:00
Florian GAULTIER
748ac2e206
Dont combine multiple queries
2019-05-29 16:05:53 +02:00
Thomas Patzke
04d91573f3
Merge pull request #355 from agix/allow_empty_keyword
...
Allow empty keyword_field
2019-05-28 21:45:55 +02:00
Thomas Patzke
2ecc55c13f
Merge pull request #351 from ipninichuck/master
...
added metadata field to the watcher alert
2019-05-28 21:42:27 +02:00
Florian GAULTIER
d866e75750
Be sure there is a key in the single condition
2019-05-27 17:27:16 +02:00
Florian GAULTIER
e8a7c5f7b9
fix missing condition when unique plus timeframe
2019-05-27 17:22:28 +02:00
Florian GAULTIER
6bf010fb4b
introduce elastalert-dsl
...
(cherry picked from commit 0235ec23200e62766d9f21fbd26ed834991a0b61)
2019-05-27 17:18:19 +02:00
Florian GAULTIER
4168c0ec64
Allow empty keyword_field
2019-05-27 15:08:33 +02:00
Thomas Patzke
eb9564557e
Moved generic class discovery code into new tools module
2019-05-26 22:29:07 +02:00
Thomas Patzke
84690280c5
Improved behavior on missing configuration
...
Listing all configus usable with chosen backend
2019-05-24 22:41:47 +02:00
ipninichuck
75ec169d5c
added metadata field to the watcher alert
...
While utilizing Kibana to track watches directly from the watch index it became quickly apparent that useful metadata was not available. In my project's case it was the title, description and tags from the sigma rule. By adding them to the metadata field it makes it easier to utilize them in visualizations of the watches themselves. In the future perhaps the contents of the metadata field could be given as an option for each user.
2019-05-22 04:30:47 -07:00
Thomas Patzke
194afa739f
Generate rule name for each condition
...
In backends kibana and xpack-watcher.
Fixes #329
2019-05-21 00:36:19 +02:00
Thomas Patzke
af0bd1b082
Removed debug code from backend option handling
...
Additionally: code simplification
2019-05-21 00:21:52 +02:00
Thomas Patzke
7e163d71eb
Added option to use old URL in xpack-watcher backend
2019-05-21 00:01:21 +02:00
Thomas Patzke
4e63e925cf
Merge branch 'patch-1' of https://github.com/lliknart/sigma into lliknart-patch-1
2019-05-20 23:43:49 +02:00
Thomas Patzke
e271484eef
Load configurations via new config management
2019-05-20 00:27:35 +02:00
Thomas Patzke
3d20e0bc98
Sigma configuration management with listing
...
Missing:
* Use config by identifier
2019-05-17 09:13:59 +02:00
Thomas Patzke
71ff6bd943
Catch type errors in configuration handling
2019-05-16 23:34:44 +02:00
lliknart
f86342012a
Update elasticsearch.py
...
From ElasticSearch 7.0, the URI to access to Watcher API changes
Deprecation: [PUT /_xpack/watcher/watch/{id}] is deprecated! Use [PUT /_watcher/watch/{id}] instead.
2019-05-16 16:17:57 +02:00
Florian Roth
a6d2a5d79b
fix: more general fixes of the var type issue
2019-05-15 21:25:53 +02:00
Florian Roth
9f1bbb0a0d
fix: missing type check in WDATP backend
2019-05-15 21:20:20 +02:00
Thomas Patzke
526468bec3
Merge pull request #298 from christophetd/elastalert-allow-rules-without-http-post-url
...
Allow generating Elastalert rules with the http_post alert type without specifying a URL at generation time
2019-05-10 00:31:33 +02:00
Thomas Patzke
a361664ed2
Merge pull request #318 from HacknowledgeCH/es-qs-not-parenthesis-fix
...
Correct parenthesization for NOT expressions in the ES-QS backend
2019-05-10 00:14:29 +02:00
Thomas Patzke
eb022f3908
Conditional field mapping for null values
...
Fixes #326
2019-04-25 23:24:05 +02:00
Thomas Patzke
cfb4f32651
Backend es-dsl tolerates rules without title and log source
2019-04-25 22:41:31 +02:00
Thomas Patzke
6918784e87
Configuration order checking
2019-04-23 00:54:10 +02:00
Thomas Patzke
d0bd8a2a41
Mandatory configuration for most backends
2019-04-22 23:40:21 +02:00
christophetd
4e16bbafa8
Correct parenthesization for NOT expressions in the ES-QS backend
2019-04-16 10:30:18 +02:00