Commit Graph

239 Commits

Author SHA1 Message Date
Thomas Patzke
805c739611 Merge branch 'devel-modifiers' 2019-07-31 23:44:10 +02:00
Thomas Patzke
31c6ffcb61 No escaping for typed values 2019-07-31 23:43:29 +02:00
Thomas Patzke
8a3117d73e Nested list handling for chained value modifiers 2019-07-16 23:03:19 +02:00
Thomas Patzke
6881967889 Further modifiers
* base64
* base64offset
2019-07-16 00:00:35 +02:00
Thomas Patzke
1bb29dca26 Implemented type modifiers and regular expressions 2019-07-15 22:52:10 +02:00
Thomas Patzke
5489f870cc
Merge pull request #393 from HacknowledgeCH/master
Explicit OR for list elements
2019-07-13 23:11:44 +02:00
Thomas Patzke
134bfebe57 Ignore "timeframe" detection keyword in "all/any of" conditions
Fixes #395
2019-07-13 00:35:35 +02:00
christophetd
576912eb7a Support OR queries for Elasticsearch 6 and above 2019-07-08 17:12:53 +02:00
Florian Roth
f7ba2b3976 fix: bug in sumologic backend with 'null' values 2019-07-02 22:31:10 +02:00
Thomas Patzke
337681cfce Value modifiers
* First transformation modfiers: contains, all
* Sigma converter modifier list
2019-06-30 23:41:28 +02:00
Thomas Patzke
6fab5d7f23 Improved testing and removed dead&debug code 2019-06-29 00:09:53 +02:00
Thomas Patzke
377872c91e Merge branch 'devel-sumo' of https://github.com/juju4/sigma into juju4-devel-sumo 2019-06-28 23:39:15 +02:00
Thomas Patzke
0c7151c901 Watcher backend default options, refactoring and testing 2019-06-28 23:22:16 +02:00
Adrian Constantin Stanila
feac0be8a4 Added 2 more actions on Elasticsearch X-pack Watcher: index and webhook
Added timestamp filter query.
2019-06-27 08:54:59 +03:00
juju4
654a009c9e sumologic backend: remove TypeError 2019-06-22 16:49:46 -04:00
juju4
559d0f4ba8 sumologic backend: force as string 2019-06-22 16:43:50 -04:00
juju4
2df0e9765c sumologic backend: pycodestyle review - E501 2019-06-22 16:41:57 -04:00
juju4
49533a5909 sumologic backend: pycodestyle review 2019-06-22 16:39:13 -04:00
juju4
84de12635e self.debug option, fix multiple keyvalue escapings/cleanValue, inline index for now 2019-06-22 16:19:45 -04:00
juju4
a11d800353 Merge branch 'master' into devel-sumo 2019-06-22 09:18:23 -04:00
Thomas Patzke
673973e523
Merge pull request #357 from agix/es_dsl_bug
fix missing condition when unique plus timeframe
2019-05-30 22:42:09 +02:00
Thomas Patzke
8023011bb1 Merge branch 'elastalert_dsl_backend' of https://github.com/agix/sigma into agix-elastalert_dsl_backend 2019-05-30 22:33:57 +02:00
Florian GAULTIER
89c1d7b63d Wrong fix, self.queries should be emptied after copied to rule_object 2019-05-29 16:10:14 +02:00
Florian GAULTIER
748ac2e206 Dont combine multiple queries 2019-05-29 16:05:53 +02:00
Thomas Patzke
04d91573f3
Merge pull request #355 from agix/allow_empty_keyword
Allow empty keyword_field
2019-05-28 21:45:55 +02:00
Thomas Patzke
2ecc55c13f
Merge pull request #351 from ipninichuck/master
added metadata field to the watcher alert
2019-05-28 21:42:27 +02:00
Florian GAULTIER
d866e75750 Be sure there is a key in the single condition 2019-05-27 17:27:16 +02:00
Florian GAULTIER
e8a7c5f7b9 fix missing condition when unique plus timeframe 2019-05-27 17:22:28 +02:00
Florian GAULTIER
6bf010fb4b introduce elastalert-dsl
(cherry picked from commit 0235ec23200e62766d9f21fbd26ed834991a0b61)
2019-05-27 17:18:19 +02:00
Florian GAULTIER
4168c0ec64 Allow empty keyword_field 2019-05-27 15:08:33 +02:00
Thomas Patzke
eb9564557e Moved generic class discovery code into new tools module 2019-05-26 22:29:07 +02:00
Thomas Patzke
84690280c5 Improved behavior on missing configuration
Listing all configus usable with chosen backend
2019-05-24 22:41:47 +02:00
ipninichuck
75ec169d5c
added metadata field to the watcher alert
While utilizing Kibana to track watches directly from the watch index it became quickly apparent that useful metadata was not available. In my project's case it was the title, description and tags from the sigma rule. By adding them to the metadata field it makes it easier to utilize them in visualizations of the watches themselves. In the future perhaps the contents of the metadata field could be given as an option for each user.
2019-05-22 04:30:47 -07:00
Thomas Patzke
194afa739f Generate rule name for each condition
In backends kibana and xpack-watcher.

Fixes #329
2019-05-21 00:36:19 +02:00
Thomas Patzke
af0bd1b082 Removed debug code from backend option handling
Additionally: code simplification
2019-05-21 00:21:52 +02:00
Thomas Patzke
7e163d71eb Added option to use old URL in xpack-watcher backend 2019-05-21 00:01:21 +02:00
Thomas Patzke
4e63e925cf Merge branch 'patch-1' of https://github.com/lliknart/sigma into lliknart-patch-1 2019-05-20 23:43:49 +02:00
Thomas Patzke
e271484eef Load configurations via new config management 2019-05-20 00:27:35 +02:00
Thomas Patzke
3d20e0bc98 Sigma configuration management with listing
Missing:
* Use config by identifier
2019-05-17 09:13:59 +02:00
Thomas Patzke
71ff6bd943 Catch type errors in configuration handling 2019-05-16 23:34:44 +02:00
lliknart
f86342012a
Update elasticsearch.py
From ElasticSearch 7.0, the URI to access to Watcher API changes

Deprecation: [PUT /_xpack/watcher/watch/{id}] is deprecated! Use [PUT /_watcher/watch/{id}] instead.
2019-05-16 16:17:57 +02:00
Florian Roth
a6d2a5d79b fix: more general fixes of the var type issue 2019-05-15 21:25:53 +02:00
Florian Roth
9f1bbb0a0d fix: missing type check in WDATP backend 2019-05-15 21:20:20 +02:00
Thomas Patzke
526468bec3
Merge pull request #298 from christophetd/elastalert-allow-rules-without-http-post-url
Allow generating Elastalert rules with the http_post alert type without specifying a URL at generation time
2019-05-10 00:31:33 +02:00
Thomas Patzke
a361664ed2
Merge pull request #318 from HacknowledgeCH/es-qs-not-parenthesis-fix
Correct parenthesization for NOT expressions in the ES-QS backend
2019-05-10 00:14:29 +02:00
Thomas Patzke
eb022f3908 Conditional field mapping for null values
Fixes #326
2019-04-25 23:24:05 +02:00
Thomas Patzke
cfb4f32651 Backend es-dsl tolerates rules without title and log source 2019-04-25 22:41:31 +02:00
Thomas Patzke
6918784e87 Configuration order checking 2019-04-23 00:54:10 +02:00
Thomas Patzke
d0bd8a2a41 Mandatory configuration for most backends 2019-04-22 23:40:21 +02:00
christophetd
4e16bbafa8 Correct parenthesization for NOT expressions in the ES-QS backend 2019-04-16 10:30:18 +02:00