Commit Graph

127 Commits

Author SHA1 Message Date
Thomas Patzke
8336929d76 XPack Watcher Backend: Improved aggregation capabilities
* Aggregation with "...count(field)...", "...by field..." and
  combination of both
* Still only count() supported
2018-02-08 22:17:35 +01:00
Thomas Patzke
4762a1cc30 Removed abandoned SigmaAggregationParser.trans_timeframe() method 2018-02-05 23:30:00 +01:00
Thomas Patzke
ec3f0f6d60 Fixed before/after logic
If nothing was generated "None" was printed.
2018-02-01 22:49:02 +01:00
Thomas Patzke
76bdcba71f Added rulecomment option to all single-query output backends
Prints comment with rule before output.
2018-01-27 23:48:10 +01:00
Thomas Patzke
7708a538f4 New PyPI release 2017-12-14 22:40:31 +01:00
Thomas Patzke
fc2dd90aaf Skipping dotfiles 2017-12-14 22:39:51 +01:00
Thomas Patzke
497496fdf1 New release 2017-12-13 00:28:50 +01:00
Thomas Patzke
f3d19f394e Fixed encoding issues
Some OS environments don't use UTF-8 as default encoding. Enforced it
for output files and stdout.
2017-12-13 00:12:56 +01:00
Thomas Patzke
19cc299c57 Added PyPI README 2017-12-09 22:13:25 +01:00
Thomas Patzke
fd7b7bb438 Fixed build
Reference to main README
2017-12-09 08:57:51 +01:00
Thomas Patzke
da9127276c PyPI release documentation 2017-12-09 00:23:34 +01:00
Thomas Patzke
d6526387d3 Renamed PyPI package 2017-12-09 00:15:34 +01:00
Thomas Patzke
d82a78fa3d Finalizing PyPI release
* Removed .py suffix from command line tools
* sigmac tells when it does nothing and prints usage notice
* Makefile upload target
* minor changes
2017-12-08 23:50:08 +01:00
Thomas Patzke
09d40ab2da Finished packaging and refactoring 2017-12-08 22:32:39 +01:00
Thomas Patzke
68d8afe4e6 Intermediate refactoring commit: moving code into package
Further splitting sigma.py into smaller parts.
2017-12-08 21:45:05 +01:00
Thomas Patzke
11f52b981b Merge branch 'lgpl' into packaging 2017-12-08 17:15:23 +01:00
Thomas Patzke
764e064f8c First (untested) packaging 2017-12-08 00:32:41 +01:00
Thomas Patzke
2ce0be1f2d Re-licensing toolchain under LGPLv3
Thanks to Ben de Haan and Devin Ferguson for permission for this change.
2017-12-07 21:55:43 +01:00
Thomas Patzke
3b9ff57a38 Added merge_sigma tool
* Tests
* Restructured Makefile
2017-11-14 22:17:18 +01:00
Thomas Patzke
f478cffb41 Added default index configs for usual ELK setups
* Added test case for defaultindex with kibana backend
2017-11-09 10:05:41 +01:00
Thomas Patzke
46f1ce35a8 sigmac/kibana backend: added index fallback if none determined 2017-11-09 10:02:23 +01:00
Florian Roth
1bea284280 Added Windows Driver Framework log source to configs 2017-11-09 08:42:58 +01:00
Florian Roth
e83e3a0c07 Bugfixes in Splunk config 2017-11-09 08:41:07 +01:00
Thomas Patzke
b03f9359ec sigmac: Added rule filter 2017-11-02 00:02:15 +01:00
Thomas Patzke
732f01878f Sigma rule collection YAML action documents 2017-11-01 00:17:55 +01:00
Thomas Patzke
d0b2bd9875 Multiple rules per file
* New wrapper class SigmaCollectionParser parses all YAML documents
  contained in a file and handles multiple SigmaParser instantiation.
* As an example, extended one security/4688 rule to security/4688 + sysmon/1
2017-10-31 23:06:18 +01:00
Thomas Patzke
5743e25931 Added logging framework 2017-10-31 22:13:20 +01:00
Thomas Patzke
720c992573 Dropped within keyword
Covered by timeframe attribute.

Fixes issue #26.
2017-10-30 00:25:56 +01:00
Thomas Patzke
012cb6227f Added proper handling of null/not null values
Fixes issue #25
2017-10-29 23:57:39 +01:00
Thomas Patzke
5fa9e685b1 Split parts of generate into generateQuery in backend code 2017-10-25 00:03:03 +02:00
Thomas Patzke
6d0e85fcfa Fixed Splunk backend (#50) 2017-10-24 23:48:47 +02:00
Thomas Patzke
65e1f8ec2b Increased test coverage
* more tests
* removed unneeded code
* increased coverage fail threshold
2017-10-23 23:30:44 +02:00
Thomas Patzke
3389656a5b Added ELK default index config 2017-10-23 00:45:33 +02:00
Thomas Patzke
7f93d3ca47 Kibana backend throws exception when multiple indices appear
* Introduced backend errors with handling in sigmac
2017-10-23 00:45:01 +02:00
Thomas Patzke
cb9aeac7d9 Added default index handling
* Removed default index handling from backend code
* Added default indices to config templates
2017-10-23 00:08:39 +02:00
Thomas Patzke
ec996e7353 Improved test coverage 2017-10-19 17:42:56 +02:00
Thomas Patzke
5449a12a14 Added GrepBackend
Moved field quoting/filtering into QuoteCharMixin
2017-10-18 19:03:38 +02:00
Thomas Patzke
54cf9af0c9 Removed ELK Sysmon config
It's contained in ELK Windows config
2017-10-18 15:23:55 +02:00
Thomas Patzke
b8eedfe3f0 Fixes and refactoring of KibanaBackend and XPackWatcherBackend
* Moved unnecessary code out of condition loop
* Index-specific rule name not appended to rulename variable used later
  by other rule/index.
* Merged condition loop
2017-09-30 23:22:05 +02:00
Thomas Patzke
1d314e326e sigmac: MultiRuleOutputMixin
* Moved rule name generation into mixin
* KibanaBackend and XPackWatcherBackend now use this mixin instead of
  doing the same thing in both classes.
2017-09-30 01:03:08 +02:00
Thomas Patzke
b47e3e45a8 Merge branch 'devel-sigmac' 2017-09-22 00:31:22 +02:00
Thomas Patzke
d410adb397 sigmac: X-Pack Watcher backend improvements
* Renamed backend class according to convention
* Output types: curl (default) and plain
* Prefix of rule names
* Indices from configuration
* Support for multiple conditions per rule
* Usage of parsed condition
* Support for all condition operators
* Fixed bug preventing multiple options from being passed to backend
* Added to CI tests
2017-09-22 00:28:35 +02:00
Thomas Patzke
62eb3b2923 Merge branch 'devel-sigmac' of https://github.com/megadevx/sigma into devel-sigmac-watcher 2017-09-19 23:08:04 +02:00
Thomas Patzke
545e05370f Added first config for logstash-linux project
URL: https://github.com/thomaspatzke/logstash-linux
2017-09-17 00:36:04 +02:00
Thomas Patzke
a18b8eca52 sigmac: changed backend description for kibana backend 2017-09-17 00:31:25 +02:00
Thomas Patzke
270ab9ba78 Added backend options
* generic support for backend-specific options
* kibana backend option for title prefix
2017-09-16 23:46:40 +02:00
Thomas Patzke
c8a66e48b6 sigmac: improved Kibana backend
* added fields from rules
* default index if none is matching
2017-09-16 00:39:37 +02:00
Thomas Patzke
d3201229b0 sigmac: Fixed matching of log sources between rules and configuration 2017-09-16 00:32:31 +02:00
devife
9bc8e12a4f Created an X-Pack Watcher output.
This has only been tested slightly.
2017-09-15 09:49:57 -05:00
devife
135e389334 Created an X-Pack Watcher output.
This has only been tested slightly.
2017-09-15 09:46:37 -05:00