272 Commits

Author	SHA1	Message	Date
Maxime Lamothe-Brassard	8d866b0868	Adding comments.	2019-10-26 17:37:13 -05:00
Maxime Lamothe-Brassard	bc5e9bd03a	Making rule output a full D&R (with the Response component) and includes a lot of metadata from the rule in the report.	2019-10-26 17:30:40 -05:00
Maxime Lamothe-Brassard	8cc3990aef	Extending support for more random rules with odd names.	2019-10-26 16:59:33 -05:00
Maxime Lamothe-Brassard	4d65b62063	Adding support for generating rules for Windows builtin category for use in the External Logs of LC.	2019-10-26 16:30:50 -05:00
Maxime Lamothe-Brassard	30cc7ee809	Refactor mappings into a flat structure to account for missing parameters in some combinations.	2019-10-26 16:09:39 -05:00
Maxime Lamothe-Brassard	77329714c5	Adding service to indirection of mappings since it will be used for Windows Event Logs.	2019-10-26 16:06:42 -05:00
Maxime Lamothe-Brassard	823d86c7d9	Remove unimplemented config entries and fix bug with valueNode.	2019-10-26 15:54:08 -05:00
Maxime Lamothe-Brassard	bba43c7a86	First draft of support for LimaCharlie D&R rules.	2019-10-26 15:45:48 -05:00
Thomas Patzke	30948b9c1a	Added sigma-similarity tool ... Fixed also bug in backend base class that was triggered by the way backends are used by this tool.	2019-10-25 21:59:03 +02:00
Thomas Patzke	fc276612b6	Added encoding modifiers	2019-10-16 23:52:06 +02:00
Steven Goossens	6a1a96a918	Implement mapping when selecting the fields for the AQL query. This was not being done correctly	2019-10-16 16:37:09 +02:00
Steven Goossens	2837d3ba74	Added the cleanValue function for Qradar	2019-10-16 10:27:24 +02:00
Thomas Patzke	849a5a520d	Conditional field mapping resolve_fieldname now functional ... Before this method just had some placeholder function that wasn't really implementing the intended functionality of the conditional field mapping. Now aggregations get also conditional field mapping functionality.	2019-10-09 23:57:41 +02:00
Thomas Patzke	d4f89ebc1c	Aggregation on keyword field in es-dsl backend ... * Fixes #452 * Further fixed reference to count in restriction of results	2019-09-29 23:18:17 +02:00
Thomas Patzke	19f431b6d2	Changed xpack-watcher dateField default to previous value	2019-09-12 00:19:58 +02:00
herrBez	8f612f743c	Use config dateField in xpack watcher to determine ... datefield name as in elasticsearch dsl backend	2019-09-11 09:38:03 +02:00
Thomas Patzke	c80cb418cd	Improved QRadar regular expression support	2019-09-05 15:35:26 +02:00
Thomas Patzke	30b6db8299	Fixed ES backend keyword field mapping wildcard match pattern	2019-09-05 12:55:10 +02:00
Thomas Patzke	3b1cbe529e	Elasticsearch keyword field name blacklisting with wildcards	2019-09-05 12:38:32 +02:00
Thomas Patzke	2a60c71b9d	Merge pull request #437 from svent/qradar_regex_modifier ... QRadar backend: add support for re type modifiers	2019-09-05 10:30:18 +02:00
Thomas Patzke	de5e2045f0	Merge pull request #428 from stevengoossensB/master ... AQL field selection from signatures	2019-09-05 10:28:02 +02:00
Thomas Patzke	37e179b6a7	Merge pull request #390 from juju4/devel-sumo2 ... sumologic backend: fix index and full mapping coverage	2019-09-05 10:27:19 +02:00
svent	467c8f694c	QRadar backend: add support for re type modifiers	2019-09-03 22:55:48 +02:00
Steven Goossens	37caccd52e	Includes the trial condition so generic query is generated whenever the fields are not defined	2019-08-26 11:48:40 +00:00
Steven Goossens	895682aef2	Implementing the fields to be selected	2019-08-26 10:57:43 +00:00
agold	0984293d0c	Support for Malicious cmdlets in ATP	2019-08-20 14:33:08 -07:00
svent	1ea6d00a39	Fix QRadar field name escaping and handling	2019-08-12 23:47:43 +02:00
Michiel Meersmans	0708fdd28e	Correctly escape slashes within es-dsl wildcard queries	2019-08-07 12:56:19 +02:00
Florian Roth	9c85d5e80f	Merge pull request #406 from tuckner/master ... Fix ala parsing issues	2019-08-06 10:28:07 +02:00
Thomas Patzke	805c739611	Merge branch 'devel-modifiers'	2019-07-31 23:44:10 +02:00
Thomas Patzke	31c6ffcb61	No escaping for typed values	2019-07-31 23:43:29 +02:00
tuckner	8f2f1922c6	Merge pull request #1 from Neo23x0/master ... update fork	2019-07-27 21:27:52 -05:00
Thomas Patzke	8a3117d73e	Nested list handling for chained value modifiers	2019-07-16 23:03:19 +02:00
Thomas Patzke	6881967889	Further modifiers ... * base64 * base64offset	2019-07-16 00:00:35 +02:00
Thomas Patzke	1bb29dca26	Implemented type modifiers and regular expressions	2019-07-15 22:52:10 +02:00
Thomas Patzke	5489f870cc	Merge pull request #393 from HacknowledgeCH/master ... Explicit OR for list elements	2019-07-13 23:11:44 +02:00
Thomas Patzke	134bfebe57	Ignore "timeframe" detection keyword in "all/any of" conditions ... Fixes #395	2019-07-13 00:35:35 +02:00
christophetd	576912eb7a	Support OR queries for Elasticsearch 6 and above	2019-07-08 17:12:53 +02:00
juju4	2b5a77db53	add sumologic _sourceCategory and _view in aFL	2019-07-06 12:41:56 -04:00
juju4	b358d38e68	_index in aFL and mappings working!	2019-07-06 12:41:40 -04:00
Florian Roth	f7ba2b3976	fix: bug in sumologic backend with 'null' values	2019-07-02 22:31:10 +02:00
Thomas Patzke	337681cfce	Value modifiers ... * First transformation modfiers: contains, all * Sigma converter modifier list	2019-06-30 23:41:28 +02:00
Thomas Patzke	6fab5d7f23	Improved testing and removed dead&debug code	2019-06-29 00:09:53 +02:00
Thomas Patzke	377872c91e	Merge branch 'devel-sumo' of https://github.com/juju4/sigma into juju4-devel-sumo	2019-06-28 23:39:15 +02:00
Thomas Patzke	0c7151c901	Watcher backend default options, refactoring and testing	2019-06-28 23:22:16 +02:00
Adrian Constantin Stanila	feac0be8a4	Added 2 more actions on Elasticsearch X-pack Watcher: index and webhook ... Added timestamp filter query.	2019-06-27 08:54:59 +03:00
juju4	654a009c9e	sumologic backend: remove TypeError	2019-06-22 16:49:46 -04:00
juju4	559d0f4ba8	sumologic backend: force as string	2019-06-22 16:43:50 -04:00
juju4	2df0e9765c	sumologic backend: pycodestyle review - E501	2019-06-22 16:41:57 -04:00
juju4	49533a5909	sumologic backend: pycodestyle review	2019-06-22 16:39:13 -04:00