valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
6,228 Commits 20 Branches 25 Tags 21 MiB
90a21d954a
Commit Graph

215 Commits

Author SHA1 Message Date
V1D1AN
56e3a6aaf3
Update ecs-zeek-elastic-beats-implementation.yml 2021-05-16 22:53:25 +02:00
JohnConnorRF
1574d263cc Updated Winlogbeat Modules config based on: 048c3cc19b/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js (L171-L178) 2021-05-05 10:25:36 -04:00
John Connor McLaughlin
3926e2388f Added ScriptBlockText as a field for winlogbeat configs as per https://www.elastic.co/guide/en/beats/winlogbeat/master/exported-fields-winlog.html 2021-05-04 15:23:47 -04:00
Florian Roth
2f12c5c540 fix: too broad definition of *.log on linux 2021-05-03 17:04:55 +02:00
Max Altgelt
7c8cca744f
chore: Revert log file changes for THOR sigma configuration 
Revert recent changes for Windows / Linux .log files for THOR
because of massive performance impacts.
 2021-04-28 17:48:17 +02:00
Max Altgelt
de2cedf213
fix: Distinguish Windows and Linux logfiles by path separator 
A previous commit added a log source detailing *.log files with
product: linux. This caused linux specific Sigma rules to apply to
all *.log file, including those on Windows. To distinguish these
cases, expand the file path pattern to include the typical start
for unix / windows paths ( / vs [A-Z]:\ )
 2021-04-28 11:45:19 +02:00
Florian Roth
d24f0b8988 feat: generic registry events compatible with native audit logging 2021-04-26 09:31:36 +02:00
Florian Roth
66d0f910dd feat: windows native events - registry_event 2021-04-25 22:35:23 +02:00
Florian Roth
08234c4620 Revert "fix: splunk for windows config errors" 
This reverts commit 13347df263.
 2021-04-25 21:52:29 +02:00
Florian Roth
d766c12888 feat: generic categories - thor config 2021-04-23 17:47:09 +02:00
Florian Roth
c7ce9154d1
Merge pull request #1030 from stevengoossensB/master 
Updated sysmon config and rewrite rules to use categories
 2021-04-23 16:52:25 +02:00
phantinuss
95fa99b4a3
search generic log files for product: linux 2021-04-23 12:00:48 +02:00
Florian Roth
13347df263 fix: splunk for windows config errors 2021-04-23 09:50:13 +02:00
Steven
7b679cc1f7 - Modified rules to use categories instead of hardcoded event IDs 
- Added file_delete category (Sysmon Event ID 23) to the generic translation file
 2021-04-15 01:40:31 +02:00
Steven
850a002840 Merge branch 'master' of https://github.com/SigmaHQ/sigma 2021-04-15 01:25:48 +02:00
Thomas Patzke
5118be6bf6
Merge pull request #1407 from JohnConnorRF/winlogbeat_config_update 
Update winlogbeat configuration file to support File Product details
 2021-04-06 00:51:27 +02:00
JohnConnorRF
477f05c5f2 Added in Product entry for winlogbeat-old 2021-04-01 09:24:24 -04:00
JohnConnorRF
1f3ee87e55 Added Product field to winlogbeat-modules-enabled.config. Note that the ECS details for Process do not include Product (https://www.elastic.co/guide/en/ecs/1.4/ecs-process.html) so winlog.event_data.Product was used instead of process.Product 2021-04-01 09:19:21 -04:00
JohnConnorRF
3fd396f4db Updated winlogbeat configuration file to support File Product details 2021-03-30 13:21:14 -04:00
Joshua Roys
30ab2aad75 Map CommandLine appropriately 
Args is an array of the exploded command line and causes many rules to misfire.
 2021-03-30 10:15:10 -04:00
Florian Roth
7d7dd4cb67 fix: missing index field in FE helix config 2021-03-20 09:09:45 +01:00
Florian Roth
8b145e20e4 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-03-20 09:04:40 +01:00
Florian Roth
58a1ab9817 fix: wrong indentation in fireeye helix mapping 2021-03-20 09:04:38 +01:00
Florian Roth
e47ee24889
Merge branch 'master' into rule-devel 2021-03-20 08:52:55 +01:00
Florian Roth
9e287a1b89 feat: MSExchange Management log mapping 2021-03-20 08:49:59 +01:00
Florian Roth
1fc408bfaa fix: duplicate field values in YAML configs 2021-03-20 08:49:43 +01:00
Florian Roth
6ac6b9295b
Merge pull request #1392 from hustlibraco/patch-1 
Update winlogbeat.yml
 2021-03-20 08:28:35 +01:00
Codehardt
6d626456f2 fix: syntax error in THOR's config file 2021-03-17 11:49:50 +01:00
libraco
3c5624ca88
Update winlogbeat.yml 
add `SAMAccountName: winlog.event_data.SamAccountName` mapping for rules/windows/builtin/win_vul_cve_2020_1472.yml
 2021-03-15 23:54:28 +08:00
libraco
2971a08734
Update winlogbeat.yml 
add AccessList mapping of winlogbeat for rules/windows/builtin/win_susp_lsass_dump_generic.yml.
 2021-03-15 23:01:07 +08:00
Thomas Patzke
c13f3f1383
Merge pull request #1325 from dennispo/align-simac-stixshifter 
sigmac to STIX enhancements
 2021-03-13 18:49:12 +01:00
vh
7eeed68fb4 Chronicle Security Backend contributed by SOC Prime. 2021-03-12 12:21:44 +02:00
Dennis Potashnik
12cc2cade1 Moved references to binary file from custom config to stix-2.0 config 2021-03-02 12:04:22 +02:00
Dennis Potashnik
e12d710ab4 Fixed config typo 2021-03-02 11:51:46 +02:00
jaegeral
e1f43f17c2 fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00
Dennis Potashnik
563fd3c7e2 Fixed error mapping for stix-shifter configuration 2021-02-08 17:55:03 +02:00
Dennis Potashnik
08ee6d7f1f deleted missed file 2021-02-08 11:44:00 +02:00
Dennis Potashnik
2b917d6f97 Merge branch 'align-sigmac-stixshifter' into align-simac-stixshifter 2021-02-08 11:40:47 +02:00
Dennis Potashnik
08c8db25e9 New configuration layout: stix2.0 for basic stix mapings, stix-shifter to match the OCA stix-shifter mappings and stix-custom for the unsupported mappings 2021-02-08 10:56:31 +02:00
Florian Roth
11c216629b fix: thor sources for applocker with wrong prefix 2021-01-07 12:27:37 +01:00
Dennis Potashnik
70d14b46ef Aligning with newer stix-shifter version 2021-01-05 15:13:36 +02:00
maravedi
fa6f75f07e
Update sumologic.yml 
The commit from vihreb on October 6, 2020 (51df5ad876) removed some items from the allowed fields list for the sumologic backend (51df5ad876/tools/sigma/backends/sumologic.py (L161)) with the expectation that they are included in the sumologic config, however the default sumologic config does not reflect that change. This breaks the parsing of maps from rules. For example, when trying to run sigmac on a rule with multiple EventID values, the result is an error that states "argument of type 'int' is not iterable."

I suspect that this change in the behavior of the backend was made to accommodate for new sumologic-cse config which may not need the additional allowed fields that the regular sumologic config does. As such, I think it would probably make the most sense to re-add these fields to the sumologic config file rather than directly back into the backend for sumologic.

Note: In the config, I did not include those fields that are presently hard coded in the allowed field list in the sumologic backend (e.g. _sourceCategory and _view were removed). I also removed "sourcename" since from what I can tell, the syntax that vihreb added to the sumologic backend "_sourceName" is actually correct.
 2020-12-28 16:46:32 -05:00
Florian Roth
d1f7a206b9
Merge pull request #1289 from weslambert/master 
Fix typo
 2020-12-13 19:04:07 +01:00
findthebad
ad899899ab Updated winlogbeat.yml config to include OriginalFileName 2020-11-26 14:48:14 -05:00
Helge Aksdal
3a7c114ca3 Fix field mapping for DestinationHostname 2020-11-26 04:17:28 +01:00
Thomas Patzke
0ed54a6cae
Merge pull request #1290 from arollyson/helix_backend 
Backend: FireEye Helix
 2020-11-21 00:06:19 +01:00
Alek Rollyson
83b8af6cd2 Add FirEye Helix backend 2020-11-19 11:18:28 -05:00
weslambert
832e582b8d
Fix typo 2020-11-17 17:44:40 -05:00
Florian Roth
9944c0e563 Merge branch 'master' into pr/1267 2020-11-17 14:33:55 +01:00
heyibrahimkhan@gmail.com
eed4fe04d5 added role name field to ecs-cloudtrail. 2020-11-13 05:59:55 +05:00