neu5ron
177f0a783b
winlogbeat forward (at a snail's pace) ECS field names
2020-05-19 04:58:51 -04:00
Remco Hofman
c5be83eb01
Added ee-outliers backend
2020-05-08 10:18:35 +02:00
neu5ron
cbe5af01a1
on behalf of @socprime [SOC Prime Inc.](https://my.socprime.com/en/tdm/)
add a total of 5 sigmac's (sigma configs) for 3 different backends. full git message to follow in PR.
2020-05-02 07:23:11 -04:00
Florian Roth
5f0250bff5
Merge pull request #669 from 0xThiebaut/winlogbeat-rulename
Add Winlogbeat's RuleName field to mapping
2020-03-28 13:20:08 +01:00
Thomas Patzke
5ea623506f
Merge pull request #667 from opflep/master
Upgrade CarbonBlack backend
2020-03-22 00:24:57 +01:00
Maxime Thiebaut
c5bdd18d8d
Add Winlogbeat's RuleName field to mapping
When Sysmon logs a "RegistryEvent" event of ID 13, the event might contain a field named "RuleName" as shown in the following excerpt.
```xml
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Events>
<Event
xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/>
<EventID>13</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>13</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime='2020-03-18T03:52:07.173448000Z'/>
<EventRecordID>160631</EventRecordID>
<Correlation/>
<Execution ProcessID='2156' ThreadID='3628'/>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>win10.sec699-40.lab</Computer>
<Security UserID='S-1-5-18'/>
</System>
<EventData>
<Data Name='RuleName'>Context,ProtectedModeExitOrMacrosUsed</Data>
<Data Name='EventType'>SetValue</Data>
<Data Name='UtcTime'>2020-03-18 03:52:07.129</Data>
<Data Name='ProcessGuid'>{36aa6401-9acb-5e71-0000-0010e3ed6803}</Data>
<Data Name='ProcessId'>5064</Data>
<Data Name='Image'>C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE</Data>
<Data Name='TargetObject'>HKU\S-1-5-21-1850752718-2055233276-2633568556-1126\Software\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords\%USERPROFILE%/Documents/sec699.docm</Data>
<Data Name='Details'>Binary Data</Data>
</EventData>
</Event>
</Events>
```
When used in combination with Elastic's Winlogbeat, the resulting field is named `winlog.event_data.RuleName`.
This commit introduces a mapping between the Sigma `RuleName` field (pre-existing in the `arcsight.yml` config) and Elastic's `winlog.event_data.RuleName`.
The presence of this field could be leveraged to build Sigma rules detecting events such as the above where a malicious macro was executed.
2020-03-19 19:40:18 +01:00
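The mapping described in the commit above, carried through as an added example that is not part of the Sigma project or of the commit itself: a constructed Sysmon EventID 13 event (abbreviated from the excerpt) is flattened into Winlogbeat-style `winlog.event_data.*` keys, and a Sigma-style selection written against the `RuleName` field is evaluated through a fieldmapping. The `FIELDMAPPING` dict, the fallback to `winlog.event_data.<name>` and the `matches` helper are simplified assumptions, not sigmac's real implementation.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed Sysmon EventID 13 event, abbreviated from the commit message's excerpt.
SYSMON_EVENT_XML = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>13</EventID>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>
<EventData>
<Data Name='RuleName'>Context,ProtectedModeExitOrMacrosUsed</Data>
<Data Name='Image'>C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE</Data>
<Data Name='TargetObject'>HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\Trusted Documents\\TrustRecords\\sec699.docm</Data>
</EventData></Event>"""
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Stand-in for the Winlogbeat config's fieldmappings (an assumption): unmapped names fall back to winlog.event_data.<name>.
FIELDMAPPING = {"EventID": "winlog.event_id", "RuleName": "winlog.event_data.RuleName"}

def to_winlogbeat(xml_text):
    # Flatten a Sysmon event into the dotted field names Winlogbeat produces.
    root = ET.fromstring(xml_text)
    doc = {"winlog.event_id": int(root.findtext("e:System/e:EventID", namespaces=NS))}
    for data in root.findall("e:EventData/e:Data", NS):
        doc["winlog.event_data." + data.get("Name")] = data.text or ""
    return doc

def matches(selection, event):
    # Evaluate a Sigma-style selection ("field|modifier": value) after field mapping.
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        value = str(event.get(FIELDMAPPING.get(field, "winlog.event_data." + field), ""))
        expected = str(expected)
        if modifier == "endswith":
            ok = value.endswith(expected)
        elif modifier == "contains":
            ok = expected in value
        else:  # plain match; Sigma-style * wildcards allowed
            ok = fnmatch.fnmatchcase(value, expected)
        if not ok:
            return False
    return True

# Selection for the scenario in the commit: Word writing a TrustRecords entry while Sysmon's
# own RuleName tag flags macros / Protected View exit (constructed selection, not a Sigma rule).
MACRO_SELECTION = {
    "EventID": 13,
    "RuleName|contains": "ProtectedModeExitOrMacrosUsed",
    "Image|endswith": "\\WINWORD.EXE",
    "TargetObject|contains": "\\Trusted Documents\\TrustRecords\\",
}
```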
vunx2
1025930e04
merge
2020-03-19 11:05:52 +07:00
vunx2
c627f6b381
merge
2020-03-19 11:02:10 +07:00
vunx2
e228d42b97
clean IP subnet
2020-03-18 16:49:44 +07:00
neu5ron
58ac26e531
more ECS to sigmac taxonomy for web/proxy
2020-03-14 14:57:38 -04:00
vunx2
58f5fa1b8e
change to github
2020-02-28 16:56:48 +07:00
vunx2
139600009b
conflict
2020-02-28 16:50:30 +07:00
Thomas Patzke
5b42135935
Added es-rule backend to all ES configurations
2020-02-24 23:20:48 +01:00
vh
5dc30bd388
Carbonblack, Arcsight ESM, Elastic Rule
2020-02-24 19:29:45 +02:00
Thomas Patzke
776b58b594
Improved Splunk Zeek configuration
2020-02-21 22:31:14 +01:00
Thomas Patzke
48d95f027c
Merge branch 'oscd'
2020-02-20 23:11:57 +01:00
james dickenson
1347e5060f
logsource config for zeek events in splunk
2020-02-12 21:24:03 -08:00
vunx2
627f46abc2
backslash fix
2020-02-06 16:28:27 +07:00
vunx2
19d9e4856e
clean Value + config
2020-02-05 17:47:35 +07:00
Thomas Patzke
d7bd90cb24
Merge branch 'master' into oscd
2020-02-03 23:13:16 +01:00
vunx2
2930df17d6
update sigma
2020-02-03 09:47:06 +07:00
neu5ron
d8b703462d
fix name of network_initiated
2020-01-13 00:12:04 -05:00
Thomas Patzke
8d6a507ec4
OSCD QA wave 1
* Checked all rules against Mordor and EVTX samples datasets
* Added field names
* Some severity adjustments
* Fixes
2020-01-11 00:11:27 +01:00
Thomas Patzke
b701e9be50
Added ECS proxy configuration
2019-12-09 16:34:07 +01:00
Thomas Patzke
991108e64d
Further proxy field name fixes (config + rules)
2019-12-07 00:23:30 +01:00
Lep
60997b47b2
moreEventID
2019-11-28 21:34:52 +07:00
Florian Roth
e2628d6df6
fix: wrong mapping on thor.cfg
2019-11-11 09:20:20 +01:00
Florian Roth
a0beda240c
fix: fixed wrong field mapping in windows-audit source config
2019-11-09 22:42:00 +01:00
Maxime Lamothe-Brassard
2873e1ded3
Small refactors to make more readable and remove deprecated code paths to increase coverage.
2019-10-28 10:49:05 -05:00
Maxime Lamothe-Brassard
823d86c7d9
Remove unimplemented config entries and fix bug with valueNode.
2019-10-26 15:54:08 -05:00
Maxime Lamothe-Brassard
bba43c7a86
First draft of support for LimaCharlie D&R rules.
2019-10-26 15:45:48 -05:00
gsanm
150afd816d
IP Clean
2019-10-22 17:49:50 +07:00
lep
1c5816b214
update carbonblack module
2019-10-18 17:51:31 +07:00
lep
7219e0b0f1
module carbonblack
2019-10-18 14:04:38 +07:00
neu5ron
a729cc7905
create winlogbeat config/taxonomy specific to elastic enabled winlogbeat modules [such as the one for sysmon](https://github.com/elastic/beats/blob/master/x-pack/winlogbeat/module/security/config/winlogbeat-security.js) sigmac conversion
2019-10-01 10:16:42 -04:00
neu5ron
f7fd936433
update HELK config taxonomy/mapping for sigmac conversion
2019-10-01 10:14:54 -04:00
ecco
4c5eab88b6
add GroupSid to other configs
2019-09-11 04:53:30 -04:00
ecco
5ae46ac56d
rule: user added to local administrator: handle non english systems by using group sid instead of name
2019-09-06 06:21:42 -04:00
Thomas Patzke
de5e2045f0
Merge pull request #428 from stevengoossensB/master
AQL field selection from signatures
2019-09-05 10:28:02 +02:00
Thomas Patzke
37e179b6a7
Merge pull request #390 from juju4/devel-sumo2
sumologic backend: fix index and full mapping coverage
2019-09-05 10:27:19 +02:00
Steven Goossens
cb088e4911
Remove quotes from around the fields to make the query semantically correct
2019-08-26 12:43:26 +00:00
Steven Goossens
ad19f05e2c
Include mapped names rather than signature names
2019-08-26 12:06:20 +00:00
svent
826c1e3942
Fix QRadar backend config
2019-08-12 23:47:43 +02:00
Thomas Patzke
b9ff280209
Cleanup of configuration names
2019-07-14 00:50:15 +02:00
juju4
10290beb54
config/sumologic: more index mappings
2019-07-06 12:42:12 -04:00
juju4
7b0cace217
config/sumologic: more index mappings
2019-07-06 12:42:05 -04:00
Thomas Patzke
161965d14c
Added version information to Winlogbeat configs
2019-06-30 22:44:12 +02:00
herrBez
74021d53d8
Modified winlogbeat config to adhere to winlogbeat 7 field names breaking changes
ref: https://www.elastic.co/guide/en/beats/libbeat/current/breaking-changes-7.0.html
2019-06-30 12:13:21 +02:00
Thomas Patzke
f4da0c5540
Added field SecurityID to Winlogbeat config
2019-06-19 23:35:50 +02:00
David Vassallo
fdce7ad9bf
Addition of KeyLength field
2019-06-14 17:58:47 +03:00
Thomas Patzke
5715413da9
Usage of Channel field name in ELK Windows config
2019-06-11 13:15:43 +02:00
Florian GAULTIER
6bf010fb4b
introduce elastalert-dsl
(cherry picked from commit 0235ec23200e62766d9f21fbd26ed834991a0b61)
2019-05-27 17:18:19 +02:00
Thomas Patzke
11ed7e7ef8
Check for valid configuration/backend combinations
2019-05-20 01:00:33 +02:00
Thomas Patzke
36aeb19721
Added title to all configurations
2019-05-16 23:33:51 +02:00
Codehardt
8cf505fcb3
Accidentally removed windows-dhcp logsource in spark's config file
2019-04-25 08:23:48 +02:00
Codehardt
79f7edb6b4
Added logsources for generic sigma rules to spark config, renamed spark config to thor config
2019-04-25 08:15:50 +02:00
Thomas Patzke
6918784e87
Configuration order checking
2019-04-23 00:54:10 +02:00
Thomas Patzke
c922f7d73f
Merge branch 'master' into project-1
2019-02-26 00:24:46 +01:00
Florian Roth
004497075d
fix: spark source config bug
2019-02-12 23:27:38 +01:00
neu5ron
046510f021
updated HELK Destination IP name
2019-02-05 13:11:06 -05:00
Florian Roth
a276d3083d
DHCP log source in sigmac configs
2019-02-05 14:35:23 +01:00
Thomas Patzke
516bfc88ff
Added rule: RDP login from localhost
2019-01-28 22:43:22 +01:00
Thomas Patzke
3eaf83cf5a
Improved configurations
Added Security/4688 field mappings
2019-01-16 23:37:18 +01:00
Thomas Patzke
ba64f485ac
Added generic Windows audit log configuration
2019-01-16 22:41:42 +01:00
Thomas Patzke
a9cf14438c
Merge branch 'master' into project-1
2019-01-14 22:36:15 +01:00
Thomas Patzke
5cba0b9946
Merge pull request #223 from m0jtaba/master
extending the qradar backend to allow for timeframe query
2019-01-13 23:55:55 +01:00
Mo Amiri
aa37ef2559
extending the qradar backend to allow for timeframe query
2019-01-11 03:33:49 +00:00
Adrien Vergé
44f18db80d
Fix YAML errors reported by yamllint
Especially the config for ArcSight, that was invalid:
tools/config/arcsight.yml
89:5 error duplication of key "product" in mapping (key-duplicates)
90:5 error duplication of key "conditions" in mapping (key-duplicates)
rules/windows/builtin/win_susp_commands_recon_activity.yml
10:9 error too many spaces after colon (colons)
2019-01-10 09:51:39 +01:00
Roberto Rodriguez
a0486edeea
Field-Index Mapping File & SIGMA Rules Field names fix
+ Updated HELK field-index mapping file
+ After going through all the fields with 'fieldlist' output, I found a few rules that fixed.
2018-12-11 09:27:26 +03:00
Thomas Patzke
68866433e8
Merge branch 'juju4-devel-sumo'
2018-12-10 22:37:58 +01:00
Thomas Patzke
4175d0cdd5
Fixed config and added index field
* Added index field _index to backend implementation
* Fixed index values in config
2018-12-10 22:37:39 +01:00
juju4
1f707cb37c
Adding Sumologic backend
2018-12-09 17:55:51 -05:00
Roberto Rodriguez
8c577a329f
Improve Rule & Updated HELK SIGMA Standardization Config
Rule should be focusing on the 'process_command_line' field and not just on any value of any event generated by powershell.exe.
SIGMA HELK standardization config updated to match latest HELK Common Information Model
2018-12-08 11:30:21 +03:00
Florian Roth
99e0a4defb
fix: SPARK config duplicate identifier
2018-11-27 14:05:13 +01:00
tuckner
26f73d60fa
Added NetWitness backend and tests
2018-10-31 14:07:59 -05:00
Thomas Patzke
a61b3d352a
Added test cases
* Generic log sources
* Splunk index queries
2018-10-15 15:24:18 +02:00
Michael H
7e184f01c6
Removing invalid fieldmapping
2018-10-13 19:53:39 -05:00
Karneades
c66b00356d
Add initial version of PowerShell backend
* Add PowerShell backend
* Add PowerShell config file
State: Work in progress :)
See https://github.com/Neo23x0/sigma/issues/94
2018-09-23 21:41:48 +02:00
Thomas Patzke
1d12fc290c
Added Winlogbeat configuration
2018-09-20 12:08:11 +02:00
Thomas Patzke
d81946df39
Stacked configurations
- Added log source rewriting
- Removed log source merging condition type setting
- Simplified SigmaLogsourceConfiguration constructor
- Condition is generated in SigmaParser instead of SigmaLogsourceConfiguration
Missing:
- Merging of raw config dict for backends that rely on this (es-dsl)
2018-09-12 23:40:22 +02:00
James Dickenson
9a61f40cef
added support for flow data in qradar backend
2018-08-16 21:44:17 -07:00
Thomas Patzke
320bb9f8c4
Added rewrite config to generic sysmon configuration
2018-08-14 21:34:54 +02:00
Thomas Patzke
430972231f
Added generic sysmon configuration with process_execution config
2018-08-14 21:34:54 +02:00
nikotin
b5f27d75be
Added Qradar backend
2018-07-17 15:25:06 +03:00
Florian Roth
2a74a62c67
Config file for SPARK scanner
2018-06-29 16:42:16 +02:00
Florian Roth
7edd95744a
Windows NTLM
2018-06-13 00:08:46 +02:00
nikotin
d13e8d7bd3
Added ArcSight & Qualys backends
2018-06-07 16:18:23 +03:00
Florian Roth
65cc78f9e8
Windows Config Update - DNS logs
2018-05-22 16:59:58 +02:00
Thomas Patzke
17c1c1adff
Added field name mappings to HELK configuration
2018-03-27 14:41:02 +02:00
Thomas Patzke
a3e02ea70f
Various rule fixes
* Field name: LogonProcess -> LogonProcessName
* Field name: Message -> AuditPolicyChanges
* Field name: ProcessCommandLine -> CommandLine
* Removed Type match in Kerberos RC4 encryption rule
Problematic because text representation not unified and audit failures are possibly interesting events
* Removed field 'Severity' from rules (Redundant)
* Rule decomposition of win_susp_failed_logons_single_source because of different field names
* Field name: SubjectAccountName -> SubjectUserName
* Field name: TargetProcess -> TargetImage
* Field name: TicketEncryption -> TicketEncryptionType
* Field name: TargetFileName -> TargetFilename
2018-03-27 14:35:49 +02:00
Thomas Patzke
e162ba0155
Added HELK configuration
2018-03-16 23:42:31 +01:00
Thomas Patzke
f478cffb41
Added default index configs for usual ELK setups
* Added test case for defaultindex with kibana backend
2017-11-09 10:05:41 +01:00
Florian Roth
1bea284280
Added Windows Driver Framework log source to configs
2017-11-09 08:42:58 +01:00
Florian Roth
e83e3a0c07
Bugfixes in Splunk config
2017-11-09 08:41:07 +01:00
Thomas Patzke
3389656a5b
Added ELK default index config
2017-10-23 00:45:33 +02:00
Thomas Patzke
cb9aeac7d9
Added default index handling
* Removed default index handling from backend code
* Added default indices to config templates
2017-10-23 00:08:39 +02:00
Thomas Patzke
54cf9af0c9
Removed ELK Sysmon config
It's contained in ELK Windows config
2017-10-18 15:23:55 +02:00
Thomas Patzke
545e05370f
Added first config for logstash-linux project
URL: https://github.com/thomaspatzke/logstash-linux
2017-09-17 00:36:04 +02:00
Florian Roth
edf2787402
Removed some spaces and added Win 10 WMI eventlog
2017-08-22 10:04:56 +02:00
Thomas Patzke
998bb0079d
Fixed Splunk config for sigmac again
2017-05-26 22:40:06 +02:00
Thomas Patzke
18a9fd18ef
Fixed Splunk configuration
Substituted source: with sourcetype:
2017-05-26 00:13:30 +02:00
Florian Roth
f66085b198
Added eventlog source DNS Server to configs
2017-05-08 13:09:17 +02:00
Ben de Haan
dddb83393d
Added field mappings for events with logins
2017-03-30 10:49:36 +02:00
Ben de Haan
cb9a9bc2ff
Added LogPoint conditional username mapping
Conditional mapping of SubjectAccountName based on EventID. Not a comprehensive list, but should include most relevant Event IDs.
2017-03-30 09:51:32 +02:00
Thomas Patzke
9698e8fdf7
Changed Logpoint SubjectAccountName mapping to conditional mapping
2017-03-25 00:27:29 +01:00
Thomas Patzke
a4465ce844
Added 1:n field mapping
MultiFieldMapping
2017-03-24 00:58:11 +01:00
Florian Roth
7e180365ab
PowerShell Classic Log in Splunk Config Example
2017-03-22 11:17:46 +01:00
Ben de Haan
c3c405a95e
LogPoint windows mapping
2017-03-20 16:57:19 +01:00
Florian Roth
f292a259a5
Adjusted Windows Splunk Config
2017-03-18 13:12:31 +01:00
Thomas Patzke
17c484163d
Improved examples
2017-03-18 00:03:21 +01:00
Thomas Patzke
b4f52d9cfb
Windows index in Splunk example configuration
2017-03-17 23:30:11 +01:00
Florian Roth
dc00baacda
Splunk Windows Configuration Example
2017-03-17 10:00:56 +01:00
Thomas Patzke
d2a9a91175
Log source conditions are integrated in generated expressions
Indices not yet included
2017-03-14 23:22:32 +01:00
Thomas Patzke
52d7e9fc07
Parsing log sources in configuration files
2017-03-12 23:12:21 +01:00
Florian Roth
b93379a6a9
Config example: sysmon / logstash index
2017-03-07 10:09:43 +01:00