valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 18:23:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2,331 Commits 20 Branches 25 Tags 21 MiB
a25b2ec361
Commit Graph

302 Commits

Author SHA1 Message Date
Thomas Patzke
a25b2ec361
Merge pull request #523 from refractionPOINT/lc-added-mtd 
LC added FP metadata
 2019-12-13 21:50:52 +01:00
Maxime Lamothe-Brassard
27bb07b74e Adding support for basic proxy rules using the HTTP_REQUEST events from the Chrome LC Agent. 2019-12-05 09:35:09 -08:00
Maxime Lamothe-Brassard
61bcc46394 Prettier formatting of YAML. 2019-11-18 14:50:41 -05:00
Maxime Lamothe-Brassard
9eed57ee1d Adding the "falsepositives" field to the LC metadata. 2019-11-15 08:30:41 -05:00
Thomas Patzke
6d62d426c9 Added sigma-uuid tool 
* Moved SigmaYAMLDumper to new sigma.output module
 2019-11-11 23:35:16 +01:00
Thomas Patzke
465e41bfbb Added regular expression support in es-dsl backend 2019-11-08 22:31:02 +01:00
Thomas Patzke
ef14ee542d Added modifiers: startswith and endswith 2019-11-05 23:04:13 +01:00
Maxime Lamothe-Brassard
1b9054c1f3 Adding some comments 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
b7018bcd4a Adding a post-mapper mechanism to fix some common issues in Sigma rules to LC. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
c2e621cf08 Fixing another edge case with string escape. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
0c6b9e532b Remove debugging statement 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
6f2f1d2bd7 Add ability to map fields and values based on callbacks. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
0b9a3f3a08 Refactor to better support keyword fields. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
9aedb8f764 Adding another exception case to get more "contains" shortcuts instead of REs. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
102ab3081b Fix the convertion from simple wildcard strings to a full regular expression so that it is always correct. The previous solution just mostly-worked. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
e52f29dda9 Fix matches operator field set to value instead of re. 2019-11-05 08:38:06 -05:00
Thomas Patzke
54c75167ce Default configurations for backends 2019-11-03 23:32:50 +01:00
Thomas Patzke
4f19ef5708 Graylog backend now derived from es-qs 
Technically, Graylog is ES. Fixes and improvements for ES didn't
propagate to Graylog, now they do.
 2019-11-02 22:56:01 +01:00
Thomas Patzke
8af2b70594 Restrict search not bound to fields to keyword fields 2019-11-02 22:55:04 +01:00
Thomas Patzke
c9eb921f68 ConditionAND/OR constructor now allows arbeitrary number of operands 2019-11-02 22:54:35 +01:00
Thomas Patzke
2eeccf48e0 Removed line breaks in Elastalert YAML output 
Fixes #453
 2019-10-29 22:45:37 +01:00
Maxime Lamothe-Brassard
f6fb9c7f5f Fixing typo in response metadata. 2019-10-28 11:31:50 -05:00
Maxime Lamothe-Brassard
2873e1ded3 Small refactors to make more readable and remove deprecated code paths to increase coverage. 2019-10-28 10:49:05 -05:00
Maxime Lamothe-Brassard
a7003c2aa3 Adding support for "unix", looking like a mistake by the creator. 2019-10-27 15:55:12 -05:00
Maxime Lamothe-Brassard
d019cef439 Ading a bit more of early support for netflow and some linux exe. 2019-10-27 15:48:28 -05:00
Maxime Lamothe-Brassard
a57a7b58cf Added conceptial support for aliasing keyworkds to a specific field depending on the log source. 2019-10-27 15:28:54 -05:00
Maxime Lamothe-Brassard
60b20a76a6 Fixing handling of unsupported sources. 2019-10-27 12:37:06 -05:00
Maxime Lamothe-Brassard
0fe72d6133 Emit error on full-text searches not being supported. 2019-10-27 12:26:36 -05:00
Maxime Lamothe-Brassard
f43300af8e Fix the top level pre-condition for Windows Event Logs on LC. 2019-10-27 12:17:15 -05:00
Maxime Lamothe-Brassard
91e48d8c1b Adding setup links and fixing test that would crash Not node, but not seen in prod rules. 2019-10-27 11:56:32 -05:00
Maxime Lamothe-Brassard
8d866b0868 Adding comments. 2019-10-26 17:37:13 -05:00
Maxime Lamothe-Brassard
bc5e9bd03a Making rule output a full D&R (with the Response component) and includes a lot of metadata from the rule in the report. 2019-10-26 17:30:40 -05:00
Maxime Lamothe-Brassard
8cc3990aef Extending support for more random rules with odd names. 2019-10-26 16:59:33 -05:00
Maxime Lamothe-Brassard
4d65b62063 Adding support for generating rules for Windows builtin category for use in the External Logs of LC. 2019-10-26 16:30:50 -05:00
Maxime Lamothe-Brassard
30cc7ee809 Refactor mappings into a flat structure to account for missing parameters in some combinations. 2019-10-26 16:09:39 -05:00
Maxime Lamothe-Brassard
77329714c5 Adding service to indirection of mappings since it will be used for Windows Event Logs. 2019-10-26 16:06:42 -05:00
Maxime Lamothe-Brassard
823d86c7d9 Remove unimplemented config entries and fix bug with valueNode. 2019-10-26 15:54:08 -05:00
Maxime Lamothe-Brassard
bba43c7a86 First draft of support for LimaCharlie D&R rules. 2019-10-26 15:45:48 -05:00
Thomas Patzke
30948b9c1a Added sigma-similarity tool 
Fixed also bug in backend base class that was triggered by the way
backends are used by this tool.
 2019-10-25 21:59:03 +02:00
Thomas Patzke
fc276612b6 Added encoding modifiers 2019-10-16 23:52:06 +02:00
Steven Goossens
6a1a96a918 Implement mapping when selecting the fields for the AQL query. This was not being done correctly 2019-10-16 16:37:09 +02:00
Steven Goossens
2837d3ba74 Added the cleanValue function for Qradar 2019-10-16 10:27:24 +02:00
Thomas Patzke
849a5a520d Conditional field mapping resolve_fieldname now functional 
Before this method just had some placeholder function that wasn't really
implementing the intended functionality of the conditional field
mapping. Now aggregations get also conditional field mapping
functionality.
 2019-10-09 23:57:41 +02:00
Thomas Patzke
d4f89ebc1c Aggregation on keyword field in es-dsl backend 
* Fixes #452
* Further fixed reference to count in restriction of results
 2019-09-29 23:18:17 +02:00
Thomas Patzke
19f431b6d2 Changed xpack-watcher dateField default to previous value 2019-09-12 00:19:58 +02:00
herrBez
8f612f743c Use config dateField in xpack watcher to determine 
datefield name as in elasticsearch dsl backend
 2019-09-11 09:38:03 +02:00
Thomas Patzke
c80cb418cd Improved QRadar regular expression support 2019-09-05 15:35:26 +02:00
Thomas Patzke
30b6db8299 Fixed ES backend keyword field mapping wildcard match pattern 2019-09-05 12:55:10 +02:00
Thomas Patzke
3b1cbe529e Elasticsearch keyword field name blacklisting with wildcards 2019-09-05 12:38:32 +02:00
Thomas Patzke
2a60c71b9d
Merge pull request #437 from svent/qradar_regex_modifier 
QRadar backend: add support for re type modifiers
 2019-09-05 10:30:18 +02:00