valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
7,647 Commits 20 Branches 25 Tags 21 MiB
ac90ee0002
Commit Graph

1100 Commits

Author SHA1 Message Date
mf1d3l
681accf2ba add splunkdm to Makefile 2021-07-10 22:23:15 +02:00
mf1d3l
0271bc6b13 clean 2021-07-10 22:13:09 +02:00
mf1d3l
b986ed0716 extend cim 2021-07-10 19:02:24 +02:00
G Y
bdb77780b3
Update winlogbeat.yml 
Change Imphash's value as current one does not exist without the Sysmon processor module under Winlogbeat.
 2021-07-10 11:37:36 +08:00
G Y
cb2985df75
Update winlogbeat-modules-enabled.yml 
Replaced mapping for Imphash (based on Winlogbeat's Sysmon processor module).
 2021-07-10 10:51:05 +08:00
mfidel
ffadd110cb
Update splunkdm.py 2021-07-10 00:03:41 +02:00
mfidel
82f8412988
Update splunkdm.py 2021-07-10 00:02:33 +02:00
mf1d3l
368388a7e6 Add Splunk Datamodel backend 2021-07-09 23:18:17 +02:00
Ibrahim Ali Khan
8bf07b3575
Create ala-azure-ad_auditlogs.yml 
Azure AD Audit Logs mapping for Azure Log Analytics
 2021-07-08 20:40:39 +05:00
Ibrahim Ali Khan
7bba239f56
Create ala-azure-activitylogs.yml 
Azure Activity Logs mapping for Azure Log Analytics
 2021-07-08 20:40:03 +05:00
Ibrahim Ali Khan
6849aba266
Create ecs-azure-ad_auditlogs.yml 
Azure AD Audit Logs Elasticsearch ecs mapping
 2021-07-08 20:39:05 +05:00
Ibrahim Ali Khan
25dd14829e
Create ecs-azure-activitylogs.yml 
Azure Activity Logs Elasticsearch ecs mapping
 2021-07-08 20:37:12 +05:00
Florian Roth
a6952540c9
Merge pull request #1659 from SigmaHQ/config-adjustments 
refactor: THOR config adjustments
 2021-07-08 15:37:04 +02:00
Florian Roth
5e7f1f3a36 refactor: THOR config adjustments 2021-07-08 14:51:49 +02:00
Thomas Patzke
09c8d42c03 Deleted Sysmon config which doesn't makes sense 2021-07-08 07:31:49 +02:00
Florian Roth
cdc434cfc4 feat: OriginalFileName mapping in MDATP ImageLoad events 2021-07-07 18:22:58 +02:00
frack113
4e3b275056 Fix more windows fields name 2021-07-07 12:28:00 +02:00
frack113
5c9ca35bb6 Add the last missing 2021-07-07 09:10:50 +02:00
frack113
e76f30d59c Add some missing fields mapping 2021-07-06 15:56:33 +02:00
Florian Roth
400fae4dba
Merge pull request #1609 from cianmcgovern/graylog-fix 
Escape spaces in graylog backend
 2021-07-04 14:20:07 +02:00
frack113
8fd81acee4 Change getRuleName() to get 'id-title' instead of ('id' or 'title') 2021-07-04 11:56:59 +02:00
Cian Mc Govern
7fca08e5bd Escape spaces in graylog backend 2021-07-02 21:56:08 +01:00
Florian Roth
06ab553d25
Merge pull request #1604 from SigmaHQ/rule-devel 
Config: Splunk fix log sources prefix, THOR PS classic
 2021-07-02 15:39:22 +02:00
Florian Roth
ba94b8396c config: thor - powershell classic 2021-07-02 14:14:48 +02:00
Florian Roth
03e2b9d376 fix: missing "WinEventLog:" in splunk-windows.yml 2021-07-02 14:13:12 +02:00
Florian Roth
825ff5520b
Merge pull request #1597 from SigmaHQ/rule-devel 
config: add PrintService Operational
 2021-07-01 10:27:43 +02:00
Florian Roth
63f3fd7e73 config: add PrintService Operational 2021-07-01 09:55:15 +02:00
Florian Roth
19962c6fe4
Merge pull request #1590 from SigmaHQ/rule-devel 
config: mappings for Microsoft print service
 2021-06-30 14:50:52 +02:00
Florian Roth
a49bfb14dd refactor: Admin log - not Operational 2021-06-30 14:22:40 +02:00
Florian Roth
26cfbb9c34 config: mapping for Microsoft SMBClient service - security 2021-06-30 14:16:26 +02:00
Florian Roth
8262a1d98b config: mappings for Microsoft print service 2021-06-30 14:09:44 +02:00
frack113
f2b24ea6a3 Add support for action yml 2021-06-29 17:45:59 +02:00
frack113
bb8fe7f3b8 Add --output-extention if you want a custom output file extention (.ndjson,.txt,.splunk,..) 2021-06-29 08:13:48 +02:00
frack113
b26fc228b4 update help and add '/' or '\\' for surfix 2021-06-28 21:25:51 +02:00
frack113
831654a57a Add a way to have a output prefix 2021-06-28 19:27:20 +02:00
Cody Swanson
ab3a54c336 Update Elasticsearch Watcher backend to populate name field in alert metadata 2021-06-27 12:08:45 -07:00
Florian Roth
abe353de66
Merge pull request #1561 from frack113/es_rule_add_more_tag 
add multi custom tag for issue #1560
 2021-06-25 12:25:28 +02:00
Florian Roth
2ad6401487
Merge pull request #1565 from SpeedyFireCyclone/powershell_fieldmappings 
Generic remapping for PowerShell backend
 2021-06-25 12:21:00 +02:00
Florian Roth
537d89d185
Merge pull request #1575 from SigmaHQ/rule-devel 
rules: PurpleSharp, WMIC ActiveScriptEventConsumer
 2021-06-25 12:15:35 +02:00
eocete
bfbd1c6487 Merge remote-tracking branch 'upstream/master' into master 2021-06-21 14:11:39 +02:00
eocete
4b92dbb90d master: Added new Devo backend for the sigmac tool. Added three new backend configurations to support the Devo backend. Added a new test suite to cover the Devo backend cases. 2021-06-21 14:06:04 +02:00
Remco Hofman
a18c3952d9 More generic remapping for PowerShell backend 2021-06-20 07:58:01 +02:00
frack113
1f2c93a4e7 add multi custom tag for issue #1560 2021-06-17 08:05:44 +02:00
Florian Roth
ae06ebcae0
Merge pull request #1551 from xg5-simon/xg5-simon 
Support for VMware Carbon Black Cloud EEDR
 2021-06-10 18:35:16 +02:00
Florian Roth
bf40b64f91 docs: better title in crowdstrike config 2021-06-10 17:07:01 +02:00
Florian Roth
cd2792f82c
Merge pull request #1547 from frack113/new_filter_condition 
Add New filter condition
 2021-06-10 14:42:44 +02:00
Simon
1d081e300d
Support for VMware Carbon Black Cloud EEDR 
Add support for VMware Carbon Black Cloud EEDR. Field mappings derived from https://developer.carbonblack.com/reference/carbon-black-cloud/cb-threathunter/latest/process-search-fields/
 2021-06-10 21:45:29 +10:00
Florian Roth
ab3baa9463
Merge pull request #1534 from SpeedyFireCyclone/mdatp_serviceinstalled 
MDATP ServiceInstalled mapping
 2021-06-10 09:05:56 +02:00
frack113
a600e2dcaa forget a print debug 2021-06-10 08:49:15 +02:00
frack113
af1aee9541 Add filter condition= and condition!= 2021-06-10 08:26:19 +02:00
frack113
1b4d4cfb82 Add missing sysmon EventID 2021-06-09 12:52:38 +02:00
Joshua Roys
2034d36677 Add support for Elastic EQL 
The EQL backend supports translation of the "near" aggregation into
EQL sequences. Additionally, the es-rule backend now has a sibling
es-rule-eql backend that outputs EQL queries instead of qs.
 2021-06-08 13:38:38 -04:00
frack113
e66a3f9513 T1562.001 Attempting to disable scheduled scanning and other parts of windows defender atp. 2021-06-07 15:03:19 +02:00
frack113
3d9fe490ab Detect modification of sysmon configuration by sysmon 2021-06-04 11:27:15 +02:00
Remco Hofman
0aa05f53e9 MDATP ServiceInstalled event mapping 2021-06-03 21:43:52 +02:00
Florian Roth
2115bfcd75
Merge pull request #1519 from frack113/esrule_new_option 
Add some fun backend option for es-rule
 2021-06-03 20:50:44 +02:00
frack113
bf98f43850 Set powershell_alternate_powershell_hosts.yml more accurate by adding the correct channel for EventID 2021-06-01 10:47:17 +02:00
frack113
aa34ff8e3c Addition of System channel for more accurate detection 2021-05-30 09:27:08 +02:00
frack113
7ec513f1d0 Fix error when use -< namefile.yml in commandline as I never use it 2021-05-28 12:47:37 +02:00
frack113
b3a608599a Add some fun backend option for es-rule 2021-05-28 10:51:08 +02:00
Florian Roth
6e31bc3037
Merge pull request #1485 from V1D1AN/master 
Update ecs-zeek-elastic-beats-implementation.yml
 2021-05-27 14:59:14 +02:00
Florian Roth
ffeda2a2a2
Merge pull request #1492 from frack113/es_rule_uuid 
Fix errors when import es-rule ndjson to KIBANA
 2021-05-27 10:24:39 +02:00
Florian Roth
f98716c672
Merge pull request #1500 from frack113/sigmac_add_time_filter 
Sigmac add new filter
 2021-05-27 10:16:19 +02:00
Florian Roth
d06f2bcf14 fix: sysmon backend "startswith" 2021-05-26 15:42:16 +02:00
Florian Roth
bb71860fb2
Merge pull request #1509 from vastlimits/feature/update-6.1 
Updated uberAgent backend to support version 6.1.
 2021-05-26 13:08:08 +02:00
frack113
0e688d8dd0 Add the 'logsource!=' filter 2021-05-22 09:04:30 +02:00
frack113
f213226eb4 Add the 'tag!=' filter 2021-05-22 08:57:42 +02:00
frack113
8aa3ea15d7 change to the more revealing name "inlastday" 2021-05-22 08:44:30 +02:00
frack113
8a8f003d15 add lastday filter to get only the rule update or create in the last N days 
lastday=0 is all :)
 2021-05-21 19:31:06 +02:00
frack113
b92b765f9a Fix import to kibana error 400 severity is invalid. 2021-05-20 13:14:43 +02:00
frack113
cbb81cdf86 Fix import to kibana error 400 rish_score is null. 
rish_score is a integer.
If level is invalid set to medium
 2021-05-20 12:32:19 +02:00
frack113
f0974e9cf3 Fix : **false_positives** must be a array. 
If null add "Unknown".
If it is a string convert to a simple array row
 2021-05-20 11:20:38 +02:00
frack113
76523c5dbf fix [#1486](https://github.com/SigmaHQ/sigma/issues/1486). 
rule_id is always an uuid now.
For the rule-collection with only one uuid :
- first detection get the uuid
- other detection get a new uuid

it is a palliative, because the secondary uuid are not kept between 2 launches.
best practice is to use one uuid per detection and not files.
 2021-05-20 08:42:58 +02:00
Sven Scharmentke
a36bc55b06 Updated uberAgent backend to support version 6.1. 2021-05-18 12:07:09 +02:00
frack113
3b23c18f70 If not null use uuid instead of title for the rule id 2021-05-17 22:12:17 +02:00
V1D1AN
56e3a6aaf3
Update ecs-zeek-elastic-beats-implementation.yml 2021-05-16 22:53:25 +02:00
Florian Roth
691283616f
Merge pull request #1477 from wagga40/master 
Resolves #1450 - Bug in es-rule backend when using "-r" argument
 2021-05-14 09:00:30 +02:00
wagga40
534898a3ce Resolves #1450 - Bug in es-rule backend when using "-r" argument 2021-05-13 21:47:22 +02:00
wagga40
972f7a562b Updated SQL/SQLite backend tests 2021-05-13 17:51:54 +02:00
wagga40
5e99379803 Change to have raw log in rule results with SQL/SQlite Backends 2021-05-13 15:01:52 +02:00
Florian Roth
33d9d6876e
Merge pull request #1456 from wagga40/update-sql-backend 
Add a backend option to specify table name for SQL Backend
 2021-05-11 15:00:39 +02:00
Florian Roth
b655c25f7a
Merge pull request #1459 from JohnConnorRF/winlogbeat_scriptblock_logging 
Add ScriptBlockText to Winlogbeat Configs
 2021-05-11 14:59:08 +02:00
JohnConnorRF
1574d263cc Updated Winlogbeat Modules config based on: 048c3cc19b/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js (L171-L178) 2021-05-05 10:25:36 -04:00
Florian Roth
a9417b3f7b docs: better error highlighting 2021-05-05 12:59:13 +02:00
Florian Roth
0ca2d05247
revert changes to powershell backend 2021-05-05 12:26:59 +02:00
Florian Roth
55c39122e3 Merge branch 'master' into rule-devel 2021-05-05 11:56:20 +02:00
John Connor McLaughlin
3926e2388f Added ScriptBlockText as a field for winlogbeat configs as per https://www.elastic.co/guide/en/beats/winlogbeat/master/exported-fields-winlog.html 2021-05-04 15:23:47 -04:00
Florian Roth
2f12c5c540 fix: too broad definition of *.log on linux 2021-05-03 17:04:55 +02:00
Florian Roth
a9c837659b backend: powershell: escape $ symbols in strings 2021-05-03 15:30:33 +02:00
wagga40
cc13a5e3de Add a backend option to specify table name for SQL Backend 2021-05-02 14:39:41 +02:00
Maxime Lamothe-Brassard
11982abec0 Add support for macOS rules and fix case sensitivity. 2021-04-28 16:49:59 -07:00
Max Altgelt
7c8cca744f
chore: Revert log file changes for THOR sigma configuration 
Revert recent changes for Windows / Linux .log files for THOR
because of massive performance impacts.
 2021-04-28 17:48:17 +02:00
Max Altgelt
de2cedf213
fix: Distinguish Windows and Linux logfiles by path separator 
A previous commit added a log source detailing *.log files with
product: linux. This caused linux specific Sigma rules to apply to
all *.log file, including those on Windows. To distinguish these
cases, expand the file path pattern to include the typical start
for unix / windows paths ( / vs [A-Z]:\ )
 2021-04-28 11:45:19 +02:00
Florian Roth
d24f0b8988 feat: generic registry events compatible with native audit logging 2021-04-26 09:31:36 +02:00
Florian Roth
66d0f910dd feat: windows native events - registry_event 2021-04-25 22:35:23 +02:00
Florian Roth
08234c4620 Revert "fix: splunk for windows config errors" 
This reverts commit 13347df263.
 2021-04-25 21:52:29 +02:00
Florian Roth
d766c12888 feat: generic categories - thor config 2021-04-23 17:47:09 +02:00
Florian Roth
c7ce9154d1
Merge pull request #1030 from stevengoossensB/master 
Updated sysmon config and rewrite rules to use categories
 2021-04-23 16:52:25 +02:00
phantinuss
95fa99b4a3
search generic log files for product: linux 2021-04-23 12:00:48 +02:00
Florian Roth
64f5af4c45
Merge pull request #1432 from SigmaHQ/rule-devel 
fix: splunk windows config, additional rule
 2021-04-23 10:30:44 +02:00
Florian Roth
13347df263 fix: splunk for windows config errors 2021-04-23 09:50:13 +02:00
Thomas Patzke
35e6e515ba
Merge pull request #1414 from herrBez/fix-542-dsl-aggregation-without-aggfield 
Fix es-dsl aggregation generation when aggfield is not given
 2021-04-20 10:35:16 +02:00
Cedric Hien
2ff27aa980 Fix SyntaxWarning for 'is' on fireeye-helix backend 2021-04-17 12:55:13 +02:00
Steven
7b679cc1f7 - Modified rules to use categories instead of hardcoded event IDs 
- Added file_delete category (Sysmon Event ID 23) to the generic translation file
 2021-04-15 01:40:31 +02:00
Steven
850a002840 Merge branch 'master' of https://github.com/SigmaHQ/sigma 2021-04-15 01:25:48 +02:00
herrBez
3b30a91185 Fix es-dsl aggregation generation when aggfield is not given 
Related to #542 and #543
 2021-04-06 16:41:46 +02:00
Thomas Patzke
5118be6bf6
Merge pull request #1407 from JohnConnorRF/winlogbeat_config_update 
Update winlogbeat configuration file to support File Product details
 2021-04-06 00:51:27 +02:00
Thomas Patzke
82fd5ca233
Merge pull request #1408 from roysjosh/es-rule-threshold 
Implement Elastic threshold detection rules
 2021-04-06 00:50:50 +02:00
Thomas Patzke
d789eb9c6f
Merge pull request #1409 from roysjosh/es-barf-on-multiple-conditions 
Elastic: raise an error from the base backend if a rule has multiple conditions
 2021-04-06 00:50:05 +02:00
Thomas Patzke
9606fc9c38
Merge pull request #1411 from wietze/mdatp_improvements 
Various Defender for Endpoint (mdatp) bug fixes
 2021-04-06 00:37:40 +02:00
Thomas Patzke
5f2ff99eea Replaced pip requirements with pipenv 2021-04-03 01:00:22 +02:00
Wietze
30c6d753fd
Removed unnecessary imports 2021-04-01 16:08:22 +01:00
Wietze
fb1bb91c3c
Apply changes to Defender for Endpoint backend 2021-04-01 16:02:06 +01:00
JohnConnorRF
477f05c5f2 Added in Product entry for winlogbeat-old 2021-04-01 09:24:24 -04:00
JohnConnorRF
1f3ee87e55 Added Product field to winlogbeat-modules-enabled.config. Note that the ECS details for Process do not include Product (https://www.elastic.co/guide/en/ecs/1.4/ecs-process.html) so winlog.event_data.Product was used instead of process.Product 2021-04-01 09:19:21 -04:00
Florian Roth
2560f40e06
Merge pull request #1406 from roysjosh/winlogbeat-mapping 
Map CommandLine appropriately
 2021-04-01 09:16:28 +02:00
Joshua Roys
7923852cc3 Elastic: raise an error from the base backend if a rule has multiple conditions 2021-03-31 16:01:05 -04:00
Joshua Roys
0448e46870 Implement Elastic threshold detection rules 
Transform supported count() aggregations (> and >=, no count field,
optionally a group by field) into a threshold detection rule.
 2021-03-31 15:19:04 -04:00
JohnConnorRF
3fd396f4db Updated winlogbeat configuration file to support File Product details 2021-03-30 13:21:14 -04:00
Joshua Roys
30ab2aad75 Map CommandLine appropriately 
Args is an array of the exploded command line and causes many rules to misfire.
 2021-03-30 10:15:10 -04:00
Thomas Patzke
eb98f0ba28
Merge pull request #1402 from refractionPOINT/lc-support-live-wel 
Add option to support different LimaCharlie targets.
 2021-03-29 23:13:01 +02:00
Florian Roth
ac1f82f7ca
Merge pull request #1380 from iosonogio/bugfix/netwitness-null 
[bugfix] netwitness and netwitness-epl backends have incoherent null expressions
 2021-03-29 11:23:18 +02:00
Maxime Lamothe-Brassard
e0666036a4 Add option to support different LimaCharlie targets. 2021-03-24 17:58:50 -07:00
Florian Roth
7d7dd4cb67 fix: missing index field in FE helix config 2021-03-20 09:09:45 +01:00
Florian Roth
8b145e20e4 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-03-20 09:04:40 +01:00
Florian Roth
58a1ab9817 fix: wrong indentation in fireeye helix mapping 2021-03-20 09:04:38 +01:00
Florian Roth
e47ee24889
Merge branch 'master' into rule-devel 2021-03-20 08:52:55 +01:00
Florian Roth
9e287a1b89 feat: MSExchange Management log mapping 2021-03-20 08:49:59 +01:00
Florian Roth
1fc408bfaa fix: duplicate field values in YAML configs 2021-03-20 08:49:43 +01:00
Florian Roth
6ac6b9295b
Merge pull request #1392 from hustlibraco/patch-1 
Update winlogbeat.yml
 2021-03-20 08:28:35 +01:00
albchen
42e82c95df
Updated for use with Image Load events 
Added compatibility to add DeviceImageLoadEvents if "image_load" category is found. Also, field ImageLoaded added to the mapping.
 2021-03-18 15:49:25 -07:00
Codehardt
6d626456f2 fix: syntax error in THOR's config file 2021-03-17 11:49:50 +01:00
libraco
3c5624ca88
Update winlogbeat.yml 
add `SAMAccountName: winlog.event_data.SamAccountName` mapping for rules/windows/builtin/win_vul_cve_2020_1472.yml
 2021-03-15 23:54:28 +08:00
libraco
2971a08734
Update winlogbeat.yml 
add AccessList mapping of winlogbeat for rules/windows/builtin/win_susp_lsass_dump_generic.yml.
 2021-03-15 23:01:07 +08:00
Thomas Patzke
f4734cd5e5
Merge pull request #1309 from WuerthIT:logsourcemerging 
functionality for parameter logsourcemerging
 2021-03-13 22:25:29 +01:00
Thomas Patzke
c13f3f1383
Merge pull request #1325 from dennispo/align-simac-stixshifter 
sigmac to STIX enhancements
 2021-03-13 18:49:12 +01:00
Thomas Patzke
99c7889363
Merge pull request #1368 from roysjosh/stable-risk-scores 
es-rule: make risk scores stable
 2021-03-13 18:46:37 +01:00
vh
7eeed68fb4 Chronicle Security Backend contributed by SOC Prime. 2021-03-12 12:21:44 +02:00
Johnny Walker
0873c57acf
Update netwitness.py 
nullExpression fixed to be really null (missing exclamation mark)
 2021-03-09 17:43:44 +01:00
Johnny Walker
4e5a9a58a5
Update netwitness-epl.py 
nullExpression and notNullExpression fixed to be logically coherent and compatible with EPL syntax
 2021-03-09 17:41:54 +01:00
Dennis Potashnik
12cc2cade1 Moved references to binary file from custom config to stix-2.0 config 2021-03-02 12:04:22 +02:00
Dennis Potashnik
e12d710ab4 Fixed config typo 2021-03-02 11:51:46 +02:00
Joshua Roys
92fcc314bf es-rule: make risk scores stable 
Don't create unnecessary deltas between runs.
 2021-03-01 10:13:34 -05:00
Thomas Patzke
a08571be91 Merge branch 'master' of https://github.com/Neo23x0/sigma 2021-02-28 21:57:51 +01:00
Thomas Patzke
6995e6378b Added LGPL to distribution 2021-02-28 21:32:38 +01:00
jaegeral
e1f43f17c2 fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00
Thomas Patzke
e248012783 Release 0.19 2021-02-23 21:27:14 +01:00
Thomas Patzke
5cfd837776 Removed irrelevant type check in fieldlist backend 
Fixes issue #1351
 2021-02-23 21:15:29 +01:00
Thomas Patzke
74ae89833f Added long description to PyPI distribution 2021-02-23 21:06:25 +01:00
Dennis Potashnik
563fd3c7e2 Fixed error mapping for stix-shifter configuration 2021-02-08 17:55:03 +02:00