valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 01:45:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
6,323 Commits 20 Branches 25 Tags 21 MiB
ae06ebcae0
Commit Graph

952 Commits

Author SHA1 Message Date
Florian Roth
66d0f910dd feat: windows native events - registry_event 2021-04-25 22:35:23 +02:00
Florian Roth
08234c4620 Revert "fix: splunk for windows config errors" 
This reverts commit 13347df263.
 2021-04-25 21:52:29 +02:00
Florian Roth
d766c12888 feat: generic categories - thor config 2021-04-23 17:47:09 +02:00
Florian Roth
c7ce9154d1
Merge pull request #1030 from stevengoossensB/master 
Updated sysmon config and rewrite rules to use categories
 2021-04-23 16:52:25 +02:00
phantinuss
95fa99b4a3
search generic log files for product: linux 2021-04-23 12:00:48 +02:00
Florian Roth
64f5af4c45
Merge pull request #1432 from SigmaHQ/rule-devel 
fix: splunk windows config, additional rule
 2021-04-23 10:30:44 +02:00
Florian Roth
13347df263 fix: splunk for windows config errors 2021-04-23 09:50:13 +02:00
Thomas Patzke
35e6e515ba
Merge pull request #1414 from herrBez/fix-542-dsl-aggregation-without-aggfield 
Fix es-dsl aggregation generation when aggfield is not given
 2021-04-20 10:35:16 +02:00
Cedric Hien
2ff27aa980 Fix SyntaxWarning for 'is' on fireeye-helix backend 2021-04-17 12:55:13 +02:00
Steven
7b679cc1f7 - Modified rules to use categories instead of hardcoded event IDs 
- Added file_delete category (Sysmon Event ID 23) to the generic translation file
 2021-04-15 01:40:31 +02:00
Steven
850a002840 Merge branch 'master' of https://github.com/SigmaHQ/sigma 2021-04-15 01:25:48 +02:00
herrBez
3b30a91185 Fix es-dsl aggregation generation when aggfield is not given 
Related to #542 and #543
 2021-04-06 16:41:46 +02:00
Thomas Patzke
5118be6bf6
Merge pull request #1407 from JohnConnorRF/winlogbeat_config_update 
Update winlogbeat configuration file to support File Product details
 2021-04-06 00:51:27 +02:00
Thomas Patzke
82fd5ca233
Merge pull request #1408 from roysjosh/es-rule-threshold 
Implement Elastic threshold detection rules
 2021-04-06 00:50:50 +02:00
Thomas Patzke
d789eb9c6f
Merge pull request #1409 from roysjosh/es-barf-on-multiple-conditions 
Elastic: raise an error from the base backend if a rule has multiple conditions
 2021-04-06 00:50:05 +02:00
Thomas Patzke
9606fc9c38
Merge pull request #1411 from wietze/mdatp_improvements 
Various Defender for Endpoint (mdatp) bug fixes
 2021-04-06 00:37:40 +02:00
Thomas Patzke
5f2ff99eea Replaced pip requirements with pipenv 2021-04-03 01:00:22 +02:00
Wietze
30c6d753fd
Removed unnecessary imports 2021-04-01 16:08:22 +01:00
Wietze
fb1bb91c3c
Apply changes to Defender for Endpoint backend 2021-04-01 16:02:06 +01:00
JohnConnorRF
477f05c5f2 Added in Product entry for winlogbeat-old 2021-04-01 09:24:24 -04:00
JohnConnorRF
1f3ee87e55 Added Product field to winlogbeat-modules-enabled.config. Note that the ECS details for Process do not include Product (https://www.elastic.co/guide/en/ecs/1.4/ecs-process.html) so winlog.event_data.Product was used instead of process.Product 2021-04-01 09:19:21 -04:00
Florian Roth
2560f40e06
Merge pull request #1406 from roysjosh/winlogbeat-mapping 
Map CommandLine appropriately
 2021-04-01 09:16:28 +02:00
Joshua Roys
7923852cc3 Elastic: raise an error from the base backend if a rule has multiple conditions 2021-03-31 16:01:05 -04:00
Joshua Roys
0448e46870 Implement Elastic threshold detection rules 
Transform supported count() aggregations (> and >=, no count field,
optionally a group by field) into a threshold detection rule.
 2021-03-31 15:19:04 -04:00
JohnConnorRF
3fd396f4db Updated winlogbeat configuration file to support File Product details 2021-03-30 13:21:14 -04:00
Joshua Roys
30ab2aad75 Map CommandLine appropriately 
Args is an array of the exploded command line and causes many rules to misfire.
 2021-03-30 10:15:10 -04:00
Thomas Patzke
eb98f0ba28
Merge pull request #1402 from refractionPOINT/lc-support-live-wel 
Add option to support different LimaCharlie targets.
 2021-03-29 23:13:01 +02:00
Florian Roth
ac1f82f7ca
Merge pull request #1380 from iosonogio/bugfix/netwitness-null 
[bugfix] netwitness and netwitness-epl backends have incoherent null expressions
 2021-03-29 11:23:18 +02:00
Maxime Lamothe-Brassard
e0666036a4 Add option to support different LimaCharlie targets. 2021-03-24 17:58:50 -07:00
Florian Roth
7d7dd4cb67 fix: missing index field in FE helix config 2021-03-20 09:09:45 +01:00
Florian Roth
8b145e20e4 Merge branch 'rule-devel' of https://github.com/SigmaHQ/sigma into rule-devel 2021-03-20 09:04:40 +01:00
Florian Roth
58a1ab9817 fix: wrong indentation in fireeye helix mapping 2021-03-20 09:04:38 +01:00
Florian Roth
e47ee24889
Merge branch 'master' into rule-devel 2021-03-20 08:52:55 +01:00
Florian Roth
9e287a1b89 feat: MSExchange Management log mapping 2021-03-20 08:49:59 +01:00
Florian Roth
1fc408bfaa fix: duplicate field values in YAML configs 2021-03-20 08:49:43 +01:00
Florian Roth
6ac6b9295b
Merge pull request #1392 from hustlibraco/patch-1 
Update winlogbeat.yml
 2021-03-20 08:28:35 +01:00
albchen
42e82c95df
Updated for use with Image Load events 
Added compatibility to add DeviceImageLoadEvents if "image_load" category is found. Also, field ImageLoaded added to the mapping.
 2021-03-18 15:49:25 -07:00
Codehardt
6d626456f2 fix: syntax error in THOR's config file 2021-03-17 11:49:50 +01:00
libraco
3c5624ca88
Update winlogbeat.yml 
add `SAMAccountName: winlog.event_data.SamAccountName` mapping for rules/windows/builtin/win_vul_cve_2020_1472.yml
 2021-03-15 23:54:28 +08:00
libraco
2971a08734
Update winlogbeat.yml 
add AccessList mapping of winlogbeat for rules/windows/builtin/win_susp_lsass_dump_generic.yml.
 2021-03-15 23:01:07 +08:00
Thomas Patzke
f4734cd5e5
Merge pull request #1309 from WuerthIT:logsourcemerging 
functionality for parameter logsourcemerging
 2021-03-13 22:25:29 +01:00
Thomas Patzke
c13f3f1383
Merge pull request #1325 from dennispo/align-simac-stixshifter 
sigmac to STIX enhancements
 2021-03-13 18:49:12 +01:00
Thomas Patzke
99c7889363
Merge pull request #1368 from roysjosh/stable-risk-scores 
es-rule: make risk scores stable
 2021-03-13 18:46:37 +01:00
vh
7eeed68fb4 Chronicle Security Backend contributed by SOC Prime. 2021-03-12 12:21:44 +02:00
Johnny Walker
0873c57acf
Update netwitness.py 
nullExpression fixed to be really null (missing exclamation mark)
 2021-03-09 17:43:44 +01:00
Johnny Walker
4e5a9a58a5
Update netwitness-epl.py 
nullExpression and notNullExpression fixed to be logically coherent and compatible with EPL syntax
 2021-03-09 17:41:54 +01:00
Dennis Potashnik
12cc2cade1 Moved references to binary file from custom config to stix-2.0 config 2021-03-02 12:04:22 +02:00
Dennis Potashnik
e12d710ab4 Fixed config typo 2021-03-02 11:51:46 +02:00
Joshua Roys
92fcc314bf es-rule: make risk scores stable 
Don't create unnecessary deltas between runs.
 2021-03-01 10:13:34 -05:00
Thomas Patzke
a08571be91 Merge branch 'master' of https://github.com/Neo23x0/sigma 2021-02-28 21:57:51 +01:00
Thomas Patzke
6995e6378b Added LGPL to distribution 2021-02-28 21:32:38 +01:00
jaegeral
e1f43f17c2 fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00
Thomas Patzke
e248012783 Release 0.19 2021-02-23 21:27:14 +01:00
Thomas Patzke
5cfd837776 Removed irrelevant type check in fieldlist backend 
Fixes issue #1351
 2021-02-23 21:15:29 +01:00
Thomas Patzke
74ae89833f Added long description to PyPI distribution 2021-02-23 21:06:25 +01:00
Dennis Potashnik
563fd3c7e2 Fixed error mapping for stix-shifter configuration 2021-02-08 17:55:03 +02:00
Dennis Potashnik
08ee6d7f1f deleted missed file 2021-02-08 11:44:00 +02:00
Dennis Potashnik
2b917d6f97 Merge branch 'align-sigmac-stixshifter' into align-simac-stixshifter 2021-02-08 11:40:47 +02:00
Dennis Potashnik
08c8db25e9 New configuration layout: stix2.0 for basic stix mapings, stix-shifter to match the OCA stix-shifter mappings and stix-custom for the unsupported mappings 2021-02-08 10:56:31 +02:00
Chris Brake
4aa7505b40 Updated fields to align with MS Advanced Threat Hunting Schema. Standardised and sorted fields across schemas. 2021-02-04 11:54:29 +00:00
Gregor
921ebf7445 Optimizing Qradar query generation in cases where field definitions are missing 2021-01-26 15:24:44 +01:00
Gregor
ac3730d2fa Fixing Qradar implementation for create valid AQL queries 2021-01-25 15:37:05 +01:00
k-vdv
89a4e48b0a bugfix field support 2021-01-22 09:28:23 +01:00
Florian Roth
11c216629b fix: thor sources for applocker with wrong prefix 2021-01-07 12:27:37 +01:00
Dennis Potashnik
70d14b46ef Aligning with newer stix-shifter version 2021-01-05 15:13:36 +02:00
Thomas Patzke
789dfb3f47
Merge pull request #1291 from lprat/fix_issue_1285 
fix issue 1285
 2020-12-30 23:06:38 +01:00
Thomas Patzke
675d93ee3d
Replaced string comparison with isinstance 2020-12-30 22:50:13 +01:00
Thomas Patzke
1bb0963784 Moved set_size option to class where it's used 2020-12-30 22:25:57 +01:00
Thomas Patzke
ac55c7fdd4 Merge branch 'elasticsearch_backend' of https://github.com/WuerthIT/sigma into pr-1308 2020-12-30 22:18:13 +01:00
maravedi
fa6f75f07e
Update sumologic.yml 
The commit from vihreb on October 6, 2020 (51df5ad876) removed some items from the allowed fields list for the sumologic backend (51df5ad876/tools/sigma/backends/sumologic.py (L161)) with the expectation that they are included in the sumologic config, however the default sumologic config does not reflect that change. This breaks the parsing of maps from rules. For example, when trying to run sigmac on a rule with multiple EventID values, the result is an error that states "argument of type 'int' is not iterable."

I suspect that this change in the behavior of the backend was made to accommodate for new sumologic-cse config which may not need the additional allowed fields that the regular sumologic config does. As such, I think it would probably make the most sense to re-add these fields to the sumologic config file rather than directly back into the backend for sumologic.

Note: In the config, I did not include those fields that are presently hard coded in the allowed field list in the sumologic backend (e.g. _sourceCategory and _view were removed). I also removed "sourcename" since from what I can tell, the syntax that vihreb added to the sumologic backend "_sourceName" is actually correct.
 2020-12-28 16:46:32 -05:00
k-vdv
6744770768 functionality for parameter logsourcemerging 2020-12-15 09:23:49 +01:00
k-vdv
7e6f01f611 elasticsearch backend: new parameter and fields support 2020-12-14 16:07:09 +01:00
Florian Roth
d1f7a206b9
Merge pull request #1289 from weslambert/master 
Fix typo
 2020-12-13 19:04:07 +01:00
Simon
97fcae56fd
Update sigmac.py 2020-12-06 20:08:00 +01:00
Simon
4a4d3e1d35
Update sigmac.py 2020-12-04 18:22:24 +01:00
Simon Hilchenbach
a40ef7360d
Add sigmac flag to delimit results by NUL instead of \n 2020-12-04 18:05:23 +01:00
Thomas Patzke
578d2f0585
Merge pull request #1283 from 404d/mdatp-fixes 
mdatp: Mapping and generic event changes, case insensitive search
 2020-11-29 21:56:17 +01:00
findthebad
ad899899ab Updated winlogbeat.yml config to include OriginalFileName 2020-11-26 14:48:14 -05:00
Helge Aksdal
3a7c114ca3 Fix field mapping for DestinationHostname 2020-11-26 04:17:28 +01:00
Thomas Patzke
0ed54a6cae
Merge pull request #1290 from arollyson/helix_backend 
Backend: FireEye Helix
 2020-11-21 00:06:19 +01:00
Lionel
7ca368d1ed
fix issue 1285 
https://github.com/Neo23x0/sigma/issues/1285
 2020-11-20 16:42:20 +01:00
Alek Rollyson
83b8af6cd2 Add FirEye Helix backend 2020-11-19 11:18:28 -05:00
weslambert
832e582b8d
Fix typo 2020-11-17 17:44:40 -05:00
Florian Roth
9944c0e563 Merge branch 'master' into pr/1267 2020-11-17 14:33:55 +01:00
Florian Roth
c5c6557ca2
Merge pull request #1256 from vastlimits/master 
Backend: uberAgent ESA converter backend
 2020-11-17 14:29:01 +01:00
heyibrahimkhan@gmail.com
eed4fe04d5 added role name field to ecs-cloudtrail. 2020-11-13 05:59:55 +05:00
Simen Lybekk
c0a7cdc3de mdatp: Use case-insensitive searches by default 
This sohuld match the draft Sigma specification as well as other backends
 2020-11-12 14:09:30 +01:00
Simen Lybekk
a75d4fb561 mdatp: Add more field mappings and table<->generic event mappings, skip IMPHASH as it's not supported 2020-11-12 13:15:38 +01:00
Sven Scharmentke
446b0b7f9d Merge branch 'master_origin' 2020-11-11 12:32:53 +01:00
Sven Scharmentke
a58d04e4df Rules: Support image_load 2020-11-11 12:31:55 +01:00
Thomas Patzke
43b9b17767
Merge pull request #1281 from andurin/kibana-ndjson-configs 
kibana-ndjson for all configs which already have kibana
 2020-11-11 07:34:37 +01:00
Florian Roth
230562bdf6
Merge pull request #1278 from K-Yo/update-navigator-v4 
Update navigator v4
 2020-11-10 13:34:46 +01:00
Florian Roth
c087e39698
Merge pull request #1277 from K-Yo/fix-unicode-error 
Fix unicode error in sigma2attack
 2020-11-10 13:34:05 +01:00
Hendrik
7e742cc049 kibana-ndjson for all configs which already have kibana 2020-11-09 08:46:17 +01:00
Hendrik
96e90fbff2 Fix recursion of rules 2020-11-06 12:43:52 +01:00
Olivier Caillault
34f24a60a1 Updating attack navigator version to v4.0 2020-11-05 23:37:01 +01:00
Hendrik
bf5d40eec3 New Backend - Kibana NDJSON 
Tested against 7.9.3
 2020-11-05 23:34:25 +01:00
Olivier Caillault
31639366cd Fix unicode error in sigma2attack 2020-11-05 22:30:12 +01:00
Jonhnathan
90e211bad8
Create ecs-suricata.yml 2020-11-01 21:21:04 -03:00
Thomas Patzke
f0e89b0c8c Fixed: typecheck in sumologig-cse 2020-10-23 19:49:55 +02:00