frack113
b92b765f9a
Fix import to Kibana error 400: severity is invalid.
2021-05-20 13:14:43 +02:00
frack113
cbb81cdf86
Fix import to Kibana error 400: risk_score is null.
risk_score is an integer.
If level is invalid, set to medium.
2021-05-20 12:32:19 +02:00
frack113
f0974e9cf3
Fix: **false_positives** must be an array.
If null, add "Unknown".
If it is a string, convert it to a simple one-row array.
2021-05-20 11:20:38 +02:00
frack113
76523c5dbf
fix [#1486](https://github.com/SigmaHQ/sigma/issues/1486).
rule_id is always a uuid now.
For a rule collection with only one uuid:
- the first detection gets the uuid
- other detections get a new uuid
It is a palliative, because the secondary uuids are not kept between two launches.
Best practice is to use one uuid per detection, not per file.
2021-05-20 08:42:58 +02:00
Florian Roth
18bbb2a342
Merge pull request #1490 from frack113/ElasticSearchRuleBackend
Fix ElasticSearchRuleBackend to use uuid instead of title for the rule id
2021-05-18 20:01:25 +02:00
frack113
3b23c18f70
If not null, use uuid instead of title for the rule id
2021-05-17 22:12:17 +02:00
Florian Roth
5a3af872d8
Merge pull request #1479 from SigmaHQ/rule-devel
Rule devel, Trademark test
2021-05-15 13:42:34 +02:00
Florian Roth
9b32e72d0b
fix: syntax issue
2021-05-15 13:19:12 +02:00
Florian Roth
02bf32ce6c
fixed more legal issues
2021-05-15 13:09:08 +02:00
Florian Roth
526ab4f707
feat: trademark test case
2021-05-15 13:02:49 +02:00
Florian Roth
48757423ef
rule darkside patterns
2021-05-14 18:06:53 +02:00
Florian Roth
a655c5c1a0
update ngrok rule
2021-05-14 17:44:53 +02:00
Florian Roth
e4a1ce4498
rule: ngrok rdp port exposure
2021-05-14 17:34:52 +02:00
Florian Roth
3cf1be9e8d
rule: exchange vulnerability CVE-2021-28480
2021-05-14 10:08:41 +02:00
Florian Roth
691283616f
Merge pull request #1477 from wagga40/master
Resolves #1450 - Bug in es-rule backend when using "-r" argument
2021-05-14 09:00:30 +02:00
Florian Roth
bd81adc998
Merge pull request #1476 from wagga40/master
Change to have raw log in rule results with SQL/SQLite Backends
2021-05-14 08:59:57 +02:00
Florian Roth
30bee7204c
Merge pull request #1475 from wagga40/master
Modified some field values for case sensitive backends (SQL)
2021-05-14 08:59:39 +02:00
Florian Roth
83068416fa
Merge pull request #1458 from P4rtyH4RD/P4rtyH4RD-patch-1-mitre-code
Update powershell_suspicious_getprocess_lsass.yml
2021-05-14 08:59:14 +02:00
Florian Roth
09e32ae02e
Merge pull request #1474 from frack113/Check_category
Check category
2021-05-14 08:58:46 +02:00
wagga40
534898a3ce
Resolves #1450 - Bug in es-rule backend when using "-r" argument
2021-05-13 21:47:22 +02:00
wagga40
972f7a562b
Updated SQL/SQLite backend tests
2021-05-13 17:51:54 +02:00
wagga40
5e99379803
Change to have raw log in rule results with SQL/SQLite Backends
2021-05-13 15:01:52 +02:00
wagga40
8944ccea04
Modified some field values for case sensitive backends (SQL)
2021-05-13 06:19:04 +02:00
frack113
cccfb3e59e
file_event is a category
2021-05-12 09:05:52 +02:00
frack113
0fd8606e00
image_load is a category
2021-05-12 09:02:04 +02:00
frack113
fa72242ff0
image_load is a category
2021-05-12 08:59:51 +02:00
frack113
ecc0fcb082
process_creation is a category
2021-05-12 08:57:57 +02:00
frack113
cf0a710b4d
process_creation is a category
2021-05-12 08:55:35 +02:00
frack113
70a5c8bb5f
registry_event is a category
2021-05-12 08:51:38 +02:00
frack113
026320f613
registry_event is a category
2021-05-12 08:36:42 +02:00
Florian Roth
33d9d6876e
Merge pull request #1456 from wagga40/update-sql-backend
Add a backend option to specify table name for SQL Backend
2021-05-11 15:00:39 +02:00
Florian Roth
7d7f8c90ec
Merge pull request #1443 from icthieves/patch-3
Update win_scm_database_privileged_operation.yml
2021-05-11 15:00:20 +02:00
Florian Roth
980ea97217
Merge pull request #1444 from icthieves/patch-2
Update win_scm_database_handle_failure.yml
2021-05-11 15:00:09 +02:00
Florian Roth
3564cf81f9
Merge pull request #1460 from neu5ron/patch-1
[Add Rule] Zeek Suspicious DNS Z Flag Set
2021-05-11 14:59:48 +02:00
Florian Roth
7bc733a3cf
Merge pull request #1473 from frack113/master
Correct the sysmon case-sensitive Key
2021-05-11 14:59:20 +02:00
Florian Roth
b655c25f7a
Merge pull request #1459 from JohnConnorRF/winlogbeat_scriptblock_logging
Add ScriptBlockText to Winlogbeat Configs
2021-05-11 14:59:08 +02:00
Florian Roth
0fcbce9932
Merge pull request #1465 from austinsonger/win_susp_certutil_command.yml
Got rid of references that are no longer valid.
2021-05-11 14:32:47 +02:00
Florian Roth
85736ad859
Merge pull request #1467 from 2d4d/master
Update av_webshell.yml
2021-05-11 14:32:11 +02:00
frack113
f07c368ae0
Correct case-sensitive Key "OriginalFileName"
2021-05-11 11:18:01 +02:00
frack113
c4c720cc30
Correct case-sensitive Key "OriginalFileName"
2021-05-11 11:16:12 +02:00
frack113
720dd24814
Correct case-sensitive Key "OriginalFilename"
2021-05-11 11:13:33 +02:00
frack113
a1b0dfc0cd
Correct case-sensitive Key "DestinationIp"
2021-05-11 10:49:10 +02:00
Florian Roth
67e807983c
Merge pull request #1470 from SigmaHQ/rule-devel
New CS rule for malformed UAs, FP fixes
2021-05-10 13:40:27 +02:00
Florian Roth
416030a85f
rule: cobaltstrike malformed UAs
2021-05-10 12:43:14 +02:00
Florian Roth
fcb7aa3bcf
fix: FPs with rules
2021-05-10 12:42:59 +02:00
Florian Roth
270aedfd62
Merge pull request #1469 from d4rk-d4nph3/master
Added rule for RClone usage for exfiltration
2021-05-10 10:50:35 +02:00
Bhabesh Rai
9c8b9756e5
Added rule for RClone usage for exfiltration
2021-05-10 14:06:53 +05:45
Nate Guagenti
0bee1b006f
fix - add date
2021-05-08 21:37:25 -04:00
Arnim Rupp
b9fc257124
Update av_relevant_files.yml
Added extensions and paths from cheat sheet 1.8 plus some more (maybe add webserver roots + scripting languages to the cheat sheet?)
2021-05-09 00:03:47 +02:00
Arnim Rupp
ad3b829f2d
Update av_webshell.yml
Added new strings and moved some from startswith to contains.
2021-05-08 08:49:17 +02:00