Commit Graph

828 Commits

Author SHA1 Message Date
vunx2
19d9e4856e clean Value + config 2020-02-05 17:47:35 +07:00
vunx2
579e7481c7 cleanValue + eventID list 2020-02-04 18:14:40 +07:00
Thomas Patzke
d7bd90cb24 Merge branch 'master' into oscd 2020-02-03 23:13:16 +01:00
Thomas Patzke
1bc2c0b930 Deduplication of backend list
Fixes issue #609. Added backend list debug output (class name).
2020-02-03 22:16:00 +01:00
vunx2
2930df17d6 update sigma 2020-02-03 09:47:06 +07:00
Thomas Patzke
815c562a17 Merge branch 'master' into oscd 2020-02-02 13:40:08 +01:00
vh
dc5a31aebc Updated Azure Sentinel backend 2020-01-31 17:17:24 +02:00
Thomas Patzke
7b4ec734a8 Using rule ids as Kibana object id 2020-01-30 11:30:01 +01:00
Thomas Patzke
7b62b931ce Moved ala-rule backend code into ala backend module 2020-01-13 11:24:46 +01:00
Thomas Patzke
de690cbfbf Merge branch 'master' of https://github.com/socprime/sigma into socprime-master 2020-01-13 11:19:39 +01:00
neu5ron
d8b703462d fix name of network_initiated 2020-01-13 00:12:04 -05:00
Thomas Patzke
8d6a507ec4 OSCD QA wave 1
* Checked all rules against Mordor and EVTX samples datasets
* Added field names
* Some severity adjustments
* Fixes
2020-01-11 00:11:27 +01:00
Maxime Lamothe-Brassard
a3ad7cb1c5 Fixed actual event tag 2019-12-30 18:15:12 -08:00
Maxime Lamothe-Brassard
9b32086d92 Mapping OriginalFileName to event/INTERNAL_NAME now that it's available. 2019-12-30 15:58:18 -08:00
SOC Prime
92bc96a308
Update ala-rule.py 2019-12-30 16:26:30 +02:00
vh
f2117f798a Fix ala-rule 2019-12-30 16:24:08 +02:00
SOC Prime
f015c97dff
Update ala-rule.py 2019-12-30 16:13:27 +02:00
vh
f9570a48cb Azure Sentinel backend (ala) - Fixed path in query
Added new backend Azure Sentinel Rule (ala-rule)
2019-12-30 16:11:53 +02:00
vh
d42409372c Azure Sentinel backend (ala) - Fixed path in query
Added new backend Azure Sentinel Rule (ala-rule)
2019-12-30 16:09:19 +02:00
fuseyjz
0b2f88d5df
Sigma converter for SQL format
Get the converted SQL query after the WHERE statement for any filtering on SQL platform.

Example:
https://github.com/fuseyjz/sigma-sql/blob/master/README.md
2019-12-24 10:42:25 +08:00
christophetd
e99b0fe2d7 Add sigma2attack 2019-12-19 00:00:13 +01:00
Thomas Patzke
d2a940a0a6 Merge branch 'devel' of https://github.com/Neo23x0/sigma 2019-12-13 22:01:40 +01:00
Thomas Patzke
ee4138c48e
Merge pull request #526 from zouzias/hotfix_aggregate_count_distinct_groupby
[feature] extend es-dsl to support nested aggregations
2019-12-13 21:55:47 +01:00
Thomas Patzke
a25b2ec361
Merge pull request #523 from refractionPOINT/lc-added-mtd
LC added FP metadata
2019-12-13 21:50:52 +01:00
Thomas Patzke
b701e9be50 Added ECS proxy configuration 2019-12-09 16:34:07 +01:00
Thomas Patzke
991108e64d Further proxy field name fixes (config + rules) 2019-12-07 00:23:30 +01:00
Thomas Patzke
51e9689425 Sigmatool release 0.15.0 2019-12-06 22:13:44 +01:00
Maxime Lamothe-Brassard
27bb07b74e Adding support for basic proxy rules using the HTTP_REQUEST events from the Chrome LC Agent. 2019-12-05 09:35:09 -08:00
Lep
60997b47b2 moreEventID 2019-11-28 21:34:52 +07:00
Lep
412dfc4f05 Merge branch 'master' of http://git.security.fis.vn/VuNX2/sigma 2019-11-28 17:38:57 +07:00
Lep
738008b52b requirement 2019-11-28 17:38:05 +07:00
Nguyen Xuan Vu
042d078ee1 Update requirements.txt 2019-11-28 05:26:09 -05:00
Lep
158ffd2f0c requirement 2019-11-28 17:23:05 +07:00
Lep
37257170dd postAPI 2019-11-28 16:01:24 +07:00
Lep
d08ff35222 postAPI 2019-11-28 11:45:49 +07:00
Maxime Lamothe-Brassard
61bcc46394 Prettier formatting of YAML. 2019-11-18 14:50:41 -05:00
Maxime Lamothe-Brassard
9eed57ee1d Adding the "falsepositives" field to the LC metadata. 2019-11-15 08:30:41 -05:00
Anastasios Zouzias
3c7f522017 add .keyword on aggs; add extra unit test 2019-11-14 14:34:50 +01:00
Thomas Patzke
cf22e9e576 Added hint on failed UUID check 2019-11-12 23:37:28 +01:00
Thomas Patzke
ca53e937d9 Removed sigma.output from setup packages 2019-11-12 23:11:39 +01:00
Thomas Patzke
3828f4a95c Merge branch 'uuid' into assign-ids 2019-11-12 22:46:54 +01:00
Thomas Patzke
0065e2420f Merge branch 'oscd-qa' 2019-11-12 20:54:11 +01:00
Anastasios Zouzias
e7ed0fa9ea added unit test 2019-11-12 14:06:10 +01:00
Anastasios Zouzias
324005a126 [feature] extend es-dsl to support nested aggregations 2019-11-12 11:46:43 +01:00
Thomas Patzke
6d62d426c9 Added sigma-uuid tool
* Moved SigmaYAMLDumper to new sigma.output module
2019-11-11 23:35:16 +01:00
Florian Roth
e2628d6df6 fix: wrong mapping on thor.cfg 2019-11-11 09:20:20 +01:00
Thomas Patzke
feb836cbf2 Sigmatools release 0.14 2019-11-10 00:09:59 +01:00
Florian Roth
faeccf0c3d Merge branch 'master' into devel 2019-11-09 22:42:16 +01:00
Florian Roth
a0beda240c fix: fixed wrong field mapping in windows-audit source config 2019-11-09 22:42:00 +01:00
Thomas Patzke
2222550b6e Allow ignore of type errors with sigmac -I 2019-11-08 23:56:39 +01:00
Thomas Patzke
8f1974d7d3 Added regular expression support in es-dsl backend 2019-11-08 23:56:39 +01:00
Thomas Patzke
465e41bfbb Added regular expression support in es-dsl backend 2019-11-08 22:31:02 +01:00
Thomas Patzke
5d995ad704 sigma-similarity: primary rule set for restriction of comparison 2019-11-08 21:15:13 +01:00
Thomas Patzke
ef14ee542d Added modifiers: startswith and endswith 2019-11-05 23:04:13 +01:00
Maxime Lamothe-Brassard
1b9054c1f3 Adding some comments 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
b7018bcd4a Adding a post-mapper mechanism to fix some common issues in Sigma rules to LC. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
c2e621cf08 Fixing another edge case with string escape. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
0c6b9e532b Remove debugging statement 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
6f2f1d2bd7 Add ability to map fields and values based on callbacks. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
0b9a3f3a08 Refactor to better support keyword fields. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
9aedb8f764 Adding another exception case to get more "contains" shortcuts instead of REs. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
102ab3081b Fix the conversion from simple wildcard strings to a full regular expression so that it is always correct. The previous solution just mostly worked. 2019-11-05 08:39:24 -05:00
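The wildcard-to-regex translation that the commit above fixes is a recurring source of silent false negatives across sigmac backends: a naive `str.replace("*", ".*")` leaves `.`, `+`, `(` and friends unescaped, so a pattern like `*\cmd.exe` also matches `cmdXexe`. The following is an added example, not code from the Sigma project; it implements the wildcard rules of the Sigma rule specification (`*` any run of characters, `?` one character, `\*`, `\?` and `\\` as literals, a lone backslash kept literal, matching case-insensitive by default). The function names and the sample command lines are constructed for this example.

```python
import re

# Added example, not sigmac code. Sigma wildcard rules implemented here:
#   *   any run of characters (including none)   ?   exactly one character
#   \*  literal asterisk   \?  literal question mark   \\  literal backslash
# A backslash before any other character stays a literal backslash.
ESCAPABLE = "*?\\"


def sigma_wildcard_to_regex(value: str) -> str:
    """Translate a Sigma wildcard value into an anchored regular expression.

    Every non-wildcard character goes through re.escape, so regex
    metacharacters in the value ('.', '(', '+', ...) match literally
    instead of being interpreted.
    """
    parts = []
    i, n = 0, len(value)
    while i < n:
        c = value[i]
        if c == "\\" and i + 1 < n and value[i + 1] in ESCAPABLE:
            parts.append(re.escape(value[i + 1]))   # escaped wildcard -> literal
            i += 2
        elif c == "*":
            parts.append(".*")
            i += 1
        elif c == "?":
            parts.append(".")
            i += 1
        else:
            parts.append(re.escape(c))              # also covers a lone backslash
            i += 1
    return "^" + "".join(parts) + "$"


def wildcard_match(pattern: str, text: str, case_sensitive: bool = False) -> bool:
    """Match a Sigma wildcard pattern against one field value.

    Sigma string comparisons are case-insensitive, so re.IGNORECASE is the
    default; a backend targeting a case-sensitive store would pass True.
    """
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(sigma_wildcard_to_regex(pattern), text, flags) is not None


def matching_values(pattern: str, values):
    """Return the values (e.g. one field across many events) the pattern matches."""
    return [v for v in values if wildcard_match(pattern, v)]


if __name__ == "__main__":
    # Constructed sample command lines, not real telemetry.
    sample = [
        r"C:\Windows\System32\cmd.exe",
        r"C:\Windows\System32\cmdXexe",     # '.' must not act as a regex wildcard
        r"C:\Tools\5*5.exe",                # literal asterisk in the path
        r"powershell.exe -enc AAAA",
    ]
    for pat in (r"*\cmd.exe", r"*\5\*5.exe", r"powershell.exe -e?? *"):
        print(pat, "->", sigma_wildcard_to_regex(pat), matching_values(pat, sample))
```

The anchors are emitted inside the regex rather than left to the caller, because a backend that hands the expression to a SIEM needs the anchoring to travel with it; `re.fullmatch` in the local matcher is then merely redundant.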
Maxime Lamothe-Brassard
e52f29dda9 Fix matches operator field set to value instead of re. 2019-11-05 08:38:06 -05:00
Thomas Patzke
54c75167ce Default configurations for backends 2019-11-03 23:32:50 +01:00
Thomas Patzke
4f19ef5708 Graylog backend now derived from es-qs
Technically, Graylog is ES. Fixes and improvements for ES didn't
propagate to Graylog, now they do.
2019-11-02 22:56:01 +01:00
Thomas Patzke
8af2b70594 Restrict search not bound to fields to keyword fields 2019-11-02 22:55:04 +01:00
Thomas Patzke
c9eb921f68 ConditionAND/OR constructor now allows arbitrary number of operands 2019-11-02 22:54:35 +01:00
Thomas Patzke
2eeccf48e0 Removed line breaks in Elastalert YAML output
Fixes #453
2019-10-29 22:45:37 +01:00
Maxime Lamothe-Brassard
f6fb9c7f5f Fixing typo in response metadata. 2019-10-28 11:31:50 -05:00
Maxime Lamothe-Brassard
2873e1ded3 Small refactors to make more readable and remove deprecated code paths to increase coverage. 2019-10-28 10:49:05 -05:00
Maxime Lamothe-Brassard
a7003c2aa3 Adding support for "unix", looking like a mistake by the creator. 2019-10-27 15:55:12 -05:00
Maxime Lamothe-Brassard
d019cef439 Adding a bit more early support for netflow and some linux exe. 2019-10-27 15:48:28 -05:00
Maxime Lamothe-Brassard
a57a7b58cf Added conceptual support for aliasing keywords to a specific field depending on the log source. 2019-10-27 15:28:54 -05:00
Maxime Lamothe-Brassard
60b20a76a6 Fixing handling of unsupported sources. 2019-10-27 12:37:06 -05:00
Maxime Lamothe-Brassard
0fe72d6133 Emit error on full-text searches not being supported. 2019-10-27 12:26:36 -05:00
Maxime Lamothe-Brassard
f43300af8e Fix the top level pre-condition for Windows Event Logs on LC. 2019-10-27 12:17:15 -05:00
Maxime Lamothe-Brassard
91e48d8c1b Adding setup links and fixing test that would crash Not node, but not seen in prod rules. 2019-10-27 11:56:32 -05:00
Maxime Lamothe-Brassard
8d866b0868 Adding comments. 2019-10-26 17:37:13 -05:00
Maxime Lamothe-Brassard
bc5e9bd03a Making rule output a full D&R (with the Response component) and includes a lot of metadata from the rule in the report. 2019-10-26 17:30:40 -05:00
Maxime Lamothe-Brassard
8cc3990aef Extending support for more random rules with odd names. 2019-10-26 16:59:33 -05:00
Maxime Lamothe-Brassard
4d65b62063 Adding support for generating rules for Windows builtin category for use in the External Logs of LC. 2019-10-26 16:30:50 -05:00
Maxime Lamothe-Brassard
30cc7ee809 Refactor mappings into a flat structure to account for missing parameters in some combinations. 2019-10-26 16:09:39 -05:00
Maxime Lamothe-Brassard
77329714c5 Adding service to indirection of mappings since it will be used for Windows Event Logs. 2019-10-26 16:06:42 -05:00
Maxime Lamothe-Brassard
823d86c7d9 Remove unimplemented config entries and fix bug with valueNode. 2019-10-26 15:54:08 -05:00
Maxime Lamothe-Brassard
bba43c7a86 First draft of support for LimaCharlie D&R rules. 2019-10-26 15:45:48 -05:00
Thomas Patzke
30948b9c1a Added sigma-similarity tool
Fixed also bug in backend base class that was triggered by the way
backends are used by this tool.
2019-10-25 21:59:03 +02:00
gsanm
150afd816d IP Clean 2019-10-22 17:49:50 +07:00
Thomas Patzke
8a545b973b Sigmatools release 0.13 2019-10-21 11:58:26 +02:00
lep
1c5816b214 update carbonblack module 2019-10-18 17:51:31 +07:00
lep
7219e0b0f1 module carbonblack 2019-10-18 14:04:38 +07:00
Thomas Patzke
fc276612b6 Added encoding modifiers 2019-10-16 23:52:06 +02:00
Steven Goossens
6a1a96a918 Implement mapping when selecting the fields for the AQL query. This was not being done correctly 2019-10-16 16:37:09 +02:00
Steven Goossens
2837d3ba74 Added the cleanValue function for Qradar 2019-10-16 10:27:24 +02:00
Thomas Patzke
849a5a520d Conditional field mapping resolve_fieldname now functional
Before this method just had some placeholder function that wasn't really
implementing the intended functionality of the conditional field
mapping. Now aggregations get also conditional field mapping
functionality.
2019-10-09 23:57:41 +02:00
Thomas Patzke
95c8d25858 Improved --backend-config help text 2019-10-07 22:30:57 +02:00
neu5ron
a729cc7905 create winlogbeat config/taxonomy specific to elastic enabled winlogbeat modules such as the one for sysmon (https://github.com/elastic/beats/blob/master/x-pack/winlogbeat/module/security/config/winlogbeat-security.js) sigmac conversion 2019-10-01 10:16:42 -04:00
neu5ron
f7fd936433 update HELK config taxonomy/mapping for sigmac conversion 2019-10-01 10:14:54 -04:00
Thomas Patzke
d4f89ebc1c Aggregation on keyword field in es-dsl backend
* Fixes #452
* Further fixed reference to count in restriction of results
2019-09-29 23:18:17 +02:00
Florian Roth
3d333290a9
Merge pull request #445 from EccoTheFlintstone/localadmin
rule: user added to local administrator: handle non english systems b…
2019-09-25 17:29:41 +02:00
Thomas Patzke
19f431b6d2 Changed xpack-watcher dateField default to previous value 2019-09-12 00:19:58 +02:00
ecco
4c5eab88b6 add GroupSid to other configs 2019-09-11 04:53:30 -04:00
herrBez
8f612f743c Use config dateField in xpack watcher to determine
datefield name as in elasticsearch dsl backend
2019-09-11 09:38:03 +02:00
ecco
5ae46ac56d rule: user added to local administrator: handle non-English systems by using group sid instead of name 2019-09-06 06:21:42 -04:00
Thomas Patzke
c80cb418cd Improved QRadar regular expression support 2019-09-05 15:35:26 +02:00
Thomas Patzke
30b6db8299 Fixed ES backend keyword field mapping wildcard match pattern 2019-09-05 12:55:10 +02:00
Thomas Patzke
3b1cbe529e Elasticsearch keyword field name blacklisting with wildcards 2019-09-05 12:38:32 +02:00
Thomas Patzke
2a60c71b9d
Merge pull request #437 from svent/qradar_regex_modifier
QRadar backend: add support for re type modifiers
2019-09-05 10:30:18 +02:00
Thomas Patzke
de5e2045f0
Merge pull request #428 from stevengoossensB/master
AQL field selection from signatures
2019-09-05 10:28:02 +02:00
Thomas Patzke
37e179b6a7
Merge pull request #390 from juju4/devel-sumo2
sumologic backend: fix index and full mapping coverage
2019-09-05 10:27:19 +02:00
svent
467c8f694c QRadar backend: add support for re type modifiers 2019-09-03 22:55:48 +02:00
Steven Goossens
cb088e4911 Remove quotes from around the fields to make the query semantically correct 2019-08-26 12:43:26 +00:00
Steven Goossens
ad19f05e2c Include mapped names rather than signature names 2019-08-26 12:06:20 +00:00
Steven Goossens
37caccd52e Includes the trial condition so generic query is generated whenever the fields are not defined 2019-08-26 11:48:40 +00:00
Steven Goossens
895682aef2 Implementing the fields to be selected 2019-08-26 10:57:43 +00:00
agold
0984293d0c Support for Malicious cmdlets in ATP 2019-08-20 14:33:08 -07:00
svent
1ea6d00a39 Fix QRadar field name escaping and handling 2019-08-12 23:47:43 +02:00
svent
826c1e3942 Fix QRadar backend config 2019-08-12 23:47:43 +02:00
Michiel Meersmans
0708fdd28e Correctly escape slashes within es-dsl wildcard queries 2019-08-07 12:56:19 +02:00
Florian Roth
9c85d5e80f
Merge pull request #406 from tuckner/master
Fix ala parsing issues
2019-08-06 10:28:07 +02:00
Thomas Patzke
940c36a4cd Fixed build
Missing package specification
2019-08-05 23:42:33 +02:00
Thomas Patzke
d5885686fc Sigmatools release 0.12
* Value modifiers
* Config name cleanup
2019-08-01 23:45:07 +02:00
Thomas Patzke
805c739611 Merge branch 'devel-modifiers' 2019-07-31 23:44:10 +02:00
Thomas Patzke
31c6ffcb61 No escaping for typed values 2019-07-31 23:43:29 +02:00
tuckner
8f2f1922c6
Merge pull request #1 from Neo23x0/master
update fork
2019-07-27 21:27:52 -05:00
Thomas Patzke
8a3117d73e Nested list handling for chained value modifiers 2019-07-16 23:03:19 +02:00
Thomas Patzke
6881967889 Further modifiers
* base64
* base64offset
2019-07-16 00:00:35 +02:00
Thomas Patzke
1bb29dca26 Implemented type modifiers and regular expressions 2019-07-15 22:52:10 +02:00
Thomas Patzke
b9ff280209 Cleanup of configuration names 2019-07-14 00:50:15 +02:00
Thomas Patzke
5489f870cc
Merge pull request #393 from HacknowledgeCH/master
Explicit OR for list elements
2019-07-13 23:11:44 +02:00
Thomas Patzke
134bfebe57 Ignore "timeframe" detection keyword in "all/any of" conditions
Fixes #395
2019-07-13 00:35:35 +02:00
christophetd
576912eb7a Support OR queries for Elasticsearch 6 and above 2019-07-08 17:12:53 +02:00
juju4
10290beb54 config/sumologic: more index mappings 2019-07-06 12:42:12 -04:00
juju4
7b0cace217 config/sumologic: more index mappings 2019-07-06 12:42:05 -04:00
juju4
2b5a77db53 add sumologic _sourceCategory and _view in aFL 2019-07-06 12:41:56 -04:00
juju4
b358d38e68 _index in aFL and mappings working! 2019-07-06 12:41:40 -04:00
Florian Roth
f7ba2b3976 fix: bug in sumologic backend with 'null' values 2019-07-02 22:31:10 +02:00
Thomas Patzke
337681cfce Value modifiers
* First transformation modifiers: contains, all
* Sigma converter modifier list
2019-06-30 23:41:28 +02:00
Thomas Patzke
161965d14c Added version information to Winlogbeat configs 2019-06-30 22:44:12 +02:00
herrBez
74021d53d8 Modified winlogbeat config to adhere to winlogbeat 7 field names breaking changes
ref: https://www.elastic.co/guide/en/beats/libbeat/current/breaking-changes-7.0.html
2019-06-30 12:13:21 +02:00
Thomas Patzke
6fab5d7f23 Improved testing and removed dead&debug code 2019-06-29 00:09:53 +02:00
Thomas Patzke
377872c91e Merge branch 'devel-sumo' of https://github.com/juju4/sigma into juju4-devel-sumo 2019-06-28 23:39:15 +02:00
Thomas Patzke
0c7151c901 Watcher backend default options, refactoring and testing 2019-06-28 23:22:16 +02:00
Adrian Constantin Stanila
feac0be8a4 Added 2 more actions on Elasticsearch X-pack Watcher: index and webhook
Added timestamp filter query.
2019-06-27 08:54:59 +03:00
juju4
654a009c9e sumologic backend: remove TypeError 2019-06-22 16:49:46 -04:00
juju4
559d0f4ba8 sumologic backend: force as string 2019-06-22 16:43:50 -04:00
juju4
2df0e9765c sumologic backend: pycodestyle review - E501 2019-06-22 16:41:57 -04:00
juju4
49533a5909 sumologic backend: pycodestyle review 2019-06-22 16:39:13 -04:00
juju4
84de12635e self.debug option, fix multiple keyvalue escapings/cleanValue, inline index for now 2019-06-22 16:19:45 -04:00
juju4
a11d800353 Merge branch 'master' into devel-sumo 2019-06-22 09:18:23 -04:00
Thomas Patzke
f4da0c5540 Added field SecurityID to Winlogbeat config 2019-06-19 23:35:50 +02:00
Thomas Patzke
f271685f59
Merge pull request #372 from dvas0004/patch-2
Addition of KeyLength field
2019-06-19 23:28:31 +02:00
Thomas Patzke
d82df83ef1
Merge pull request #369 from TareqAlKhatib/refactors
Refactors
2019-06-19 23:16:19 +02:00
David Vassallo
fdce7ad9bf
Addition of KeyLength field 2019-06-14 17:58:47 +03:00
Thomas Patzke
5715413da9 Usage of Channel field name in ELK Windows config 2019-06-11 13:15:43 +02:00
John Tuckner
3529b717cb fixed backend errors in ala 2019-06-10 09:25:59 -05:00
Tareq AlKhatib
d61a971874 Minor refactors 2019-06-10 09:55:52 +03:00
Thomas Patzke
8a0f706cca Merge branch 'master' of https://github.com/Neo23x0/sigma 2019-05-30 23:24:37 +02:00
Thomas Patzke
1986bcb843 Sigma tools release 0.11 2019-05-30 22:56:38 +02:00
Thomas Patzke
673973e523
Merge pull request #357 from agix/es_dsl_bug
fix missing condition when unique plus timeframe
2019-05-30 22:42:09 +02:00
Thomas Patzke
8023011bb1 Merge branch 'elastalert_dsl_backend' of https://github.com/agix/sigma into agix-elastalert_dsl_backend 2019-05-30 22:33:57 +02:00
Florian GAULTIER
89c1d7b63d Wrong fix, self.queries should be emptied after being copied to rule_object 2019-05-29 16:10:14 +02:00
Florian GAULTIER
748ac2e206 Don't combine multiple queries 2019-05-29 16:05:53 +02:00
Thomas Patzke
04d91573f3
Merge pull request #355 from agix/allow_empty_keyword
Allow empty keyword_field
2019-05-28 21:45:55 +02:00
Thomas Patzke
2ecc55c13f
Merge pull request #351 from ipninichuck/master
added metadata field to the watcher alert
2019-05-28 21:42:27 +02:00
Florian GAULTIER
d866e75750 Be sure there is a key in the single condition 2019-05-27 17:27:16 +02:00
Florian GAULTIER
e8a7c5f7b9 fix missing condition when unique plus timeframe 2019-05-27 17:22:28 +02:00
Florian GAULTIER
6bf010fb4b introduce elastalert-dsl
(cherry picked from commit 0235ec23200e62766d9f21fbd26ed834991a0b61)
2019-05-27 17:18:19 +02:00
Florian GAULTIER
4168c0ec64 Allow empty keyword_field 2019-05-27 15:08:33 +02:00
Thomas Patzke
36ba9f78da Improved message if configuration is missing 2019-05-27 13:18:36 +02:00
Thomas Patzke
38f3966751 Changed backend list formatting to new method 2019-05-26 22:58:14 +02:00
Thomas Patzke
eb9564557e Moved generic class discovery code into new tools module 2019-05-26 22:29:07 +02:00
Thomas Patzke
84690280c5 Improved behavior on missing configuration
Listing all configs usable with chosen backend
2019-05-24 22:41:47 +02:00
ipninichuck
75ec169d5c
added metadata field to the watcher alert
While utilizing Kibana to track watches directly from the watch index it became quickly apparent that useful metadata was not available. In my project's case it was the title, description and tags from the sigma rule. By adding them to the metadata field it makes it easier to utilize them in visualizations of the watches themselves. In the future perhaps the contents of the metadata field could be given as an option for each user.
2019-05-22 04:30:47 -07:00
Thomas Patzke
194afa739f Generate rule name for each condition
In backends kibana and xpack-watcher.

Fixes #329
2019-05-21 00:36:19 +02:00
Thomas Patzke
af0bd1b082 Removed debug code from backend option handling
Additionally: code simplification
2019-05-21 00:21:52 +02:00
Thomas Patzke
97541ac267 Added -C shortcut for --backend-config 2019-05-21 00:15:01 +02:00
Thomas Patzke
7e163d71eb Added option to use old URL in xpack-watcher backend 2019-05-21 00:01:21 +02:00
Thomas Patzke
4e63e925cf Merge branch 'patch-1' of https://github.com/lliknart/sigma into lliknart-patch-1 2019-05-20 23:43:49 +02:00
Thomas Patzke
11ed7e7ef8 Check for valid configuration/backend combinations 2019-05-20 01:00:33 +02:00
Thomas Patzke
e271484eef Load configurations via new config management 2019-05-20 00:27:35 +02:00
Thomas Patzke
3d20e0bc98 Sigma configuration management with listing
Missing:
* Use config by identifier
2019-05-17 09:13:59 +02:00
Thomas Patzke
71ff6bd943 Catch type errors in configuration handling 2019-05-16 23:34:44 +02:00
Thomas Patzke
36aeb19721 Added title to all configurations 2019-05-16 23:33:51 +02:00
lliknart
f86342012a
Update elasticsearch.py
From Elasticsearch 7.0, the URI to access the Watcher API changes

Deprecation: [PUT /_xpack/watcher/watch/{id}] is deprecated! Use [PUT /_watcher/watch/{id}] instead.
2019-05-16 16:17:57 +02:00
Florian Roth
a6d2a5d79b fix: more general fixes of the var type issue 2019-05-15 21:25:53 +02:00
Florian Roth
9f1bbb0a0d fix: missing type check in WDATP backend 2019-05-15 21:20:20 +02:00
Thomas Patzke
526468bec3
Merge pull request #298 from christophetd/elastalert-allow-rules-without-http-post-url
Allow generating Elastalert rules with the http_post alert type without specifying a URL at generation time
2019-05-10 00:31:33 +02:00
Thomas Patzke
a361664ed2
Merge pull request #318 from HacknowledgeCH/es-qs-not-parenthesis-fix
Correct parenthesization for NOT expressions in the ES-QS backend
2019-05-10 00:14:29 +02:00
Thomas Patzke
763939a8ca Hide --shoot-yourself-in-the-foot 2019-04-25 23:42:13 +02:00
Thomas Patzke
eb022f3908 Conditional field mapping for null values
Fixes #326
2019-04-25 23:24:05 +02:00
Thomas Patzke
cfb4f32651 Backend es-dsl tolerates rules without title and log source 2019-04-25 22:41:31 +02:00
Codehardt
17ae9ea91c Renamed spark config in setup.py 2019-04-25 09:56:29 +02:00
Codehardt
8cf505fcb3 Accidentally removed windows-dhcp logsource in spark's config file 2019-04-25 08:23:48 +02:00
Codehardt
79f7edb6b4 Added logsources for generic sigma rules to spark config, renamed spark config to thor config 2019-04-25 08:15:50 +02:00
Thomas Patzke
6918784e87 Configuration order checking 2019-04-23 00:54:10 +02:00
Thomas Patzke
c90d3e811e Formatted error code definitions 2019-04-23 00:53:52 +02:00
Thomas Patzke
e9af99c147 Completed error codes 2019-04-23 00:52:31 +02:00
Thomas Patzke
d0bd8a2a41 Mandatory configuration for most backends 2019-04-22 23:40:21 +02:00
Thomas Patzke
34c426a95b Moved error codes to constants defined centrally 2019-04-22 23:15:35 +02:00
christophetd
4e16bbafa8 Correct parenthesization for NOT expressions in the ES-QS backend 2019-04-16 10:30:18 +02:00
Thomas Patzke
5194e8778c Fail on missing target selection 2019-04-14 23:50:07 +02:00
Florian Roth
6351c5a350 Sigma ATT&CK coverage by @jmallette 2019-04-11 18:27:52 +02:00
Jon
cd456a1d2b initial SIGMA ATTACK Navigator layer release 2019-04-09 22:49:28 -04:00
juju4
152febcea2 sumologic: fixing non-pushed cleannode() 2019-04-07 13:04:15 -04:00
christophetd
d32e5c10b8 Allow generating Elastalert rules with the http_post alert type without specifying a URL at generation time 2019-04-03 17:22:58 +02:00
Thomas Patzke
0419ff215a Fixed quoting of single quotes in grep backend 2019-04-01 23:22:05 +02:00
Thomas Patzke
140a32d8c9 Sigma tools release 0.10 2019-03-16 01:02:48 +01:00
Thomas Patzke
2dda9a7b77 Moved Sysmon schema XML from contrib directory into module 2019-03-16 00:59:29 +01:00
Thomas Patzke
5e973a6321 Fixes and CI testing of --backend-config 2019-03-15 23:46:38 +01:00
Thomas Patzke
0864d05aa5 Merge branch 'backend-config-file' of https://github.com/christophetd/sigma into christophetd-backend-config-file 2019-03-15 23:35:11 +01:00
Thomas Patzke
3f7e08733a Added backend option 'sysmon' for ala backend 2019-03-15 23:26:15 +01:00
Thomas Patzke
8d1723e65c Merge branch 'master' of https://github.com/tuckner/sigma into tuckner-master 2019-03-15 23:06:08 +01:00
John Tuckner
a1ba04aec8 modified process creation logic 2019-03-08 00:01:43 -06:00
Thomas Patzke
a429f09cc1 Merge branch 'elastalert-alert-types' of https://github.com/christophetd/sigma into christophetd-elastalert-alert-types 2019-03-07 23:54:05 +01:00
tuckner
e9ddd933f8 more fixes for process creation 2019-03-07 16:28:35 -06:00
John Tuckner
5a64f572e3 update 2019-03-07 10:32:59 -06:00
John Tuckner
283bd278f4 added eventid to sysmon process creation 2019-03-05 20:58:23 -06:00
John Tuckner
971bd49071 accommodated process creation and slash escapes 2019-03-05 20:50:30 -06:00
tuckner
cf186387af Added schema file checking 2019-03-04 11:53:51 -06:00
tuckner
c5796d7853 Added Azure Log Analytics backend 2019-03-04 10:49:50 -06:00
tuckner
8179d182c4 added azure log analytics 2019-03-04 10:44:45 -06:00
Thomas Patzke
99b15edf8a Sigma tools release 0.9 2019-03-02 00:47:03 +01:00
Thomas Patzke
56a1ed1eac Merge branch 'project-1' 2019-03-02 00:26:10 +01:00
Thomas Patzke
7602309138 Increased indentation to 4
* Converted (to generic sigma) rules
* Converter outputs by default with indentation 4
2019-03-02 00:14:20 +01:00
Thomas Patzke
690807c846 Sigma tools release 0.8 2019-02-28 09:08:22 +01:00
Thomas Patzke
c922f7d73f Merge branch 'master' into project-1 2019-02-26 00:24:46 +01:00
christophetd
1a6faf385c Add HTTP POST alert type to the Elastalert backend 2019-02-23 14:12:14 +01:00
christophetd
3a7160d52b Accept backend options from a configuration file (closes #213) 2019-02-23 13:20:20 +01:00
Thomas Patzke
9ef314486e Grep backend escapes + 2019-02-19 14:49:06 +01:00
Florian Roth
004497075d fix: spark source config bug 2019-02-12 23:27:38 +01:00
Thomas Patzke
01dfc23a26
Merge pull request #234 from juju4/devel-sumo
Sumologic support update
2019-02-09 23:54:23 +01:00
Thomas Patzke
5866d8eb71
Merge pull request #238 from sisecbe/patch-1
Adapt count function when aggfield not present
2019-02-09 23:38:20 +01:00
juju4
4429d7564f remove 'escape' of '_' - not needed 2019-02-09 12:57:43 -05:00
juju4
a815b7eb9b add custom cleanValue function for wildcards in keyvalue: OK with lists, NOK with string 2019-02-09 12:57:07 -05:00
neu5ron
046510f021 updated HELK Destination IP name 2019-02-05 13:11:06 -05:00
sisecbe
5d94b9f0bc
Changed stats to eventstats
Changed 'stats' to 'eventstats' when using aggregation, this keeps the original data of the event in the result.
2019-02-05 17:36:46 +01:00
sisecbe
2f5eb08b41
Adapt count function when aggfield not present
When no field is present, use "count"; when a field is present, use "dc(field)", as described in the Sigma specification.
Splunk throws errors when using "count()" with empty fields. Use "count" instead.
2019-02-05 15:44:05 +01:00
Florian Roth
a276d3083d DHCP log source in sigmac configs 2019-02-05 14:35:23 +01:00
juju4
7d159fb980 sumologic backend: review with inspiration from arcsight 2019-02-03 12:53:58 -05:00
Thomas Patzke
6215a694a8 Remove escaping from '\\*' in es-dsl backend 2019-02-02 23:51:11 +01:00
Thomas Patzke
8a0784ad33 Fixed escaping of \\* 2019-02-02 00:18:58 +01:00
Thomas Patzke
516bfc88ff Added rule: RDP login from localhost 2019-01-28 22:43:22 +01:00
Thomas Patzke
3eaf83cf5a Improved configurations
Added Security/4688 field mappings
2019-01-16 23:37:18 +01:00
Thomas Patzke
ba64f485ac Added generic Windows audit log configuration 2019-01-16 22:41:42 +01:00
Thomas Patzke
4bc4c94a91 sigma2genericsigma: preserve dict order 2019-01-16 22:37:32 +01:00
Thomas Patzke
2fd88c837d Added generic sigma rule support to WDATP backend
* Process creation rules
2019-01-14 23:54:05 +01:00
Thomas Patzke
4e83bfeb16 Fixed merge bugs 2019-01-14 22:54:26 +01:00
Thomas Patzke
a9cf14438c Merge branch 'master' into project-1 2019-01-14 22:36:15 +01:00
Thomas Patzke
8336b47530 Merge branch 'master' of https://github.com/Neo23x0/sigma 2019-01-14 22:12:37 +01:00
Thomas Patzke
cc4b806b94 Sigma tools release 0.7.1 2019-01-14 00:26:03 +01:00
Thomas Patzke
5cba0b9946
Merge pull request #223 from m0jtaba/master
extending the qradar backend to allow for timeframe query
2019-01-13 23:55:55 +01:00
Thomas Patzke
7634128143 Generate list of converted file in conversion to generic rules 2019-01-13 23:53:11 +01:00
Thomas Patzke
e585858128 Optimization in conversion to generic rules
* only create necessary output files in directory output mode
* delete empty detections and empty detection sections
* Merge equal documents
* Merge reduced collections into one YAML document in common case
2019-01-13 23:45:11 +01:00
Mo Amiri
aa37ef2559 extending the qradar backend to allow for timeframe query 2019-01-11 03:33:49 +00:00
Adrien Vergé
44f18db80d Fix YAML errors reported by yamllint
Especially the config for ArcSight, that was invalid:

    tools/config/arcsight.yml
      89:5      error    duplication of key "product" in mapping  (key-duplicates)
      90:5      error    duplication of key "conditions" in mapping  (key-duplicates)

    rules/windows/builtin/win_susp_commands_recon_activity.yml
      10:9      error    too many spaces after colon  (colons)
2019-01-10 09:51:39 +01:00
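The duplicate-key errors quoted in the commit above are worth catching before a config is shipped, because most YAML loaders (PyYAML's default loader included) accept a repeated mapping key and silently keep the last value, so a second `conditions:` block under a logsource replaces the first instead of failing. What follows is an added example, not part of the Sigma project: a dependency-free, line-based duplicate-key check for block-style YAML of the kind used in sigmac config files. It is a linting heuristic, not a YAML parser (no flow-style `{...}` mappings, no multi-line scalars), and the sample config is constructed to mirror the ArcSight errors; it is not the real file, and the function and sample names are this example's own.

```python
import re

# Matches "key:" or "key: value" at the start of an already de-indented line.
KEY_RE = re.compile(r'^([^\s:"\'][^:]*?|"[^"]*"|\'[^\']*\')\s*:(?:\s|$)')


def find_duplicate_keys(text: str):
    """Return [(line_number, key), ...] for keys repeated inside one block mapping.

    A stack of [indent, keys_seen] scopes tracks nesting by indentation:
    a deeper indent opens a scope, a shallower indent closes scopes, and a
    sequence item ("- key: value") always starts a fresh mapping scope, so
    the same key in two list items is not a duplicate.
    """
    duplicates = []
    scopes = []  # stack of [indent, set_of_keys]
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("---"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if stripped.startswith("- "):
            # new list item: drop the previous item's scope and open a fresh one
            while scopes and scopes[-1][0] >= indent + 2:
                scopes.pop()
            indent += 2
            stripped = stripped[2:].lstrip()
            scopes.append([indent, set()])
        m = KEY_RE.match(stripped)
        if not m:
            continue  # scalar list entry, continuation line, etc.
        key = m.group(1).strip("\"'")
        while scopes and scopes[-1][0] > indent:
            scopes.pop()                    # left a nested block
        if not scopes or scopes[-1][0] < indent:
            scopes.append([indent, set()])  # entered a nested block
        seen = scopes[-1][1]
        if key in seen:
            duplicates.append((lineno, key))
        seen.add(key)
    return duplicates


# Constructed sample mirroring the ArcSight config errors; not the real file.
SAMPLE_WITH_DUPLICATES = "\n".join([
    "title: ArcSight field mapping (constructed sample)",  # 1
    "logsources:",                                         # 2
    "  windows:",                                          # 3
    "    product: windows",                                # 4
    "    conditions:",                                     # 5
    "      deviceVendor: Microsoft",                       # 6
    "    product: windows",                                # 7  duplicate key
    "    conditions:",                                     # 8  duplicate key
    "      deviceProduct: Sysmon",                         # 9
    "fieldmappings:",                                      # 10
    "  CommandLine: deviceCustomString1",                  # 11
])

SAMPLE_CLEAN = "\n".join([
    "logsources:",
    "  windows:",
    "    product: windows",
    "    conditions:",
    "      deviceVendor: Microsoft",
    "  linux:",
    "    product: linux",                   # same key, different parent: fine
    "fieldmappings:",
    "  - CommandLine: deviceCustomString1",
    "  - CommandLine: deviceCustomString2",  # each list item is its own mapping
])


if __name__ == "__main__":
    for name, doc in (("with-duplicates", SAMPLE_WITH_DUPLICATES), ("clean", SAMPLE_CLEAN)):
        print(name, find_duplicate_keys(doc))
```

Run it over `tools/config/*.yml` in CI and fail the build on a non-empty result; the reported line numbers match what yamllint's `key-duplicates` rule prints, so the two checks can be compared directly.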
Thomas Patzke
9f56b9e99b Output all YAML documents if one changed
Some Sigma rule collections contain YAML documents that reduce to almost
nothing because they only contain EventID definitions. Previous behavior
would filter the part with the remaining selection.
2019-01-08 23:27:16 +01:00
Thomas Patzke
bf9a567afd Fixed issues in converter 2019-01-06 23:57:09 +01:00
Thomas Patzke
faeaf1dfef Added first version of generic sigma rules conversion tool 2019-01-06 23:46:23 +01:00
Thomas Patzke
73b0c3a25b Fixed wildcard issue for es-dsl backend
Moved field mapping code into mixin shared by es-qs and es-dsl.
2018-12-21 14:10:45 +01:00
Thomas Patzke
75c7d65240
Merge pull request #211 from Cyb3rWard0g/master
Field-Index Mapping File & SIGMA Rules Field names fix
2018-12-19 00:38:06 +01:00
Thomas Patzke
ffd43823cf Fixed wildcard issue in es-qs backend and depending
See GitHub issue #194. Fix for es-dsl is pending.
2018-12-19 00:33:12 +01:00
Roberto Rodriguez
a0486edeea Field-Index Mapping File & SIGMA Rules Field names fix
+ Updated HELK field-index mapping file
+ After going through all the fields with 'fieldlist' output, I found a few rules that I fixed.
2018-12-11 09:27:26 +03:00
Thomas Patzke
68866433e8 Merge branch 'juju4-devel-sumo' 2018-12-10 22:37:58 +01:00
Thomas Patzke
4175d0cdd5 Fixed config and added index field
* Added index field _index to backend implementation
* Fixed index values in config
2018-12-10 22:37:39 +01:00
Roberto Rodriguez
93d1d700d4 Merge remote-tracking branch 'upstream/master' 2018-12-10 07:04:30 +03:00
juju4
1f707cb37c Adding Sumologic backend 2018-12-09 17:55:51 -05:00
Thomas Patzke
2091c90538 Fixed ElastAlert *_key options
* Always use .keyword field instead of analyzed one
* Fixed 'null' value if group field was not set
2018-12-09 22:33:23 +01:00
Roberto Rodriguez
8c577a329f Improve Rule & Updated HELK SIGMA Standardization Config
Rule should be focusing on the 'process_command_line' field and not just on any value of any event generated by powershell.exe.

SIGMA HELK standardization config updated to match latest HELK Common Information Model
2018-12-08 11:30:21 +03:00
Thomas Patzke
246ad7c59a Revert "Fixed wildcards in es-qs backend"
This reverts commit 49d464f979.

The partial fix for issue #194 broke the generation of many other rules,
see #203.
2018-12-05 09:07:07 +01:00
Thomas Patzke
f9d9d653dc
Merge pull request #199 from sisecbe/patch-1
Distinct count in aggregation function
2018-12-04 23:42:16 +01:00
Florian Roth
2bf0170956
Merge pull request #202 from tuckner/master
Fixed backslash escape
2018-12-03 22:22:53 +01:00
tuckner
2c5c92ab0a fixed backslash escape 2018-12-03 15:09:29 -06:00
Thomas Patzke
0a5caae5df Merge branch 'master' of https://github.com/lsoumille/sigma into lsoumille-master 2018-11-28 23:53:15 +01:00
Florian Roth
99e0a4defb fix: SPARK config duplicate identifier 2018-11-27 14:05:13 +01:00
lsoumille
50c74b94bc add elastalert backend support 2018-11-23 20:39:15 +01:00
sisecbe
c848c473a3
Error when empty fields attribute 2018-11-23 15:37:42 +01:00
sisecbe
31eae25756
Indentation error 2018-11-23 15:20:17 +01:00
sisecbe
e43909678e
Added the fields attribute parser
Make a table with the fields present in the fields attribute
2018-11-23 15:11:12 +01:00
sisecbe
c2eb87133d
Distinct count in aggregation function
Added dc() instead of count() when group-by field is present. Because count() doesn't do a distinct count in Splunk. Must be the dc() function instead.
2018-11-23 15:04:08 +01:00
Thomas Patzke
aa1a953a65 Moved node dumping code to generic location 2018-11-21 23:22:38 +01:00
Thomas Patzke
26d888aec3 Removed "not null" handling code
Feature was removed some time ago.
2018-11-21 22:56:48 +01:00
Thomas Patzke
9e28669c33 Backend es-qs returns quotes on empty or whitespace-only string 2018-11-21 22:29:12 +01:00
Thomas Patzke
49d464f979 Fixed wildcards in es-qs backend 2018-11-20 23:23:54 +01:00
Thomas Patzke
396a030ed1 Removed duplicate code 2018-11-07 22:52:12 +01:00
Thomas Patzke
116a0e9f03 Merge branch 'master' of https://github.com/tuckner/sigma into tuckner-master 2018-11-07 22:27:41 +01:00
Thomas Patzke
5053cc4e95 Fixed optimizing of not conditions with subexpressions
Optimization pass traversal is cut at ConditionNOT nodes.
2018-11-07 13:54:45 +01:00
Thomas Patzke
a88b1e81ec Optimizer debugging code cleanup
* Removed commented debugging code
* Output to stdin
* Coverage exception for _dumpNode
2018-11-07 13:49:08 +01:00
Thomas Patzke
42ed8acec9 Improved test coverage
* Adding tests
* Removal of coverage measurement for debugging code
2018-11-04 23:28:40 +01:00
Thomas Patzke
418f8d10a3 Wrap conditions generated by mappings into sub-expression 2018-11-04 23:00:04 +01:00
Thomas Patzke
0e4842962b Added tests 2018-11-04 22:16:20 +01:00
tuckner
ca6ba4a85b Added NetWitness backend and tests 2018-10-31 14:24:14 -05:00
tuckner
26f73d60fa Added NetWitness backend and tests 2018-10-31 14:07:59 -05:00
Thomas Patzke
eacfaa7460 Check for forbidden null values in list items in Splunk backend 2018-10-27 01:07:03 +02:00
Thomas Patzke
423a73efd5 Dropped .py suffix 2018-10-22 23:02:05 +02:00
Thomas Patzke
b2d6d73034 Added requirements 2018-10-22 22:43:59 +02:00
Thomas Patzke
16e3838a90 Renamed script 2018-10-19 21:23:33 +02:00
Thomas Patzke
6b14930302 Recursive path traversal 2018-10-19 21:21:33 +02:00
Thomas Patzke
67b416379f Improved import of multiple rules 2018-10-19 19:53:00 +02:00
Thomas Patzke
0cc8b77307 Merge branch 'master' of https://github.com/pivotforensics/sigma into pivotforensics-master 2018-10-18 15:56:26 +02:00
ntim
e501c4a5b9 Added additional output type 'json' to the xpack-watcher backend which prints each watcher as compress json, one watcher per line 2018-10-17 10:38:56 +02:00