Commit Graph

790 Commits

Author SHA1 Message Date
Thomas Patzke
3277cec7aa Reverted list sorting
This was already implemented meanwhile in a previous commit.
2020-04-08 23:23:44 +02:00
Thomas Patzke
cf896c3093 Merge branch 'master' of https://github.com/abhikhnvasara/sigma into pr-630 2020-04-08 23:16:39 +02:00
Thomas Patzke
551a94af04 Merge branch 'master' of https://github.com/tileo/sigma into pr-658 2020-04-08 22:43:48 +02:00
Thomas Patzke
7224af54b2 Merge pull request #664 from j91321/es-rule-options
es-rule backend options for index-patterns and time interval
2020-04-08 22:39:45 +02:00
Thomas Patzke
1b7f33f5e2 Fixed undefined value in exception handling
Fixes issue #702.
2020-04-08 22:28:47 +02:00
j91321
3470011ac3 Revert time interval, use index values provided by sigmaparser 2020-04-05 20:30:57 +02:00
Thomas Patzke
693830fa83 Merge pull request 659 2020-04-03 23:46:53 +02:00
Maxime Lamothe-Brassard
f92c5e9b18 Remove generation of LC rules with timeframe. 2020-04-02 15:25:30 -07:00
Florian Roth
ee7babd8cb fix: security vulnerability with pyyaml < 4.2b1 2020-04-02 12:27:53 +02:00
Thomas Patzke
13dbb4cdbd Moved tools into sigma namespace 2020-03-31 23:46:58 +02:00
Florian Roth
6aba430de6 fix: sigma_uuid occurances 2020-03-31 16:29:58 +02:00
Florian Roth
4d67dff89a fix: renamed tools to allow for console_scripts list entries 2020-03-31 14:07:34 +02:00
Florian Roth
18e505c458 fix: list_configurations default values 2020-03-31 12:42:02 +02:00
Florian Roth
c82156a3c9 fix: second list_configurations function params 2020-03-31 11:46:05 +02:00
Florian Roth
23ce69eaae fix: functions parameters outside of main 2020-03-31 11:42:16 +02:00
Florian Roth
bb50571b13 fix: print_verbose scope 2020-03-31 11:35:21 +02:00
Florian Roth
c83b4fd37c fix: fixing script install for Windows end systems 2020-03-31 11:30:47 +02:00
Florian Roth
536ad78fc2 refactor: following best practices reg main functions in Python
https://realpython.com/python-main-function/
2020-03-31 11:30:14 +02:00
Thomas Patzke
d33f4b290d Dependency cleanup
* Consolidated dependencies into main and development (MISP and test
  integrated).
* Split Pipfile dependencies into main and development
* Specified compatible dependencies
2020-03-29 22:55:09 +02:00
Florian Roth
5f0250bff5 Merge pull request #669 from 0xThiebaut/winlogbeat-rulename
Add Winlogbeat's RuleName field to mapping
2020-03-28 13:20:08 +01:00
Thomas Patzke
004eaf0615 Revert "do not escape u"
This reverts commit aa112cbd44.

This was a fix for a previous bug.
2020-03-24 23:36:12 +01:00
Thomas Patzke
5ea623506f Merge pull request #667 from opflep/master
Upgrade CarbonBlack backend
2020-03-22 00:24:57 +01:00
Maxime Thiebaut
c5bdd18d8d Add Winlogbeat's RuleName field to mapping
When Sysmon logs a "RegistryEvent" event of ID 13, the event might contain a field named "RuleName" as shown in the following excerpt.

```xml
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Events>
	<Event
		xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
		<System>
			<Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/>
			<EventID>13</EventID>
			<Version>2</Version>
			<Level>4</Level>
			<Task>13</Task>
			<Opcode>0</Opcode>
			<Keywords>0x8000000000000000</Keywords>
			<TimeCreated SystemTime='2020-03-18T03:52:07.173448000Z'/>
			<EventRecordID>160631</EventRecordID>
			<Correlation/>
			<Execution ProcessID='2156' ThreadID='3628'/>
			<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
			<Computer>win10.sec699-40.lab</Computer>
			<Security UserID='S-1-5-18'/>
		</System>
		<EventData>
			<Data Name='RuleName'>Context,ProtectedModeExitOrMacrosUsed</Data>
			<Data Name='EventType'>SetValue</Data>
			<Data Name='UtcTime'>2020-03-18 03:52:07.129</Data>
			<Data Name='ProcessGuid'>{36aa6401-9acb-5e71-0000-0010e3ed6803}</Data>
			<Data Name='ProcessId'>5064</Data>
			<Data Name='Image'>C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE</Data>
			<Data Name='TargetObject'>HKU\S-1-5-21-1850752718-2055233276-2633568556-1126\Software\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords\%USERPROFILE%/Documents/sec699.docm</Data>
			<Data Name='Details'>Binary Data</Data>
		</EventData>
	</Event>
</Events>
```

When used in combination with Elastic's Winlogbeat, the resulting field is named `winlog.event_data.RuleName`.
This commit introduces a mapping between the Sigma `RuleName` field (pre-existing in the `arcsight.yml` config) and Elastic's `winlog.event_data.RuleName`.

The presence of this field could be leveraged to build Sigma rules detecting events such as the above where a malicious macro was executed.
2020-03-19 19:40:18 +01:00
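The mapping described in the commit above, as an added example (my own code, not part of the sigma repository or the commit): a Sysmon EventID 13 event is flattened into Winlogbeat-style `winlog.event_data.*` names, then a hypothetical Sigma-style selection written against the Sigma field names is evaluated once without and once with a field mapping. Assumptions beyond the commit: the flattening is a simplification of what Winlogbeat does, the `EventID` and `TargetObject` mappings and the detection itself are constructed for the demo, and the sample event is a trimmed copy of the one quoted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Sysmon EventID 13 event quoted in the commit message,
# trimmed to the elements this example reads.
SYSMON_EVENT_XML = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Sysmon'/>
    <EventID>13</EventID>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>win10.sec699-40.lab</Computer>
  </System>
  <EventData>
    <Data Name='RuleName'>Context,ProtectedModeExitOrMacrosUsed</Data>
    <Data Name='EventType'>SetValue</Data>
    <Data Name='Image'>C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE</Data>
    <Data Name='TargetObject'>HKU\S-1-5-21-1850752718-2055233276-2633568556-1126\Software\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords\%USERPROFILE%/Documents/sec699.docm</Data>
  </EventData>
</Event>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def winlogbeat_flatten(xml_text):
    """Flatten an EVTX-style XML event into Winlogbeat-like dotted field names.

    Simplification (assumed here): only winlog.event_id, winlog.channel,
    winlog.computer_name and winlog.event_data.<Name> are produced.
    """
    event = ET.fromstring(xml_text)
    system = event.find("e:System", NS)
    doc = {
        "winlog.event_id": system.findtext("e:EventID", namespaces=NS),
        "winlog.channel": system.findtext("e:Channel", namespaces=NS),
        "winlog.computer_name": system.findtext("e:Computer", namespaces=NS),
    }
    for data in event.find("e:EventData", NS).findall("e:Data", NS):
        doc["winlog.event_data." + data.get("Name")] = data.text or ""
    return doc


# Sigma field name -> Winlogbeat field name. RuleName is the mapping this commit
# adds; EventID and TargetObject are assumed here for the demo.
FIELDMAPPING = {
    "EventID": "winlog.event_id",
    "RuleName": "winlog.event_data.RuleName",
    "TargetObject": "winlog.event_data.TargetObject",
}

# Hypothetical Sigma-style selection (not a rule from the repository). Keys are
# Sigma field names with an optional |modifier suffix; list values are OR-ed.
DETECTION = {
    "EventID": 13,
    "RuleName|contains": "ProtectedModeExitOrMacrosUsed",
    "TargetObject|contains": "\\Security\\Trusted Documents\\TrustRecords\\",
}


def _value_matches(actual, expected, modifier):
    actual = "" if actual is None else str(actual)
    expected = str(expected)
    if modifier == "contains":
        return expected in actual
    if modifier == "startswith":
        return actual.startswith(expected)
    if modifier == "endswith":
        return actual.endswith(expected)
    return actual == expected


def evaluate(detection, doc, fieldmapping=None):
    """Evaluate a selection: AND across entries, OR within a list value.

    Without a fieldmapping the Sigma names are looked up verbatim, which is what
    happens when a config lacks the mapping: the field is never found, so the
    rule silently never fires.
    """
    fieldmapping = fieldmapping or {}
    for key, expected in detection.items():
        field, _, modifier = key.partition("|")
        target = fieldmapping.get(field, field)
        values = expected if isinstance(expected, list) else [expected]
        if not any(_value_matches(doc.get(target), v, modifier) for v in values):
            return False
    return True


def demo():
    """Returns (match_without_mapping, match_with_mapping) for the sample event."""
    doc = winlogbeat_flatten(SYSMON_EVENT_XML)
    return evaluate(DETECTION, doc), evaluate(DETECTION, doc, FIELDMAPPING)


if __name__ == "__main__":
    print(demo())  # (False, True)
```

The unmapped run is the failure mode worth remembering: a missing mapping does not raise an error anywhere, it just produces a query that can never match. The same holds on the data side, since `RuleName` is only present when the Sysmon config names the rule; a selection keyed on it should be paired with fields that are always populated (EventID, TargetObject) rather than relied on alone.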
vunx2
be6519e35d merge 2020-03-19 11:07:39 +07:00
vunx2
1025930e04 merge 2020-03-19 11:05:52 +07:00
vunx2
c627f6b381 merge 2020-03-19 11:02:10 +07:00
vunx2
2107d86900 merge 2020-03-19 10:58:30 +07:00
vunx2
0356178c50 eventdict 2020-03-19 10:49:40 +07:00
vunx2
1b12a6b261 modified: tools/sigma/backends/carbonblack.py 2020-03-19 09:00:24 +07:00
neu5ron
aa112cbd44 do not escape u 2020-03-18 08:51:38 -04:00
neu5ron
17318b48bf - fix agg_option keyword
- remove (now) unnecessary other hardcoded `.keyword` locations
2020-03-18 08:50:37 -04:00
vunx2
e228d42b97 clean IP subnet 2020-03-18 16:49:44 +07:00
vunx2
1df5620a14 fix cleanValue + leading wildcard + EventID Integration 2020-03-18 16:02:44 +07:00
j91321
f0c83ae3b4 Added es-rule backend options 2020-03-15 13:03:20 +01:00
neu5ron
58ac26e531 more ECS to sigmac taxonomy for web/proxy 2020-03-14 14:57:38 -04:00
neu5ron
55bf39a2ac keyword, analyzed field, case insensitivity 2020-03-11 11:38:56 -04:00
David Szili
0947538228 MDATP schema changes
WDATP was renamed to MDATP (Microsoft Defender ATP).
MDATP also had schema changes recently: https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914
The updates reflect these changes
2020-03-09 17:12:41 +01:00
Abhijit Khinvasara
46bc843e51 sort the list of backends presented in sigmac help 2020-03-04 15:21:28 -08:00
Abhijit Khinvasara
9cb395823c Rework according to review comments. 2020-03-04 14:54:49 -08:00
vunx2
b070ffab74 Merge branch 'master' of https://github.com/Neo23x0/sigma 2020-03-03 10:08:31 +07:00
Thomas Patzke
a0f7da8c03 Splunk XML backend rule title
Fixes #645
2020-03-01 22:23:35 +01:00
vunx2
58f5fa1b8e change to github 2020-02-28 16:56:48 +07:00
vunx2
139600009b conflict 2020-02-28 16:50:30 +07:00
Thomas Patzke
65444f7a77 Release 0.16.0 2020-02-25 22:19:52 +01:00
Thomas Patzke
5a2ccbd040 Fixed ArcSight backend visibility 2020-02-24 23:27:22 +01:00
Thomas Patzke
5b42135935 Added es-rule backend to all ES configurations 2020-02-24 23:20:48 +01:00
Thomas Patzke
d9b48ea747 Fixes in es-rule backend 2020-02-24 23:20:19 +01:00
Thomas Patzke
4ee2c2762e Sorting of backend and configuration lists 2020-02-24 22:59:59 +01:00
vh
5dc30bd388 Carbonblack, Arcsight ESM, Elastic Rule 2020-02-24 19:29:45 +02:00
vh
516e61fdb0 t 2020-02-24 19:23:11 +02:00
Abhijit Khinvasara
8ad346362c remove print statements. 2020-02-22 20:59:56 -08:00
Abhijit Khinvasara
612df1666b add LOGIQ backend. 2020-02-22 20:50:30 -08:00
Thomas Patzke
12be884aa5 Merge branch 'sql-backend' 2020-02-21 22:41:53 +01:00
Thomas Patzke
776b58b594 Improved Splunk Zeek configuration 2020-02-21 22:31:14 +01:00
Thomas Patzke
746f957a63 Merge branch 'patch-1' of https://github.com/fuseyjz/sigma into fuseyjz-patch-1 2020-02-21 22:24:44 +01:00
Thomas Patzke
3047571132 Merge pull request #625 from ninoseki/fix-sigma2misp
Update sigma2misp
2020-02-21 22:22:54 +01:00
Thomas Patzke
48d95f027c Merge branch 'oscd' 2020-02-20 23:11:57 +01:00
Manabu Niseki
c6eb3bfbf2 Update sigma2misp
Make enable to use with modern PyMISP
2020-02-20 18:55:10 +09:00
james dickenson
1347e5060f logsource config for zeek events in splunk 2020-02-12 21:24:03 -08:00
vunx2
d0e9af171f cleanIPRange 2020-02-06 17:20:52 +07:00
vunx2
627f46abc2 backslash fix 2020-02-06 16:28:27 +07:00
vunx2
bc4c6ce8db cleanValue 2020-02-06 11:02:22 +07:00
vunx2
19d9e4856e clean Value + config 2020-02-05 17:47:35 +07:00
vunx2
579e7481c7 cleanValue + eventID list 2020-02-04 18:14:40 +07:00
Thomas Patzke
d7bd90cb24 Merge branch 'master' into oscd 2020-02-03 23:13:16 +01:00
Thomas Patzke
1bc2c0b930 Deduplication of backend list
Fixes issue #609. Added backend list debug output (class name).
2020-02-03 22:16:00 +01:00
vunx2
2930df17d6 update sigma 2020-02-03 09:47:06 +07:00
Thomas Patzke
815c562a17 Merge branch 'master' into oscd 2020-02-02 13:40:08 +01:00
vh
dc5a31aebc Updated Azure Sentinel backend 2020-01-31 17:17:24 +02:00
Thomas Patzke
7b4ec734a8 Using rule ids as Kibana object id 2020-01-30 11:30:01 +01:00
Thomas Patzke
7b62b931ce Moved ala-rule backend code into ala backend module 2020-01-13 11:24:46 +01:00
Thomas Patzke
de690cbfbf Merge branch 'master' of https://github.com/socprime/sigma into socprime-master 2020-01-13 11:19:39 +01:00
neu5ron
d8b703462d fix name of network_initiated 2020-01-13 00:12:04 -05:00
Thomas Patzke
8d6a507ec4 OSCD QA wave 1
* Checked all rules against Mordor and EVTX samples datasets
* Added field names
* Some severity adjustments
* Fixes
2020-01-11 00:11:27 +01:00
Maxime Lamothe-Brassard
a3ad7cb1c5 Fixed actual event tag 2019-12-30 18:15:12 -08:00
Maxime Lamothe-Brassard
9b32086d92 Mapping OriginalFileName to event/INTERNAL_NAME now that it's available. 2019-12-30 15:58:18 -08:00
SOC Prime
92bc96a308 Update ala-rule.py 2019-12-30 16:26:30 +02:00
vh
f2117f798a Fix ala-rule 2019-12-30 16:24:08 +02:00
SOC Prime
f015c97dff Update ala-rule.py 2019-12-30 16:13:27 +02:00
vh
f9570a48cb Azure Sentinel backend (ala) - Fixed path in query
Added new backend Azure Sentinel Rule (ala-rule)
2019-12-30 16:11:53 +02:00
vh
d42409372c Azure Sentinel backend (ala) - Fixed path in query
Added new backend Azure Sentinel Rule (ala-rule)
2019-12-30 16:09:19 +02:00
fuseyjz
0b2f88d5df Sigma converter for SQL format
Get the converted SQL query after the WHERE statement for any filtering on SQL platform.

Example:
https://github.com/fuseyjz/sigma-sql/blob/master/README.md
2019-12-24 10:42:25 +08:00
christophetd
e99b0fe2d7 Add sigma2attack 2019-12-19 00:00:13 +01:00
Thomas Patzke
d2a940a0a6 Merge branch 'devel' of https://github.com/Neo23x0/sigma 2019-12-13 22:01:40 +01:00
Thomas Patzke
ee4138c48e Merge pull request #526 from zouzias/hotfix_aggregate_count_distinct_groupby
[feature] extend es-dsl to support nested aggregations
2019-12-13 21:55:47 +01:00
Thomas Patzke
a25b2ec361 Merge pull request #523 from refractionPOINT/lc-added-mtd
LC added FP metadata
2019-12-13 21:50:52 +01:00
Thomas Patzke
b701e9be50 Added ECS proxy configuration 2019-12-09 16:34:07 +01:00
Thomas Patzke
991108e64d Further proxy field name fixes (config + rules) 2019-12-07 00:23:30 +01:00
Thomas Patzke
51e9689425 Sigmatool release 0.15.0 2019-12-06 22:13:44 +01:00
Maxime Lamothe-Brassard
27bb07b74e Adding support for basic proxy rules using the HTTP_REQUEST events from the Chrome LC Agent. 2019-12-05 09:35:09 -08:00
Lep
60997b47b2 moreEventID 2019-11-28 21:34:52 +07:00
Lep
412dfc4f05 Merge branch 'master' of http://git.security.fis.vn/VuNX2/sigma 2019-11-28 17:38:57 +07:00
Lep
738008b52b requirement 2019-11-28 17:38:05 +07:00
Nguyen Xuan Vu
042d078ee1 Update requirements.txt 2019-11-28 05:26:09 -05:00
Lep
158ffd2f0c requirement 2019-11-28 17:23:05 +07:00
Lep
37257170dd postAPI 2019-11-28 16:01:24 +07:00
Lep
d08ff35222 postAPI 2019-11-28 11:45:49 +07:00
Maxime Lamothe-Brassard
61bcc46394 Prettier formatting of YAML. 2019-11-18 14:50:41 -05:00
Maxime Lamothe-Brassard
9eed57ee1d Adding the "falsepositives" field to the LC metadata. 2019-11-15 08:30:41 -05:00
Anastasios Zouzias
3c7f522017 add .keyword on aggs; add extra unit test 2019-11-14 14:34:50 +01:00
Thomas Patzke
cf22e9e576 Added hint on failed UUID check 2019-11-12 23:37:28 +01:00
Thomas Patzke
ca53e937d9 Removed sigma.output from setup packages 2019-11-12 23:11:39 +01:00
Thomas Patzke
3828f4a95c Merge branch 'uuid' into assign-ids 2019-11-12 22:46:54 +01:00
Thomas Patzke
0065e2420f Merge branch 'oscd-qa' 2019-11-12 20:54:11 +01:00
Anastasios Zouzias
e7ed0fa9ea added unit test 2019-11-12 14:06:10 +01:00
Anastasios Zouzias
324005a126 [feature] extend es-dsl to support nested aggregations 2019-11-12 11:46:43 +01:00
Thomas Patzke
6d62d426c9 Added sigma-uuid tool
* Moved SigmaYAMLDumper to new sigma.output module
2019-11-11 23:35:16 +01:00
Florian Roth
e2628d6df6 fix: wrong mapping on thor.cfg 2019-11-11 09:20:20 +01:00
Thomas Patzke
feb836cbf2 Sigmatools release 0.14 2019-11-10 00:09:59 +01:00
Florian Roth
faeccf0c3d Merge branch 'master' into devel 2019-11-09 22:42:16 +01:00
Florian Roth
a0beda240c fix: fixed wrong field mapping in windows-audit source config 2019-11-09 22:42:00 +01:00
Thomas Patzke
2222550b6e Allow ignore of type errors with sigmac -I 2019-11-08 23:56:39 +01:00
Thomas Patzke
8f1974d7d3 Added regular expression support in es-dsl backend 2019-11-08 23:56:39 +01:00
Thomas Patzke
465e41bfbb Added regular expression support in es-dsl backend 2019-11-08 22:31:02 +01:00
Thomas Patzke
5d995ad704 sigma-similarity: primary rule set for restriction of comparison 2019-11-08 21:15:13 +01:00
Thomas Patzke
ef14ee542d Added modifiers: startswith and endswith 2019-11-05 23:04:13 +01:00
Maxime Lamothe-Brassard
1b9054c1f3 Adding some comments 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
b7018bcd4a Adding a post-mapper mechanism to fix some common issues in Sigma rules to LC. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
c2e621cf08 Fixing another edge case with string escape. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
0c6b9e532b Remove debugging statement 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
6f2f1d2bd7 Add ability to map fields and values based on callbacks. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
0b9a3f3a08 Refactor to better support keyword fields. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
9aedb8f764 Adding another exception case to get more "contains" shortcuts instead of REs. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
102ab3081b Fix the conversion from simple wildcard strings to a full regular expression so that it is always correct. The previous solution just mostly-worked. 2019-11-05 08:39:24 -05:00
Maxime Lamothe-Brassard
e52f29dda9 Fix matches operator field set to value instead of re. 2019-11-05 08:38:06 -05:00
Thomas Patzke
54c75167ce Default configurations for backends 2019-11-03 23:32:50 +01:00
Thomas Patzke
4f19ef5708 Graylog backend now derived from es-qs
Technically, Graylog is ES. Fixes and improvements for ES didn't
propagate to Graylog, now they do.
2019-11-02 22:56:01 +01:00
Thomas Patzke
8af2b70594 Restrict search not bound to fields to keyword fields 2019-11-02 22:55:04 +01:00
Thomas Patzke
c9eb921f68 ConditionAND/OR constructor now allows arbitrary number of operands 2019-11-02 22:54:35 +01:00
Thomas Patzke
2eeccf48e0 Removed line breaks in Elastalert YAML output
Fixes #453
2019-10-29 22:45:37 +01:00
Maxime Lamothe-Brassard
f6fb9c7f5f Fixing typo in response metadata. 2019-10-28 11:31:50 -05:00
Maxime Lamothe-Brassard
2873e1ded3 Small refactors to make more readable and remove deprecated code paths to increase coverage. 2019-10-28 10:49:05 -05:00
Maxime Lamothe-Brassard
a7003c2aa3 Adding support for "unix", looking like a mistake by the creator. 2019-10-27 15:55:12 -05:00
Maxime Lamothe-Brassard
d019cef439 Adding a bit more of early support for netflow and some linux exe. 2019-10-27 15:48:28 -05:00
Maxime Lamothe-Brassard
a57a7b58cf Added conceptual support for aliasing keywords to a specific field depending on the log source. 2019-10-27 15:28:54 -05:00
Maxime Lamothe-Brassard
60b20a76a6 Fixing handling of unsupported sources. 2019-10-27 12:37:06 -05:00
Maxime Lamothe-Brassard
0fe72d6133 Emit error on full-text searches not being supported. 2019-10-27 12:26:36 -05:00
Maxime Lamothe-Brassard
f43300af8e Fix the top level pre-condition for Windows Event Logs on LC. 2019-10-27 12:17:15 -05:00
Maxime Lamothe-Brassard
91e48d8c1b Adding setup links and fixing test that would crash Not node, but not seen in prod rules. 2019-10-27 11:56:32 -05:00
Maxime Lamothe-Brassard
8d866b0868 Adding comments. 2019-10-26 17:37:13 -05:00
Maxime Lamothe-Brassard
bc5e9bd03a Making rule output a full D&R (with the Response component) and includes a lot of metadata from the rule in the report. 2019-10-26 17:30:40 -05:00
Maxime Lamothe-Brassard
8cc3990aef Extending support for more random rules with odd names. 2019-10-26 16:59:33 -05:00
Maxime Lamothe-Brassard
4d65b62063 Adding support for generating rules for Windows builtin category for use in the External Logs of LC. 2019-10-26 16:30:50 -05:00
Maxime Lamothe-Brassard
30cc7ee809 Refactor mappings into a flat structure to account for missing parameters in some combinations. 2019-10-26 16:09:39 -05:00
Maxime Lamothe-Brassard
77329714c5 Adding service to indirection of mappings since it will be used for Windows Event Logs. 2019-10-26 16:06:42 -05:00
Maxime Lamothe-Brassard
823d86c7d9 Remove unimplemented config entries and fix bug with valueNode. 2019-10-26 15:54:08 -05:00
Maxime Lamothe-Brassard
bba43c7a86 First draft of support for LimaCharlie D&R rules. 2019-10-26 15:45:48 -05:00
Thomas Patzke
30948b9c1a Added sigma-similarity tool
Fixed also bug in backend base class that was triggered by the way
backends are used by this tool.
2019-10-25 21:59:03 +02:00
gsanm
150afd816d IP Clean 2019-10-22 17:49:50 +07:00
Thomas Patzke
8a545b973b Sigmatools release 0.13 2019-10-21 11:58:26 +02:00
lep
1c5816b214 update carbonblack module 2019-10-18 17:51:31 +07:00
lep
7219e0b0f1 module carbonblack 2019-10-18 14:04:38 +07:00
Thomas Patzke
fc276612b6 Added encoding modifiers 2019-10-16 23:52:06 +02:00
Steven Goossens
6a1a96a918 Implement mapping when selecting the fields for the AQL query. This was not being done correctly 2019-10-16 16:37:09 +02:00
Steven Goossens
2837d3ba74 Added the cleanValue function for Qradar 2019-10-16 10:27:24 +02:00
Thomas Patzke
849a5a520d Conditional field mapping resolve_fieldname now functional
Before this method just had some placeholder function that wasn't really
implementing the intended functionality of the conditional field
mapping. Now aggregations get also conditional field mapping
functionality.
2019-10-09 23:57:41 +02:00
Thomas Patzke
95c8d25858 Improved --backend-config help text 2019-10-07 22:30:57 +02:00
neu5ron
a729cc7905 create winlogbeat config/taxonomy specific to elastic enabled winlogbeat modules such as the one for sysmon (https://github.com/elastic/beats/blob/master/x-pack/winlogbeat/module/security/config/winlogbeat-security.js) sigmac conversion 2019-10-01 10:16:42 -04:00
neu5ron
f7fd936433 update HELK config taxonomy/mapping for sigmac conversion 2019-10-01 10:14:54 -04:00
Thomas Patzke
d4f89ebc1c Aggregation on keyword field in es-dsl backend
* Fixes #452
* Further fixed reference to count in restriction of results
2019-09-29 23:18:17 +02:00
Florian Roth
3d333290a9 Merge pull request #445 from EccoTheFlintstone/localadmin
rule: user added to local administrator: handle non english systems b…
2019-09-25 17:29:41 +02:00
Thomas Patzke
19f431b6d2 Changed xpack-watcher dateField default to previous value 2019-09-12 00:19:58 +02:00
ecco
4c5eab88b6 add GroupSid to other configs 2019-09-11 04:53:30 -04:00
herrBez
8f612f743c Use config dateField in xpack watcher to determine
datefield name as in elasticsearch dsl backend
2019-09-11 09:38:03 +02:00
ecco
5ae46ac56d rule: user added to local administrator: handle non english systems by using group sid instead of name 2019-09-06 06:21:42 -04:00
Thomas Patzke
c80cb418cd Improved QRadar regular expression support 2019-09-05 15:35:26 +02:00
Thomas Patzke
30b6db8299 Fixed ES backend keyword field mapping wildcard match pattern 2019-09-05 12:55:10 +02:00
Thomas Patzke
3b1cbe529e Elasticsearch keyword field name blacklisting with wildcards 2019-09-05 12:38:32 +02:00
Thomas Patzke
2a60c71b9d Merge pull request #437 from svent/qradar_regex_modifier
QRadar backend: add support for re type modifiers
2019-09-05 10:30:18 +02:00
Thomas Patzke
de5e2045f0 Merge pull request #428 from stevengoossensB/master
AQL field selection from signatures
2019-09-05 10:28:02 +02:00
Thomas Patzke
37e179b6a7 Merge pull request #390 from juju4/devel-sumo2
sumologic backend: fix index and full mapping coverage
2019-09-05 10:27:19 +02:00
svent
467c8f694c QRadar backend: add support for re type modifiers 2019-09-03 22:55:48 +02:00
Steven Goossens
cb088e4911 Remove quotes from around the fields to make the query semantically correct 2019-08-26 12:43:26 +00:00
Steven Goossens
ad19f05e2c Include mapped names rather than signature names 2019-08-26 12:06:20 +00:00
Steven Goossens
37caccd52e Includes the trial condition so generic query is generated whenever the fields are not defined 2019-08-26 11:48:40 +00:00
Steven Goossens
895682aef2 Implementing the fields to be selected 2019-08-26 10:57:43 +00:00
agold
0984293d0c Support for Malicious cmdlets in ATP 2019-08-20 14:33:08 -07:00
svent
1ea6d00a39 Fix QRadar field name escaping and handling 2019-08-12 23:47:43 +02:00
svent
826c1e3942 Fix QRadar backend config 2019-08-12 23:47:43 +02:00
Michiel Meersmans
0708fdd28e Correctly escape slashes within es-dsl wildcard queries 2019-08-07 12:56:19 +02:00
Florian Roth
9c85d5e80f Merge pull request #406 from tuckner/master
Fix ala parsing issues
2019-08-06 10:28:07 +02:00
Thomas Patzke
940c36a4cd Fixed build
Missing package specification
2019-08-05 23:42:33 +02:00
Thomas Patzke
d5885686fc Sigmatools release 0.12
* Value modifiers
* Config name cleanup
2019-08-01 23:45:07 +02:00
Thomas Patzke
805c739611 Merge branch 'devel-modifiers' 2019-07-31 23:44:10 +02:00
Thomas Patzke
31c6ffcb61 No escaping for typed values 2019-07-31 23:43:29 +02:00
tuckner
8f2f1922c6 Merge pull request #1 from Neo23x0/master
update fork
2019-07-27 21:27:52 -05:00
Thomas Patzke
8a3117d73e Nested list handling for chained value modifiers 2019-07-16 23:03:19 +02:00
Thomas Patzke
6881967889 Further modifiers
* base64
* base64offset
2019-07-16 00:00:35 +02:00
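The base64offset modifier listed in the commit above, as an added example that is my own implementation of the idea and not sigmac's code: base64 works on 3-byte groups, so a string that sits at byte offset 0, 1 or 2 inside a larger blob encodes to three different character sequences, and a plain `base64` match only catches one of them. The function below derives the three alignment-independent fragments; the filler byte, the `naive_vs_offset` check and its sample inputs are constructed for this demo.

```python
import base64


def base64offset(value, encoding="utf-8"):
    """Return the three base64 fragments that match `value` at any byte alignment.

    For alignment i (0, 1, 2) prepend i filler bytes, encode, then drop the
    leading characters that carry filler bits and the trailing characters that
    carry bits of whatever follows the value (plus '=' padding). What remains
    depends only on the bytes of `value`. The trimming table comes from the
    6-bit/8-bit boundaries of base64, not from sigmac's source (assumption:
    a NUL filler byte; any filler works since its bits are discarded).
    """
    raw = value.encode(encoding)
    lead_trim = (0, 2, 3)   # chars influenced by 0, 1, 2 filler bytes
    tail_trim = (0, 3, 2)   # chars influenced by the next byte, keyed by (i + len) % 3
    fragments = []
    for i in range(3):
        enc = base64.b64encode(b"\x00" * i + raw).decode("ascii")
        tail = tail_trim[(i + len(raw)) % 3]
        fragments.append(enc[lead_trim[i]:len(enc) - tail])
    return fragments


def naive_vs_offset(value, context=b" /c whoami"):
    """Constructed check: place `value` at byte offsets 0, 1 and 2 of a blob,
    base64 the whole blob, and count how often plain base64(value) hits versus
    the offset fragments. Expected: naive hits once, offset hits all three."""
    naive = base64.b64encode(value.encode()).decode("ascii")
    fragments = base64offset(value)
    hits = {"naive": 0, "offset": 0}
    for k in range(3):
        blob = base64.b64encode(b"X" * k + value.encode() + context).decode("ascii")
        hits["naive"] += naive in blob
        hits["offset"] += any(f in blob for f in fragments)
    return hits


if __name__ == "__main__":
    print(base64offset("cmd"))     # ['Y21k', 'NtZ', 'jbW']
    print(naive_vs_offset("cmd"))  # {'naive': 1, 'offset': 3}
```

Two caveats when using this against real telemetry: PowerShell `-EncodedCommand` payloads are UTF-16LE, so the bytes must be encoded that way (`base64offset("cmd", "utf-16-le")`) before the fragments will ever hit; and for one- or two-character values the trimmed fragments get very short and will false-positive, so the modifier belongs on a reasonably long string and alongside other selection fields.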
Thomas Patzke
1bb29dca26 Implemented type modifiers and regular expressions 2019-07-15 22:52:10 +02:00
Thomas Patzke
b9ff280209 Cleanup of configuration names 2019-07-14 00:50:15 +02:00
Thomas Patzke
5489f870cc Merge pull request #393 from HacknowledgeCH/master
Explicit OR for list elements
2019-07-13 23:11:44 +02:00
Thomas Patzke
134bfebe57 Ignore "timeframe" detection keyword in "all/any of" conditions
Fixes #395
2019-07-13 00:35:35 +02:00
christophetd
576912eb7a Support OR queries for Elasticsearch 6 and above 2019-07-08 17:12:53 +02:00
juju4
10290beb54 config/sumologic: more index mappings 2019-07-06 12:42:12 -04:00
juju4
7b0cace217 config/sumologic: more index mappings 2019-07-06 12:42:05 -04:00
juju4
2b5a77db53 add sumologic _sourceCategory and _view in aFL 2019-07-06 12:41:56 -04:00
juju4
b358d38e68 _index in aFL and mappings working! 2019-07-06 12:41:40 -04:00
Florian Roth
f7ba2b3976 fix: bug in sumologic backend with 'null' values 2019-07-02 22:31:10 +02:00
Thomas Patzke
337681cfce Value modifiers
* First transformation modifiers: contains, all
* Sigma converter modifier list
2019-06-30 23:41:28 +02:00
Thomas Patzke
161965d14c Added version information to Winlogbeat configs 2019-06-30 22:44:12 +02:00