Commit Graph

235 Commits

Author SHA1 Message Date
James Dickenson
9a61f40cef added support flor flow data in qradar backend 2018-08-16 21:44:17 -07:00
Thomas Patzke
320bb9f8c4 Added rewrite config to generic sysmon configuration 2018-08-14 21:34:54 +02:00
Thomas Patzke
430972231f Added generic sysmon configuration with process_execution config 2018-08-14 21:34:54 +02:00
nikotin
b5f27d75be Added Qradar backend 2018-07-17 15:25:06 +03:00
Florian Roth
2a74a62c67 Config file for SPARK scanner 2018-06-29 16:42:16 +02:00
Florian Roth
7edd95744a Windows NTLM 2018-06-13 00:08:46 +02:00
nikotin
d13e8d7bd3 Added ArcSight & Qualys backends 2018-06-07 16:18:23 +03:00
Florian Roth
65cc78f9e8 Windows Config Update - DNS logs 2018-05-22 16:59:58 +02:00
Thomas Patzke
17c1c1adff Added field name mappings to HELK configuration 2018-03-27 14:41:02 +02:00
Thomas Patzke
a3e02ea70f Various rule fixes
* Field name: LogonProcess -> LogonProcessName
* Field name: Message -> AuditPolicyChanges
* Field name: ProcessCommandLine -> CommandLine
* Removed Type match in Kerberos RC4 encryption rule
  Problematic because text representation not unified and audit failures are possibly interesting events
* Removed field 'Severity' from rules (Redundant)
* Rule decomposition of win_susp_failed_logons_single_source) because of different field names
* Field name: SubjectAccountName -> SubjectUserName
* Field name: TargetProcess -> TargetImage
* Field name: TicketEncryption -> TicketEncryptionType
* Field name: TargetFileName -> TargetFilename
2018-03-27 14:35:49 +02:00
Thomas Patzke
e162ba0155 Added HELK configuration 2018-03-16 23:42:31 +01:00
Thomas Patzke
f478cffb41 Added default index configs for usual ELK setups
* Added test case for defaultindex with kibana backend
2017-11-09 10:05:41 +01:00
Florian Roth
1bea284280 Added Windows Driver Framework log source to configs 2017-11-09 08:42:58 +01:00
Florian Roth
e83e3a0c07 Bugfixes in Splunk config 2017-11-09 08:41:07 +01:00
Thomas Patzke
3389656a5b Added ELK default index config 2017-10-23 00:45:33 +02:00
Thomas Patzke
cb9aeac7d9 Added default index handling
* Removed default index handling from backend code
* Added default indices to config templates
2017-10-23 00:08:39 +02:00
Thomas Patzke
54cf9af0c9 Removed ELK Sysmon config
It's contained in ELK Windows config
2017-10-18 15:23:55 +02:00
Thomas Patzke
545e05370f Added first config for logstash-linux project
URL: https://github.com/thomaspatzke/logstash-linux
2017-09-17 00:36:04 +02:00
Florian Roth
edf2787402 Removed some spaces and added Win 10 WMI eventlog 2017-08-22 10:04:56 +02:00
Thomas Patzke
998bb0079d Fixed Splunk config for sigmac again 2017-05-26 22:40:06 +02:00
Thomas Patzke
18a9fd18ef Fixed Splunk configuration
Substituted source: with sourcetype:
2017-05-26 00:13:30 +02:00
Florian Roth
f66085b198 Added eventlog source DNS Server to configs 2017-05-08 13:09:17 +02:00
Ben de Haan
dddb83393d Added field mappings for events with logins 2017-03-30 10:49:36 +02:00
Ben de Haan
cb9a9bc2ff Added LogPoint conditional username mapping
Conditional mapping of SubjectAccountName based on EventID. Not a comprehensive list, but should include most relevant Event IDs.
2017-03-30 09:51:32 +02:00
Thomas Patzke
9698e8fdf7 Changed Logpoint SubjectAccountName mapping to conditional mapping 2017-03-25 00:27:29 +01:00
Thomas Patzke
a4465ce844 Added 1:n field mapping
MultiFieldMapping
2017-03-24 00:58:11 +01:00
Florian Roth
7e180365ab PowerShell Classic Log in Splunk Config Example 2017-03-22 11:17:46 +01:00
Ben de Haan
c3c405a95e LogPoint windows mapping 2017-03-20 16:57:19 +01:00
Florian Roth
f292a259a5 Adjusted Windows Splunk Config 2017-03-18 13:12:31 +01:00
Thomas Patzke
17c484163d Improved examples 2017-03-18 00:03:21 +01:00
Thomas Patzke
b4f52d9cfb Windows index in Splunk example configuration 2017-03-17 23:30:11 +01:00
Florian Roth
dc00baacda Splunk Windows Configuration Example 2017-03-17 10:00:56 +01:00
Thomas Patzke
d2a9a91175 Log source conditions are integrated in generated expressions
Indices not yet included
2017-03-14 23:22:32 +01:00
Thomas Patzke
52d7e9fc07 Parsing log sources in configuration files 2017-03-12 23:12:21 +01:00
Florian Roth
b93379a6a9 Config example: sysmon / logstash index 2017-03-07 10:09:43 +01:00