frack113
e76f30d59c
Add some missing fields mapping
2021-07-06 15:56:33 +02:00
Florian Roth
400fae4dba
Merge pull request #1609 from cianmcgovern/graylog-fix
Escape spaces in graylog backend
2021-07-04 14:20:07 +02:00
frack113
8fd81acee4
Change getRuleName() to get 'id-title' instead of ('id' or 'title')
2021-07-04 11:56:59 +02:00
Cian Mc Govern
7fca08e5bd
Escape spaces in graylog backend
2021-07-02 21:56:08 +01:00
Florian Roth
06ab553d25
Merge pull request #1604 from SigmaHQ/rule-devel
Config: Splunk fix log sources prefix, THOR PS classic
2021-07-02 15:39:22 +02:00
Florian Roth
ba94b8396c
config: thor - powershell classic
2021-07-02 14:14:48 +02:00
Florian Roth
03e2b9d376
fix: missing "WinEventLog:" in splunk-windows.yml
2021-07-02 14:13:12 +02:00
Florian Roth
825ff5520b
Merge pull request #1597 from SigmaHQ/rule-devel
config: add PrintService Operational
2021-07-01 10:27:43 +02:00
Florian Roth
63f3fd7e73
config: add PrintService Operational
2021-07-01 09:55:15 +02:00
Florian Roth
19962c6fe4
Merge pull request #1590 from SigmaHQ/rule-devel
config: mappings for Microsoft print service
2021-06-30 14:50:52 +02:00
Florian Roth
a49bfb14dd
refactor: Admin log - not Operational
2021-06-30 14:22:40 +02:00
Florian Roth
26cfbb9c34
config: mapping for Microsoft SMBClient service - security
2021-06-30 14:16:26 +02:00
Florian Roth
8262a1d98b
config: mappings for Microsoft print service
2021-06-30 14:09:44 +02:00
Florian Roth
abe353de66
Merge pull request #1561 from frack113/es_rule_add_more_tag
add multi custom tag for issue #1560
2021-06-25 12:25:28 +02:00
Florian Roth
2ad6401487
Merge pull request #1565 from SpeedyFireCyclone/powershell_fieldmappings
Generic remapping for PowerShell backend
2021-06-25 12:21:00 +02:00
Florian Roth
537d89d185
Merge pull request #1575 from SigmaHQ/rule-devel
rules: PurpleSharp, WMIC ActiveScriptEventConsumer
2021-06-25 12:15:35 +02:00
eocete
bfbd1c6487
Merge remote-tracking branch 'upstream/master' into master
2021-06-21 14:11:39 +02:00
eocete
4b92dbb90d
master: Added new Devo backend for the sigmac tool. Added three new backend configurations to support the Devo backend. Added a new test suite to cover the Devo backend cases.
2021-06-21 14:06:04 +02:00
Remco Hofman
a18c3952d9
More generic remapping for PowerShell backend
2021-06-20 07:58:01 +02:00
frack113
1f2c93a4e7
add multi custom tag for issue #1560
2021-06-17 08:05:44 +02:00
Florian Roth
ae06ebcae0
Merge pull request #1551 from xg5-simon/xg5-simon
Support for VMware Carbon Black Cloud EEDR
2021-06-10 18:35:16 +02:00
Florian Roth
bf40b64f91
docs: better title in crowdstrike config
2021-06-10 17:07:01 +02:00
Florian Roth
cd2792f82c
Merge pull request #1547 from frack113/new_filter_condition
Add New filter condition
2021-06-10 14:42:44 +02:00
Simon
1d081e300d
Support for VMware Carbon Black Cloud EEDR
Add support for VMware Carbon Black Cloud EEDR. Field mappings derived from https://developer.carbonblack.com/reference/carbon-black-cloud/cb-threathunter/latest/process-search-fields/
2021-06-10 21:45:29 +10:00
Florian Roth
ab3baa9463
Merge pull request #1534 from SpeedyFireCyclone/mdatp_serviceinstalled
MDATP ServiceInstalled mapping
2021-06-10 09:05:56 +02:00
frack113
a600e2dcaa
forgot a debug print
2021-06-10 08:49:15 +02:00
frack113
af1aee9541
Add filter condition= and condition!=
2021-06-10 08:26:19 +02:00
frack113
1b4d4cfb82
Add missing sysmon EventID
2021-06-09 12:52:38 +02:00
Joshua Roys
2034d36677
Add support for Elastic EQL
The EQL backend supports translation of the "near" aggregation into
EQL sequences. Additionally, the es-rule backend now has a sibling
es-rule-eql backend that outputs EQL queries instead of qs.
2021-06-08 13:38:38 -04:00
frack113
e66a3f9513
T1562.001 Attempting to disable scheduled scanning and other parts of Windows Defender ATP.
2021-06-07 15:03:19 +02:00
frack113
3d9fe490ab
Detect modification of sysmon configuration by sysmon
2021-06-04 11:27:15 +02:00
Remco Hofman
0aa05f53e9
MDATP ServiceInstalled event mapping
2021-06-03 21:43:52 +02:00
Florian Roth
2115bfcd75
Merge pull request #1519 from frack113/esrule_new_option
Add some fun backend option for es-rule
2021-06-03 20:50:44 +02:00
frack113
bf98f43850
Make powershell_alternate_powershell_hosts.yml more accurate by adding the correct channel for EventID
2021-06-01 10:47:17 +02:00
frack113
aa34ff8e3c
Addition of System channel for more accurate detection
2021-05-30 09:27:08 +02:00
frack113
7ec513f1d0
Fix error when using -< namefile.yml on the command line, as I never use it
2021-05-28 12:47:37 +02:00
frack113
b3a608599a
Add some fun backend option for es-rule
2021-05-28 10:51:08 +02:00
Florian Roth
6e31bc3037
Merge pull request #1485 from V1D1AN/master
Update ecs-zeek-elastic-beats-implementation.yml
2021-05-27 14:59:14 +02:00
Florian Roth
ffeda2a2a2
Merge pull request #1492 from frack113/es_rule_uuid
Fix errors when importing es-rule ndjson to Kibana
2021-05-27 10:24:39 +02:00
Florian Roth
f98716c672
Merge pull request #1500 from frack113/sigmac_add_time_filter
Sigmac add new filter
2021-05-27 10:16:19 +02:00
Florian Roth
d06f2bcf14
fix: sysmon backend "startswith"
2021-05-26 15:42:16 +02:00
Florian Roth
bb71860fb2
Merge pull request #1509 from vastlimits/feature/update-6.1
Updated uberAgent backend to support version 6.1.
2021-05-26 13:08:08 +02:00
frack113
0e688d8dd0
Add the 'logsource!=' filter
2021-05-22 09:04:30 +02:00
frack113
f213226eb4
Add the 'tag!=' filter
2021-05-22 08:57:42 +02:00
frack113
8aa3ea15d7
change to the more revealing name "inlastday"
2021-05-22 08:44:30 +02:00
frack113
8a8f003d15
add lastday filter to get only the rules updated or created in the last N days
lastday=0 is all :)
2021-05-21 19:31:06 +02:00
frack113
b92b765f9a
Fix import to Kibana error 400: severity is invalid.
2021-05-20 13:14:43 +02:00
frack113
cbb81cdf86
Fix import to Kibana error 400: risk_score is null.
risk_score is an integer.
If level is invalid, set to medium
2021-05-20 12:32:19 +02:00
frack113
f0974e9cf3
Fix: **false_positives** must be an array.
If null, add "Unknown".
If it is a string, convert it to a simple array row
2021-05-20 11:20:38 +02:00
frack113
76523c5dbf
fix [#1486](https://github.com/SigmaHQ/sigma/issues/1486).
rule_id is always a uuid now.
For a rule collection with only one uuid:
- the first detection gets the uuid
- the other detections get a new uuid
It is a palliative, because the secondary uuids are not kept between two launches.
Best practice is to use one uuid per detection and not per file.
2021-05-20 08:42:58 +02:00