Commit Graph

175 Commits

Author SHA1 Message Date
jaegeral
e1f43f17c2 fixed various spelling errors all over rules and source code 2021-02-24 14:43:13 +00:00
Florian Roth
11c216629b fix: thor sources for applocker with wrong prefix 2021-01-07 12:27:37 +01:00
maravedi
fa6f75f07e
Update sumologic.yml
The commit from vihreb on October 6, 2020 (51df5ad876) removed some items from the allowed fields list for the sumologic backend (51df5ad876/tools/sigma/backends/sumologic.py (L161)) with the expectation that they are included in the sumologic config, however the default sumologic config does not reflect that change. This breaks the parsing of maps from rules. For example, when trying to run sigmac on a rule with multiple EventID values, the result is an error that states "argument of type 'int' is not iterable."

I suspect that this change in the behavior of the backend was made to accommodate for new sumologic-cse config which may not need the additional allowed fields that the regular sumologic config does. As such, I think it would probably make the most sense to re-add these fields to the sumologic config file rather than directly back into the backend for sumologic.

Note: In the config, I did not include those fields that are presently hard coded in the allowed field list in the sumologic backend (e.g. _sourceCategory and _view were removed). I also removed "sourcename" since from what I can tell, the syntax that vihreb added to the sumologic backend "_sourceName" is actually correct.
2020-12-28 16:46:32 -05:00
Florian Roth
d1f7a206b9
Merge pull request #1289 from weslambert/master
Fix typo
2020-12-13 19:04:07 +01:00
findthebad
ad899899ab Updated winlogbeat.yml config to include OriginalFileName 2020-11-26 14:48:14 -05:00
Helge Aksdal
3a7c114ca3 Fix field mapping for DestinationHostname 2020-11-26 04:17:28 +01:00
Thomas Patzke
0ed54a6cae
Merge pull request #1290 from arollyson/helix_backend
Backend: FireEye Helix
2020-11-21 00:06:19 +01:00
Alek Rollyson
83b8af6cd2 Add FireEye Helix backend 2020-11-19 11:18:28 -05:00
weslambert
832e582b8d Fix typo 2020-11-17 17:44:40 -05:00
Florian Roth
9944c0e563 Merge branch 'master' into pr/1267 2020-11-17 14:33:55 +01:00
heyibrahimkhan@gmail.com
eed4fe04d5 added role name field to ecs-cloudtrail. 2020-11-13 05:59:55 +05:00
Thomas Patzke
43b9b17767
Merge pull request #1281 from andurin/kibana-ndjson-configs
kibana-ndjson for all configs which already have kibana
2020-11-11 07:34:37 +01:00
Hendrik
7e742cc049 kibana-ndjson for all configs which already have kibana 2020-11-09 08:46:17 +01:00
Hendrik
bf5d40eec3 New Backend - Kibana NDJSON
Tested against 7.9.3
2020-11-05 23:34:25 +01:00
Jonhnathan
90e211bad8 Create ecs-suricata.yml 2020-11-01 21:21:04 -03:00
vh
51df5ad876 Added:
Sumo Logic CSE Rule Backend

Updated:
Mapping dependence on logsource
Azure Sentinel Query Backend
MDATP: query with few logsources
CROWDSTRIKE: fix generateMapItemTypedNode
2020-10-06 15:07:52 +03:00
snake-jump
64035fd799 initial commit for Netwitness-EPL backend 2020-09-10 17:12:12 +02:00
tung12
172f7b371e Change mapped Image to path 2020-08-17 15:05:44 +07:00
Dermott, Scott J
7e6828dd40 + Adding Mitre Sub-Techniques and python update script to fetch latest Pre, Enterprise & Mobile Tactics and Techniques from Mitre CTI 2020-08-13 10:24:44 +01:00
bar
8352eefe22 STIX Support keywords (value without field) 2020-07-28 18:52:02 +03:00
bar
de475bb500 updated STIX mapping for more rule fields 2020-07-27 14:36:30 +03:00
bar
9643e01b54 extension should use '..' 2020-07-26 12:16:48 +03:00
bar
5019f2f160 added mapping for stix web, cloud, linux 2020-07-22 21:41:46 +03:00
bar
0543ec1ae3 mapping update, removed unused fields 2020-07-21 19:49:26 +03:00
bar
83623f396c Merge remote-tracking branch 'upstream/master' 2020-07-21 17:22:06 +03:00
bar
da30266c60 ImageLoaded mapping added 2020-07-21 17:21:14 +03:00
Sander
94272c7770 Revert "Ref #933 - Added windows Process Creation to config"
This reverts commit 6c35a7afa0.
2020-07-16 14:30:17 +02:00
Sander
6c35a7afa0 Ref #933 - Added windows Process Creation to config 2020-07-16 13:16:57 +02:00
Pushkarev Dmitry
6c999df3b7 Added AppLocker log source 2020-07-13 20:48:06 +00:00
Pushkarev Dmitry
8e3f973e69 Added AppLocker log source 2020-07-13 20:46:49 +00:00
Pushkarev Dmitry
bdfb646228 Added AppLocker log source 2020-07-13 20:45:30 +00:00
Pushkarev Dmitry
364af53902 Added AppLocker log source 2020-07-13 20:44:03 +00:00
Pushkarev Dmitry
326cf05a74 Added AppLocker log source 2020-07-13 20:41:54 +00:00
Pushkarev Dmitry
46a6183745 Added AppLocker log source 2020-07-13 20:32:03 +00:00
Pushkarev Dmitry
a58e037509 Added AppLocker log source 2020-07-13 20:30:02 +00:00
Pushkarev Dmitry
7fb2e2b845 Added AppLocker log source 2020-07-13 20:29:13 +00:00
Pushkarev Dmitry
e376948258 Added AppLocker log source 2020-07-13 20:27:52 +00:00
Pushkarev Dmitry
0d925896b9 Added AppLocker log source 2020-07-13 20:23:42 +00:00
Pushkarev Dmitry
c30a256030 Added AppLocker log source 2020-07-13 20:21:46 +00:00
Pushkarev Dmitry
1da229e3a9 Added AppLocker log source 2020-07-13 20:20:28 +00:00
Pushkarev Dmitry
3a19e3cf23 Added AppLocker log source 2020-07-13 20:18:01 +00:00
bar
ca7cf8478d - IntegrityLevel mapping to integritylevel 2020-07-08 19:37:24 +03:00
bar
8855a87dbf - TargetProcessAddress mapping should be as startaddress mapping
- remove extra '-'
2020-07-08 17:35:57 +03:00
bar
8889ae21ca DestinationPort to network-traffic:dst_port mapping fix 2020-07-08 14:31:04 +03:00
bar
acbab2db4b stix backend + mapping configurations for windows logs and qradar 2020-07-07 15:04:16 +03:00
Florian Roth
c8ca55b3e4 fix: duplicate wrong old key 2020-07-06 17:14:59 +02:00
Florian Roth
cc31ed8b84 fix: missing NTLM log source in THOR 2020-07-06 17:07:06 +02:00
Thomas Patzke
939156fa6d Introduced dns_query log source category 2020-07-05 23:29:51 +02:00
Brad Kish
8b3b312c4e Proposed fix for https://github.com/Neo23x0/sigma/issues/889
This change removes dns events from the network connection category. The
one change is that sysmon_regsvr32_network_activity.yml needs to test
the network connection category separately from the DNS event id.
2020-07-03 16:28:19 -04:00
Thomas Patzke
43e5ae5d24 Added Windows NTLM log source + fixes 2020-07-02 23:20:36 +02:00