SigmaHQ/CHANGELOG.md
2021-08-14 00:25:12 +02:00


# Release Notes
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html)
from version 0.14.0.
## 0.20 - 2021-08-14
### Added
* Devo backend
* Fields selection added to SQL backend
* Linux/macOS support for MDATP backend
* Output results as generic YAML/JSON
* Hash normalization option (hash_normalize) for Elasticsearch wildcard handling
* ALA AWS Cloudtrail and Azure mappings
* LogRhythm backend
* Splunk Data Models backend
* Further log sources used in open source Sigma ruleset
* CarbonBlack EDR backend
* Elastic EQL backend
* Additional conversion selection filters
* Filter negation
* Specify table in SQL backend
* Generic registry event log source
* Chronicle backend
### Changed
* Elastic Watcher backend populates name attribute instead of title.
* One-item list optimization
* Updated Winlogbeat mapping
* Generic mapping for PowerShell backend
### Fixed
* Elastalert multi output file
* Fixed duplicate output in ElastAlert backend
* Escaping in Graylog backend
* es-rule NDJSON output
* Various fixes of known bugs
## 0.19.1 - 2021-02-28
### Changed
* Added LGPL license to distribution
## 0.19 - 2021-02-23
### Added
* New parameters for Elastic backends
* Various field mappings
* FireEye Helix backend
* Generic log source image_load
* Kibana NDJSON backend
* uberAgent ESA backend
* SumoLogic CSE backend
### Changed
* Updated mdatp backend fields
* QRadar query generation optimized
* MDATP: case-insensitive search
### Fixed
* QRadar implementation now creates valid AQL queries
* Nested conditions
* Various minor bug fixes
## 0.18.1 - 2020-08-25
Release created for technical reasons (issues with extended README and PyPI), no real changes done.
## 0.18.0 - 2020-08-25
### Added
* C# backend
* STIX backend
* Options to xpack-watcher backend (action_throttle_period, mail_from acaw, mail_profile and others)
* More generic log sources
* Windows Defender log sources
* Generic DNS query log source
* AppLocker log source
### Changed
* Improved backend and configuration descriptions
* Microsoft Defender ATP mapping updated
* Improved handling of wildcards in Elastic backends
### Fixed
* PowerShell backend: key name was incorrectly added into regular expression
* Grouping issue in Carbon Black backend
* Handling of default field mapping in case a field is referenced multiple times from a rule
* Code cleanup and various fixes
* Log source mappings in configurations
* Handling of conditional field mappings by Elastic backends
## 0.17.0 - 2020-06-12
### Added
* LOGIQ Backend (logiq)
* CarbonBlack backend (carbonblack) and field mappings
* Elasticsearch detection rule backend (es-rule)
* ee-outliers backend
* CrowdStrike backend (crowdstrike)
* Humio backend (humio)
* Aggregations in SQL backend
* SQLite backend (sqlite)
* AWS Cloudtrail ECS mappings
* Overrides
* Zeek configurations for various backends
* Case-insensitive matching for Elasticsearch
* ECS proxy mappings
* RuleName field mapping for Winlogbeat
* sigma2attack tool
### Changed
* Improved usage of keyword fields for Elasticsearch-based backends
* Splunk XML backend rule titles from sigma rule instead of file name
* Moved backend option list to --help-backend
* Microsoft Defender ATP schema improvements
### Fixed
* Splunk XML rule name is now set to rule title
* Backend list deduplicated
* Wrong escaping of wildcard at end of value when startswith modifier is used.
* Direct execution of tools on Windows systems by addition of script entry points
## 0.16.0 - 2020-02-25
### Added
* Proxy field names to ECS mapping (ecs-proxy) configuration
* False positives metadata to LimaCharlie backend
* Additional aggregation capabilities for es-dsl backend
* Azure log analytics rule backend (ala-rule)
* SQL backend
* Splunk Zeek sourcetype mapping config
* sigma2attack script
* Carbon Black backend and configuration
* ArcSight ESM backend
* Elasticsearch detection rule backend
### Changed
* Kibana object id is now the Sigma rule id if available; otherwise the old naming scheme is used.
* sigma2misp: replacement of deprecated method usage.
* Various configuration updates
* Extended ArcSight mapping
### Fixed
* Fixed aggregation queries for Elastalert backend
* Fixed aggregation queries for es-dsl backend
* Backend and configuration lists are sorted.
* Escaping in ala backend
## 0.15.0 - 2019-12-06
### Added
* sigma-uuid tool for addition and check of Sigma rule identifiers
* Default configurations
* Restriction of compared rules in sigma-similarity
* Regular expression support in es-dsl backend
* LimaCharlie support for proxy rule category
* Source distribution for PyPI
### Changed
* Type errors are now ignored with -I
### Fixed
* Removed wrong CommandLine field mapping in THOR config
## 0.14 - 2019-11-10
### Added
* sigma-similarity tool
* LimaCharlie backend
* Default configurations for some backends that are used if no configuration is passed.
* Regular expression support for es-dsl backend (propagates to backends derived from this like elastalert-dsl)
* Value modifiers:
  * startswith
  * endswith
### Changed
* Removal of line breaks in elastalert output
* Searches not bound to fields are restricted to keyword fields in es-qs backend
* Graylog backend now based on es-qs backend
### Fixed
* Removed ProcessCommandLine mapping for Windows Security EventID 4688 in generic process creation log source configuration.
## 0.13 - 2019-10-21
### Added
* Index mappings for Sumologic
* Malicious cmdlets in mdatp
* QRadar support for keyword searches
* QRadar mapping improvements
* QRadar field selection
* QRadar type regex modifier support
* Elasticsearch keyword field blacklisting with wildcards
* Added dateField configuration parameter in xpack-watcher backend
* Field mappings in configurations
* Field name mapping for conditional fields
* Value modifiers:
  * utf16
  * utf16le
  * wide
  * utf16be
### Changed
* Improved --backend-config help text
### Fixed
* Backend errors in ala
* Slash escaping within es-dsl wildcard queries
* QRadar backend config
* QRadar field name and value escaping and handling
* Elasticsearch wildcard detection pattern
* Aggregation on keyword field in es-dsl backend
## 0.12.1 - 2019-08-05
### Fixed
* Missing build dependency
## 0.12 - 2019-08-01
### Added
* Usage of "Channel" field in ELK Windows configuration
* Fields to mappings
* xpack-watcher actions index and webhook
* Config for Winlogbeat 7.x
* Value modifiers
* Regular expression support
### Changed
* Warning/error messages
* Sumologic value cleaning
* Explicit OR for Elasticsearch query strings
* Listing of available configurations on missing configuration error
### Fixed
* Conditions in es-dsl backend
* Sumologic handling of null values
* Ignore timeframe detection keyword in all/any of conditions