This is the sixth installment of our series on Q:CYBER. In part 1 we covered how to configure NXLog to forward Windows Event Logs (WEL) into Q:CYBER. In part 2 we described in more detail how our streaming rules engine works. In part 3 we reviewed how to create simple rules using the Q:CYBER Rules Builder. In part 4 we discussed how to use Q:CYBER rule templates to detect Pass-the-Hash attacks based on Windows Event Logs. And in our last installment we explored how to create windowed rules in Q:CYBER to support advanced detections (such as password spraying attacks). In this post we're going to explore a related topic: how to use the open-source Sigma signature rule specification in Q:CYBER.

The security community has released many great resources to help with building an effective security program. One such example is the community-driven Sigma rule specification. According to the Sigma documentation, "Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others. Sigma is for log files what Snort is for network traffic and YARA is for files." The public Sigma repository is full of rules contributed by the security community, including detections for Windows, Linux, and AWS services among many others.

In this post we will show you an example of how to translate a Sigma rule into a streaming Q:CYBER rule using the Rules Builder workflow. The example below will cover the basic components of the Sigma specification. For more detailed information see the Sigma wiki, which is well documented and easy to read.
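As an added illustration (not the post's own example and not Q:CYBER code), the Python below evaluates the basic components of a Sigma rule against log events the way a streaming rules engine tests each event as it arrives: a `logsource`, a `detection` section with a `selection` block and a `filter` block, value modifiers such as `|contains` and `|endswith`, list values meaning OR, and a `condition` that combines the blocks. The rule and the Windows process-creation events are constructed for this example, and the rule is written as a dict that mirrors the Sigma YAML layout rather than being parsed from YAML.

```python
import fnmatch  # plain Sigma values may use * and ? wildcards
RULE = {  # constructed rule written as a dict that mirrors the Sigma YAML layout
    "title": "Encoded PowerShell or cmd launch (constructed example)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"EventID": 4688,
                      "NewProcessName|endswith": ["\\powershell.exe", "\\cmd.exe"],
                      "CommandLine|contains": "-enc"},
        "filter": {"SubjectUserName|endswith": "$"},  # ignore machine accounts
        "condition": "selection and not filter",
    },
}
EVENTS = [  # constructed Security 4688-style events, not real telemetry
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -enc AAAA", "SubjectUserName": "alice"},
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "SubjectUserName": "alice"},
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -enc AAAA", "SubjectUserName": "WS01$"},
]

def _value_matches(modifier, expected, actual):
    # Sigma string matching is case-insensitive; a modifier refines the comparison
    actual, expected = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return expected in actual
    if modifier == "endswith":
        return actual.endswith(expected)
    return fnmatch.fnmatchcase(actual, expected)  # plain value, wildcards allowed

def _block_matches(block, event):
    """All fields of a detection block must match (AND); a list of values is OR."""
    for key, expected in block.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if field not in event or not any(_value_matches(modifier, v, event[field]) for v in values):
            return False
    return True

def evaluate(rule, event):
    """Resolve the condition: block names become booleans; only and/or/not/() are allowed."""
    det, expr = rule["detection"], []
    for tok in det["condition"].replace("(", " ( ").replace(")", " ) ").split():
        if tok in {"and", "or", "not", "(", ")"}:
            expr.append(tok)
        elif tok in det:
            expr.append(str(_block_matches(det[tok], event)))
        else:
            raise ValueError(f"unsupported condition token: {tok}")
    return eval(" ".join(expr), {"__builtins__": {}}, {})  # expr holds only True/False/operators
```

Only the first event fires: the second lacks `-enc`, and the third matches the selection but is excluded by the machine-account filter.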