pipelinelabo / DatalaiQ


Integration of DatalaiQ with Sigma Detection to detect any incidents #3

Open lota-1234 opened 3 weeks ago

lota-1234 commented 3 weeks ago

Sigma is a useful tool for sharing threat detection information, focused on detecting anomalies in log data such as computer processes, commands, and operations associated with malware or malicious tools. Sigma operates on threat data captured from various sources, while also enabling threat hunters to aggregate events which would otherwise be hard to detect through traditional methods. This means that threat hunters can derive actionable insights from high-fidelity data, and potentially catch an attempted attack earlier in the cyber kill chain.

Sigma is shared in a generic format that is applicable to any type of log file, and needs to be translated to implement into your SIEM tool such as Splunk Enterprise or Splunk Enterprise Security.

Additionally, leveraging Sigma rules supports analysts in moving up the pyramid of pain - from detecting single indicators of compromise (IOCs) contained in network traffic events to specific detections and patterns of behavior. When implemented effectively, Sigma rules can help filter out noise by alerting on multiple parts of a detection versus a single IOC correlation.

Log types supported by Sigma rules include:

- Operating system logs
- Event logs
- Process creation and auditing logs
- Sysmon events
- Proxy/VPN networking logs
- Web application logs
- Firewall logs

Splunk App references:

https://github.com/SigmaHQ/sigma

https://github.com/dstaulcu/TA-Sigma-Searches

https://github.com/P4T12ICK/Sigma-Hunting-App


We will integrate the MITRE ATT&CK framework with DatalaiQ. First of all we need to work on detection rule sets. Based on the detections we will integrate MITRE techniques and tactics by using lookup modules as a resource.

Here we chose Sigma rules, which need to be converted into DatalaiQ queries manually as there is no conversion tool available for DQ.

MITRE ATT&CK®

sigconverter.io - sigma rule converter

sigma/rules at master · SigmaHQ/sigma

Tasks are at https://github.com/orgs/pipelinelabo/projects/5/views/1?pane=issue&itemId=68636245
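As an added example (not code from DatalaiQ, SigmaHQ or this issue), the following Python shows what the manual translation step has to reproduce faithfully: how a Sigma detection block's selections, value modifiers (`|contains`, `|endswith`, `|all`) and `condition` combine when matched against process-creation events. The rule and events are constructed for the demo, and nothing about DatalaiQ's query syntax is assumed.

```python
# Added example (not DatalaiQ or SigmaHQ code): evaluate a Sigma detection block
# against process_creation events. Rule and events are constructed, shown as the
# dict PyYAML would return for the rule's YAML.
RULE = {"logsource": {"category": "process_creation", "product": "windows"},
        "detection": {"selection": {"Image|endswith": "\\certutil.exe",
                                    "CommandLine|contains|all": ["-urlcache", "http"]},
                      "filter_admin": {"User|startswith": "CORP\\svc_"},
                      "condition": "selection and not filter_admin"}}

def match_value(actual, expected, mods):
    """Apply one Sigma value modifier; Sigma string matching is case-insensitive."""
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    return (e in a if "contains" in mods else a.startswith(e) if "startswith" in mods
            else a.endswith(e) if "endswith" in mods else a == e)

def match_selection(selection, event):
    """Fields in a selection are ANDed; list values are ORed unless |all is set."""
    for key, expected in selection.items():
        field, *mods = key.split("|")
        values = expected if isinstance(expected, list) else [expected]
        hits = [match_value(event.get(field), v, mods) for v in values]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True

def eval_condition(cond, names):
    """Evaluate 'x and not y or z' with Sigma precedence (not > and > or); no parentheses."""
    result = False
    for term in cond.split(" or "):
        ok = True
        for atom in (t.strip() for t in term.split(" and ")):
            neg = atom.startswith("not ")
            ok = ok and names[atom[4:] if neg else atom] != neg  # != acts as XOR with "not"
        result = result or ok
    return result

def match_rule(rule, event):
    det = rule["detection"]
    names = {k: match_selection(v, event) for k, v in det.items() if k != "condition"}
    return eval_condition(det["condition"], names)

EVENTS = [  # constructed events: the first should alert, the second is filtered out
    {"Image": "C:\\Windows\\System32\\certutil.exe", "User": "CORP\\alice",
     "CommandLine": "certutil.exe -urlcache -split -f http://example.test/a.txt"},
    {"Image": "C:\\Windows\\System32\\certutil.exe", "User": "CORP\\svc_patch",
     "CommandLine": "certutil.exe -urlcache -f http://example.test/a.txt"}]

def alerting_users(rule=RULE, events=EVENTS):
    return [e["User"] for e in events if match_rule(rule, e)]  # ['CORP\\alice']
```

The same selection/condition semantics are what a hand-written DQ query must preserve, in particular the `|all` modifier (AND over list values) and the `not filter` exclusion.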