Threat Hunting and Response Using Sigma


Why does Securonix support Sigma formats?

Cybersecurity professionals must navigate an ever-changing landscape of threats that no individual security engineer or organization can handle alone. To succeed, security professionals must work together to identify and resolve threats as a community and agree on common languages to effectively communicate with each other.

Securonix is committed to supporting open data formats in our products. We understand how important sharing information is within the security community. Sigma is an open, vendor-neutral format for describing log-based detection rules; we support it so that our customers can share detection content with the wider community and bring community-authored rules into the platform. Our Sigma integrations affirm our commitment to being an open platform and provide the resources needed to convert rules written in Sigma into queries for our SearchMore capabilities.

A Brief Introduction to Sigma

Sigma is to log events what YARA is to files and Snort is to network traffic: a generic signature format for describing detections in a way that is independent of any one SIEM. It gives SIEM platforms, detection engineers and malware researchers a common language. A Sigma rule is a YAML file with standardized sections (title, status, description, references, tags, logsource, detection, falsepositives, level). A converter translates the rule into each SIEM's native query language; the most important part is the detection section, which defines one or more selections and the condition that combines them.

Below is an example Sigma rule for the whoami use case (the command is typically run by an attacker after exploitation or privilege escalation, which is why the rule is tagged with the ATT&CK discovery technique T1033). It is written as a multi-document rule: a global header whose fields apply to every following document, then one document per log source.

```yaml
action: global
title: Whoami Execution
status: experimental
description: Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation but rarely used by administrators
references:
    - https://twitter.com/haroonmeer/status/939099379834658817
    - https://twitter.com/c_APT_ure/status/939475433711722497
author: Florian Roth
date: 2018/05/22
tags:
    - attack.discovery
    - attack.t1033
detection:
    condition: selection
falsepositives:
    - Admin activity
    - Scripts and administrative tools used in the monitored environment
level: high
---
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        CommandLine: whoami
---
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
    selection:
        EventID: 4688
        NewProcessName: '*\whoami.exe'
```

How does Securonix leverage Sigma to bolster security teams’ efforts?

Securonix translates Sigma rules into regex patterns that are run against live, raw data. The output is then ingested into Securonix to be used for correlation and alerting to aid security teams.

Below are the regex patterns generated from the same whoami rule, one per log-source document (the Sysmon EventID 1 document and the Security EventID 4688 document):

```shell
grep -P '^(?:.*(?=.*1)(?=.*whoami))'
grep -P '^(?:.*(?=.*4688)(?=.*.*\\whoami\.exe))'
```

Two caveats apply when these run against raw text rather than parsed fields. The lookaheads are unanchored, so `(?=.*1)` is satisfied by any line that contains the digit 1 anywhere, not only by a Sysmon EventID 1 record, which makes the Sysmon pattern much broader on raw data than the rule is on structured events. And the backslash before `whoami` must be escaped as `\\`: PCRE reads a bare `\w` as the word-character class, so `\whoami\.exe` would also match a path ending in `xhoami.exe`.
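The translation described in the two sections above (Sigma rule structure, and converting a rule into patterns that run over data), as an added example that is not Securonix's code and not the Sigma project's converter. The rule is taken in its parsed form (the three YAML documents as Python dicts, constructed inline rather than loaded from a file), the global document is merged into the per-source documents, each selection value is compiled into a regex with Sigma's `*` and `?` wildcards escaped correctly, and the result is run two ways over constructed sample input: field-aware against parsed events, and as the lookahead-style raw-line pattern the page shows. The sample events, raw lines and function names are assumptions made for the example.

```python
import re

# Parsed form of the Whoami rule quoted above: the three YAML documents
# (global header, Sysmon document, Security document) as a YAML loader would
# return them. Constructed inline so the example runs without PyYAML; only the
# fields the translation needs are carried.
SIGMA_DOCS = [
    {"action": "global", "title": "Whoami Execution", "level": "high",
     "detection": {"condition": "selection"}},
    {"logsource": {"product": "windows", "service": "sysmon"},
     "detection": {"selection": {"EventID": 1, "CommandLine": "whoami"}}},
    {"logsource": {"product": "windows", "service": "security"},
     "detection": {"selection": {"EventID": 4688,
                                 "NewProcessName": "*\\whoami.exe"}}},
]

# Constructed sample input (not real telemetry): parsed events for field-aware
# matching, raw lines for the grep-style patterns.
SAMPLE_EVENTS = [
    {"product": "windows", "service": "sysmon", "EventID": 1,
     "CommandLine": "whoami"},
    {"product": "windows", "service": "sysmon", "EventID": 1,
     "CommandLine": "whoami /all"},  # a plain `CommandLine: whoami` is exact-match
    {"product": "windows", "service": "security", "EventID": 4688,
     "NewProcessName": "C:\\Windows\\System32\\whoami.exe"},
    {"product": "windows", "service": "security", "EventID": 4688,
     "NewProcessName": "C:\\Tools\\xhoami.exe"},  # an unescaped \w would hit this
    {"product": "windows", "service": "security", "EventID": 4624,
     "NewProcessName": "C:\\Windows\\System32\\whoami.exe"},
]
RAW_LINES = [
    "EventID=1 CommandLine=whoami",
    "EventID=4688 NewProcessName=C:\\Windows\\System32\\whoami.exe",
    # a 4688 line that merely contains a '1' and the word whoami elsewhere
    "EventID=4688 NewProcessName=C:\\Users\\tech1\\svchost.exe ParentCommandLine=whoami",
]


def merge_global(docs):
    """Apply `action: global`: later documents inherit the global document's
    keys, with nested maps such as `detection` shallow-merged."""
    global_doc, rules = {}, []
    for doc in docs:
        if doc.get("action") == "global":
            global_doc = {k: v for k, v in doc.items() if k != "action"}
            continue
        merged = dict(global_doc)
        for key, value in doc.items():
            if isinstance(value, dict) and isinstance(merged.get(key), dict):
                merged[key] = {**merged[key], **value}
            else:
                merged[key] = value
        rules.append(merged)
    return rules


def value_to_regex(value):
    # Sigma value -> regex fragment: '*' is any string, '?' any one character,
    # everything else literal. re.escape turns the backslash in *\whoami.exe
    # into '\\', so the pattern cannot be misread as the \w character class.
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in str(value))


def compile_selection(selection):
    """{field: value or [values]} -> {field: anchored regex}; a list is OR."""
    compiled = {}
    for field, value in selection.items():
        values = value if isinstance(value, list) else [value]
        alternation = "|".join(value_to_regex(v) for v in values)
        compiled[field] = re.compile(f"^(?:{alternation})$", re.IGNORECASE)
    return compiled


def run_rule(docs, events):
    """Field-aware evaluation: a hit needs the matching logsource and every
    selection field matching (AND across fields). Returns (title, level, EventID)."""
    hits = []
    for rule in merge_global(docs):
        source = rule["logsource"]
        compiled = compile_selection(rule["detection"]["selection"])
        for event in events:
            if (event.get("product"), event.get("service")) != (source["product"], source["service"]):
                continue
            if all(f in event and rx.search(str(event[f])) for f, rx in compiled.items()):
                hits.append((rule["title"], rule["level"], event["EventID"]))
    return hits


def raw_line_regex(selection):
    """The lookahead form shown above for grep -P, built with proper escaping:
    one positive lookahead per value, each free to match anywhere in the line."""
    lookaheads = "".join(f"(?=.*{value_to_regex(v)})" for v in selection.values())
    return re.compile(f"^(?:.*{lookaheads})", re.IGNORECASE)


def run_raw(docs, lines):
    """Grep-style evaluation over raw text. Returns (service, line index) per hit;
    the Sysmon pattern also fires on the Security line that only contains a '1'."""
    hits = []
    for rule in merge_global(docs):
        pattern = raw_line_regex(rule["detection"]["selection"])
        hits.extend((rule["logsource"]["service"], i)
                    for i, line in enumerate(lines) if pattern.search(line))
    return hits


if __name__ == "__main__":
    for rule in merge_global(SIGMA_DOCS):
        print(rule["logsource"]["service"], raw_line_regex(rule["detection"]["selection"]).pattern)
    print(run_rule(SIGMA_DOCS, SAMPLE_EVENTS))
    print(run_raw(SIGMA_DOCS, RAW_LINES))
```

Run as a script it prints the two generated patterns, then the field-aware hits (the exact `whoami` Sysmon event and the `\whoami.exe` Security event only) and the raw-line hits, where the Sysmon pattern also claims the third raw line because it contains `tech1` and `whoami`. That difference is the practical reason to match on parsed fields where the SIEM has them and to treat raw-text patterns as a broad first filter.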


For more information on the Securonix Next-Gen SIEM solution, request a demo today.