
Integrate Sigma rules via OpenSearch Security Analytics #475

Open
mmguero opened this issue Nov 5, 2024 · 4 comments
Assignees
Labels
dashboards Relating to Malcolm's OpenSearch Dashboards interface enhancement New feature or request logstash Relating to Malcolm's use of Logstash
Milestone

Comments

@mmguero
Collaborator

mmguero commented Nov 5, 2024

@mmguero cloned issue idaholab/Malcolm#162 on 2023-03-14:

How could Malcolm integrate sigma?

Sigma:

Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.

Sigma is for log files what Snort is for network traffic and YARA is for files.

  • OpenSearch Security Analytics plugin uses Sigma. Malcolm actually includes this plugin just because it's part of OpenSearch, but we're not really doing anything with it.

  • I think Elastic SIEM does as well (?)
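To make the "structured form" of a Sigma detection concrete, here is an added example (not code from Malcolm, pySigma, or the OpenSearch Security Analytics plugin) that evaluates the core of the Sigma detection language over log events held as Python dicts. It implements only the subset needed to show how a rule is matched: a selection as a dict (all fields must match) or a list of dicts (any may match), list-valued fields (any value matches), the `|contains`, `|startswith` and `|endswith` modifiers, and conditions built from `and`, `or`, `not` and parentheses. The rule, the ECS-style field names and the events are constructed for the illustration.

```python
"""Minimal evaluator for the core of the Sigma detection language.

Added example; not the Malcolm project's code and not the pySigma or
OpenSearch Security Analytics implementation. Unsupported Sigma features
(keyword lists, |all, |re, aggregation expressions, "1 of", "all of")
raise rather than silently mis-matching.
"""
import fnmatch

# Constructed rule: a successful SSH login whose source is outside the
# (assumed) management ranges. Field names are ECS-style assumptions.
RULE = {
    "title": "SSH login from outside the management network",
    "logsource": {"product": "zeek", "service": "ssh"},
    "detection": {
        "selection": {
            "event.dataset": "ssh",
            "zeek.ssh.auth_success": True,
        },
        "filter_mgmt": {
            "source.ip|startswith": ["10.0.100.", "10.0.101."],
        },
        "condition": "selection and not filter_mgmt",
    },
    "level": "medium",
}

# Constructed sample events (one per case the rule has to discriminate).
EVENTS = [
    {"event.dataset": "ssh", "zeek.ssh.auth_success": True, "source.ip": "10.0.100.7"},   # inside mgmt range
    {"event.dataset": "ssh", "zeek.ssh.auth_success": True, "source.ip": "192.0.2.44"},   # should alert
    {"event.dataset": "ssh", "zeek.ssh.auth_success": False, "source.ip": "192.0.2.44"},  # failed login
    {"event.dataset": "conn", "source.ip": "192.0.2.44"},                                 # wrong dataset
]


def match_value(expected, actual, modifier):
    """Compare one rule value with one event value. Sigma string matching is
    case-insensitive; unmodified strings may carry * and ? wildcards."""
    if actual is None:
        return False
    if isinstance(expected, bool) or isinstance(actual, bool):
        return expected == actual
    exp, act = str(expected).lower(), str(actual).lower()
    if modifier is None:
        return fnmatch.fnmatchcase(act, exp)
    if modifier == "contains":
        return exp in act
    if modifier == "startswith":
        return act.startswith(exp)
    if modifier == "endswith":
        return act.endswith(exp)
    raise ValueError(f"unsupported modifier: {modifier}")


def match_field(key, expected, event):
    """'field|modifier': a list of expected values is an OR."""
    field, _, modifier = key.partition("|")
    values = expected if isinstance(expected, list) else [expected]
    actual = event.get(field)
    return any(match_value(v, actual, modifier or None) for v in values)


def match_selection(selection, event):
    """A dict is an AND over its fields; a list of dicts is an OR."""
    if isinstance(selection, list):
        if not all(isinstance(s, dict) for s in selection):
            raise ValueError("keyword lists are not supported in this example")
        return any(match_selection(s, event) for s in selection)
    return all(match_field(k, v, event) for k, v in selection.items())


def eval_condition(condition, detection, event):
    """Recursive-descent evaluation of 'a and not (b or c)' style conditions.
    Both sides of and/or are always parsed so tokens are consumed correctly."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        value = parse_and()
        while peek() == "or":
            take()
            rhs = parse_and()
            value = value or rhs
        return value

    def parse_and():
        value = parse_not()
        while peek() == "and":
            take()
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        if peek() == "not":
            take()
            return not parse_not()
        return parse_atom()

    def parse_atom():
        tok = take()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return value
        if tok is None or tok == "condition" or tok not in detection:
            raise KeyError(f"unknown search identifier: {tok}")
        return match_selection(detection[tok], event)

    result = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in condition: {tokens[pos:]}")
    return result


def run_rule(rule, events):
    """Return the indexes of the events the rule fires on."""
    det = rule["detection"]
    return [i for i, ev in enumerate(events) if eval_condition(det["condition"], det, ev)]


if __name__ == "__main__":
    for i in run_rule(RULE, EVENTS):
        print(f"[{RULE['level']}] {RULE['title']}: {EVENTS[i]}")
```

A real deployment would hand the same rule to pySigma and a backend to produce an OpenSearch query rather than evaluating it event by event in Python; the value of the toy evaluator is that it makes the AND/OR/NOT semantics of selections and the `condition` line explicit, which is where hand-written rules most often fire too broadly or not at all.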

@mmguero mmguero added dashboards Relating to Malcolm's OpenSearch Dashboards interface enhancement New feature or request logstash Relating to Malcolm's use of Logstash labels Nov 5, 2024
@mmguero
Collaborator Author

mmguero commented Nov 5, 2024

@mavam commented on 2023-03-14:

The current sigmac is going to be deprecated by the end of the year. If you start with this now, I would highly recommend going the pySigma route. That said, I don't know whether the Elasticsearch backend also supports OpenSearch.

You could also consider writing a transpiler, as we did in VAST.

@mmguero
Collaborator Author

mmguero commented Nov 5, 2024

@mmguero commented on 2023-03-14:

Thanks for the suggestion!

@mmguero
Collaborator Author

mmguero commented Nov 5, 2024

@mmguero commented on 2024-10-03:

@mmguero
Collaborator Author

mmguero commented Nov 5, 2024

@mmguero commented on 2024-10-03:

See this thread for an issue I'm having.

@mmguero mmguero added this to Malcolm Nov 5, 2024
@mmguero mmguero added this to the z.staging milestone Nov 5, 2024
@mmguero mmguero self-assigned this Nov 5, 2024
Projects
Status: No status
Development

No branches or pull requests

1 participant