Integrate Sigma rules via OpenSearch Security Analytics #162

mmguero · 2023-03-14T14:57:57Z

How could Malcolm integrate sigma?

Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.

Sigma is for log files what Snort is for network traffic and YARA is for files.

OpenSearch Security Analytics plugin uses Sigma. Malcolm actually includes this plugin just because it's part of OpenSearch, but we're not really doing anything with it.
I think Elastic SIEM does as well (?)

mavam · 2023-03-14T19:19:33Z

The current sigmac is going to be deprecated by the end of the year. If you start with this now, I would highly recommend going the pySigma route. That said, I don't know whether the Elasticsearch backend also supports OpenSearch.

You could also consider writing a transpiler, as we did in VAST.

mmguero · 2023-03-14T19:32:37Z

Thanks for the suggestion!

mmguero · 2024-10-03T16:03:53Z

Sigma taxonomy
- for mapping, note how product and service seem pretty much to line up with our event.provider and event.dataset.
log types and mapping

mmguero · 2024-10-03T20:56:57Z

See this thread for an issue I'm having.

mmguero · 2024-11-05T05:05:28Z

Kamino closed and cloned this issue to cisagov/Malcolm

mmguero added enhancement New feature or request research Research or proof-of-concept for an idea labels Mar 14, 2023

mmguero added this to Malcolm Mar 14, 2023

mmguero moved this to Todo (spike) in Malcolm Mar 14, 2023

mmguero mentioned this issue Sep 5, 2023

research and create detectors for items from the Known Exploited Vulnerabilities Catalog #251

Closed

mmguero added the CISA label Nov 13, 2023

mmguero added this to the z.staging milestone Jan 15, 2024

mmguero modified the milestones: z.staging, v24.04.0, v24.05.0 Mar 27, 2024

mmguero modified the milestones: v24.05.0, z.staging Apr 8, 2024

mmguero removed the CISA label May 7, 2024

mmguero modified the milestone: z.staging Aug 20, 2024

mmguero modified the milestones: z.staging, v24.10.0 Oct 1, 2024

mmguero self-assigned this Oct 3, 2024

mmguero moved this from Todo (investigate) to In Progress in Malcolm Oct 3, 2024

mmguero added dashboards Relating to Malcolm's OpenSearch Dashboards interface logstash Relating to Malcolm's use of Logstash and removed research Research or proof-of-concept for an idea labels Oct 3, 2024

mmguero changed the title ~~sigma rules integration~~ Integrate Sigma rules via OpenSearch Security Analytics Oct 3, 2024

mmguero modified the milestones: v24.10.0, v24.10.1 Oct 7, 2024

mmguero modified the milestones: v24.10.1, z.staging Oct 9, 2024

mmguero mentioned this issue Nov 5, 2024

Integrate Sigma rules via OpenSearch Security Analytics cisagov/Malcolm#475

Open

mmguero closed this as completed Nov 5, 2024

github-project-automation bot moved this from In Progress to Done in Malcolm Nov 5, 2024

mmguero moved this from Done to Migrated in Malcolm Nov 5, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Integrate Sigma rules via OpenSearch Security Analytics #162

Integrate Sigma rules via OpenSearch Security Analytics #162

mmguero commented Mar 14, 2023

mavam commented Mar 14, 2023

mmguero commented Mar 14, 2023

mmguero commented Oct 3, 2024

mmguero commented Oct 3, 2024

mmguero commented Nov 5, 2024

Integrate Sigma rules via OpenSearch Security Analytics #162

Integrate Sigma rules via OpenSearch Security Analytics #162

Comments

mmguero commented Mar 14, 2023

mavam commented Mar 14, 2023

mmguero commented Mar 14, 2023

mmguero commented Oct 3, 2024

mmguero commented Oct 3, 2024

mmguero commented Nov 5, 2024