Implementing and running effective security logging systems is a complex task that takes a lot of work and money. For the most part, dumping logs into a backend logging system like a SIEM is like collecting a huge pile of garbage. This is a bit overwhelming when you actually think about the amount of work in the log ingest pipeline just to get logs into the SIEM, and then realize it's just a huge s%!+ pile. The reality is that most organizations have too many useless logs and too few useful logs.
To turn those logs into useful alert rules, reports and dashboards takes a lot of work. SIEM vendors tried to add these alert rules, reports and dashboards as SIEM "content" for their customers, but overwhelmingly pre-packaged SIEM content is not that useful. There are a number of reasons for this, including some extremely poor business decisions by SIEM vendors. In the SIEM vendors' defense, they don't know everyone's environment, so they need to make the pre-packaged content very generic. The pre-packaged SIEM content typically becomes so generic that it isn't useful.
In comes one of the major costs of making SIEMs effective: a cyber engineer who puts a lot of work into developing effective SIEM content for the implementation. In order to build this effective SIEM content, this cyber engineer not only needs time but also needs some fairly high-level skill sets. Some of the skills they need to be effective include:
Understanding of the logging system's/SIEM's log format and query syntax
System administration understanding of the underlying technology creating the logs (e.g., Windows, Linux, network, etc.)
What threat actors are doing and how their activities show up in logs as IOCs and TTPs
Incident Response (IR) concepts: how would the displayed results help an investigator, SOC analyst, etc.?
Plain old trial and error
If you have these experts working on your SIEM implementation, that is great and you are probably running a better security operation. But there are still some major problems looming. Let's say you want to move from Splunk to Elastic: who is going to change the syntax of all the log rules and queries? Additionally, there are new threats and technologies appearing all the time; who is going to do all the work to keep creating effective SIEM content for your organization?
Gitification of Log rules - Sigma
In 2017 security researchers Florian Roth and Thomas Patzke started something called the Sigma project. The goal of the Sigma project, https://github.com/SigmaHQ/sigma , is to abstract log detection rules to make them SIEM agnostic and more easily shareable between security researchers. An analogy many people use when describing Sigma is that Sigma is to event logs what YARA is to AV signatures and what SNORT/Suricata rules are to network traffic (i.e., Sigma is like signatures for logs).
The anatomy of a Sigma rule is simple. Rules are written in YAML format and start with a metadata section used to track data related to the rule, such as the title of the rule, author, references and tags. The main sections that define how the Sigma rule works are the "logsource" section (which log type and product the rule applies to) and the "detection" section (the field selections and the condition that combines them).
This standardization of log detection rules through Sigma allows for simpler transfer of log detection rules across SIEM platforms.
An added benefit of Sigma is that researcher log detections are vendor agnostic.
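As an added example (not code from the post, SOC Prime or the Sigma project), the following Python sketches the anatomy just described: a rule written as a dict mirroring its YAML, matched against constructed sample events and then rendered into two simplified query dialects to show the vendor-agnostic point. The rule, the events, the field names and the two backend syntaxes are all constructed assumptions, and only a small subset of Sigma's modifiers and condition grammar is handled.

```python
# Added example, not code from the post, SOC Prime or the Sigma project: a
# Sigma-style rule as a Python dict (mirroring its YAML), a small matcher run
# over constructed events, and a renderer for two simplified hypothetical dialects.
RULE = {                                   # constructed rule, not a SigmaHQ rule
    "title": "Whoami Execution",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\whoami.exe"},
        "filter": {"ParentImage|endswith": "\\cmd.exe"},   # hypothetical exclusion
        "condition": "selection and not filter",
    },
}
EVENTS = [                                 # constructed sample process events
    {"Image": "C:\\Windows\\System32\\whoami.exe", "ParentImage": "C:\\Windows\\System32\\powershell.exe"},
    {"Image": "C:\\Windows\\System32\\whoami.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
]

def _field_matches(event, key, value):
    """Evaluate one 'Field|modifier': value pair, case-insensitively as Sigma does."""
    field, _, modifier = key.partition("|")
    actual, value = str(event.get(field, "")).lower(), value.lower()
    if modifier == "contains":
        return value in actual
    if modifier == "endswith":
        return actual.endswith(value)
    return actual == value                 # no modifier: exact match

def _block_matches(event, block): return all(_field_matches(event, k, v) for k, v in block.items())

def rule_matches(rule, event):
    """Handle conditions 'X' or 'X and not Y', a subset of Sigma's grammar."""
    det, tokens = rule["detection"], rule["detection"]["condition"].split()
    hit = _block_matches(event, det[tokens[0]])
    return hit and not (tokens[1:3] == ["and", "not"] and _block_matches(event, det[tokens[3]]))

def render(rule, backend):
    """Same rule in two dialects: 'splunk_like' uses field=, 'lucene_like' uses field:."""
    sep = "=" if backend == "splunk_like" else ":"
    def clause(block):
        out = []
        for key, value in block.items():
            field, _, modifier = key.partition("|")
            glob = {"contains": f"*{value}*", "endswith": f"*{value}"}.get(modifier, value)
            out.append(f'{field}{sep}"{glob}"')
        return " AND ".join(out)
    det, tokens = rule["detection"], rule["detection"]["condition"].split()
    query = clause(det[tokens[0]])
    return query + (f" AND NOT ({clause(det[tokens[3]])})" if tokens[1:3] == ["and", "not"] else "")
```

Running `rule_matches(RULE, e)` over EVENTS yields one hit (the first event), while `render(RULE, "splunk_like")` and `render(RULE, "lucene_like")` produce two different query strings from the same unchanged rule.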
What is SOC Prime?
SOC Prime https://socprime.com/ is a for-profit company started by the founders of Sigma. SOC Prime isn't necessary to use Sigma rules; anyone can use Sigma rules.
The value add of SOC Prime is that if you purchase their paid-for service you get:
Access to their Sigma rules conversions service
Access to new emerging log threat detection rules developed by their researchers
Access to SOC Prime community developed log detection rules content
List of SOC Prime supported SIEM platforms.
The graphic below shows how Florian Roth quickly developed a Sigma log detection rule for the high-profile exploit CVE-2023-23397 (Outlook).
With a service like SOC Prime you can quickly convert this rule into your SIEM platform's query syntax and integrate it into your SOC rule alerting, reports/dashboards and threat hunting programs.
Other Good References Related to Sigma
A site that converts Sigma rules into log queries for platforms like Splunk, Elastic, etc.