Detection Guide
In S1EM, the Sigma rules are automatically injected into Kibana.
Thanks to Frack113's work on Sigma, each alert carries information for analysts, such as the URL of the Sigma rule and additional tags.
For this example, I run a "Whoami":
I have the detection of my "Whoami" in the Kibana interface:
If you click on the Analyze icon in Kibana:
You see the full path of the "Whoami" execution:
Now, if you want to send the alert to TheHive, select the alerts, click on "Selected alerts" and choose "Mark as acknowledged":
Your alert arrives in TheHive:
You can click on "Preview import" to see the alert:
If you want to use the Elasticsearch prebuilt rules, go to the Kibana interface:
Security >> Detections >> Manage Detection Rules >> Load Elastic prebuilt rules
With S1EM, the "suricata-rules.ndjson" file in the sigma folder is imported into Elastic SIEM, so you get Suricata detections:
If you click on "Detection suricata", you see the details of the rule:
Elastic SIEM now shows the "Suricata" alerts:
With S1EM, the "ioc-rules.ndjson" file in the elastic folder is imported into Elastic SIEM, so you get detections based on the indicators of compromise from MISP:
With S1EM, the "yara-rules.ndjson" file in the elastic folder is imported into Elastic SIEM, so you get detections based on the YARA rules from Yara-Rules (https://github.com/Yara-Rules/rules):
With S1EM, the "clamav-rules.ndjson" file in the elastic folder is imported into Elastic SIEM, so you get detections based on ClamAV rules:
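Before loading a bundle such as "suricata-rules.ndjson" or "ioc-rules.ndjson", it is worth checking what the import will actually create. The following is an added Python example, not part of S1EM: it parses the Kibana detection-rule export format (one JSON object per line, with an export summary as the last line) and reports rule counts by type, disabled rules, rules without a source URL tag, and whether the summary count matches. The sample bundle, its rule names, ids and URL are constructed placeholders.

```python
import json
from collections import Counter

REQUIRED = ("rule_id", "name", "type", "enabled")

# Constructed sample bundle in the Kibana detection-rule export format
# (one JSON object per line, export summary last). Not a real S1EM file;
# rule ids, names and the URL are placeholders.
SAMPLE_NDJSON = "\n".join(json.dumps(o) for o in [
    {"rule_id": "r-1", "name": "Whoami Execution", "type": "query", "enabled": True,
     "query": 'process.name:"whoami.exe"',
     "tags": ["sigma", "https://example.invalid/sigma/whoami.yml"]},
    {"rule_id": "r-2", "name": "Suricata ET Alert", "type": "query", "enabled": True,
     "query": 'event.module:"suricata"', "tags": ["suricata"]},
    {"rule_id": "r-3", "name": "MISP IoC Match", "type": "threat_match", "enabled": False,
     "tags": ["misp", "ioc"]},
    {"exported_count": 3, "missing_rules": [], "missing_rules_count": 0},
])


def parse_rule_bundle(text):
    """Split an ndjson bundle into (rules, summary); raise on malformed lines."""
    rules, summary = [], None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: invalid JSON ({exc.msg})") from None
        if "exported_count" in obj:  # Kibana appends this summary object last
            summary = obj
            continue
        missing = [k for k in REQUIRED if k not in obj]
        if missing:
            raise ValueError(f"line {lineno}: rule missing {missing}")
        rules.append(obj)
    return rules, summary


def audit_rules(rules, summary):
    """Report what an import would load and flag rules lacking a source URL tag."""
    return {
        "by_type": dict(Counter(r["type"] for r in rules)),
        "disabled": [r["name"] for r in rules if not r["enabled"]],
        "no_url_tag": [r["name"] for r in rules
                       if not any(t.startswith("http") for t in r.get("tags", []))],
        "count_matches_summary": summary is None or summary["exported_count"] == len(rules),
    }


if __name__ == "__main__":
    print(json.dumps(audit_rules(*parse_rule_bundle(SAMPLE_NDJSON)), indent=2))
```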