Skip to content

Detection Guide

V1D1AN edited this page Nov 13, 2021 · 15 revisions

The architecture of detection:

20210518_s1em_archi--detection


Detection with Sigma:

In the solution of S1EM, the sigma rules are automatically injected into Kibana.


Rules Sigma

With the work of Frack113 for Sigma, we have informations for the supervisors like the url of rule of sigma, or additional tags


Rules Sigma Example

For the example, i do a "Whoami":

Whoami exemple

I have the detection of my Whoami in the interface of Kibana:

detection

If you click on the analyzed icon of Kibana:

detection2

You have the full way of the "Whoami":

detection3

Now, if you want to send the alert to TheHive, you must select the alerts and click on "Selected alerts", select "Mark as acknowledged":

detection4

Your alert arrives in TheHive:

Alert_send_to_thehive

You can click on "Preview import" for see the alert:

Alert_thehive

Detection with Elastic Rules:

If you want to use the rule of elasticsearch, go to Kibana Interface.

Security >> Detections >> Manage Detection Rules >> Load Elastic prebuilt rules

Detection with Suricata:

With S1EM, the "suricata-rules.ndjson" in the folder sigma is imported into Elastic SIEM and you can have the detection of suricata:

Detection Suricata

If you click on the "Detection suricata", you have the detail of the rule:

Detection Suricata Details

Now, you have in Elastic SIEM, the alerts of "Suricata":

Detection Suricata Elastic SIEM

Detection with Indicator of compromise:

With S1EM, the "ioc-rules.ndjson" in the folder elastic is imported into Elastic SIEM and you can have the detection with the indicator of compromise from Misp:

Detection Ioc

Detection with Yara:

With S1EM, the "yara-rules.ndjson" in the folder elastic is imported into Elastic SIEM and you can have the detection with yara rules from Yara-rules (https://github.com/Yara-Rules/rules):

Yara

Detection with Clamav:

With S1EM, the "clamav-rules.ndjson" in the folder elastic is imported into Elastic SIEM and you can have the detection with clamav rules:

Clamav

Clone this wiki locally