
sigma rules integration #162

Open
mmguero opened this issue Mar 14, 2023 · 2 comments
Labels
enhancement (New feature or request), research (Research or proof-of-concept for an idea)

Comments

@mmguero
Collaborator

mmguero commented Mar 14, 2023

How could Malcolm integrate sigma?

Sigma:

Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.

Sigma is for log files what Snort is for network traffic and YARA is for files.

  • OpenSearch Security Analytics plugin uses Sigma. Malcolm actually includes this plugin just because it's part of OpenSearch, but we're not really doing anything with it.
  • I think Elastic SIEM does as well (?)
@mmguero added the "enhancement" (New feature or request) and "research" (Research or proof-of-concept for an idea) labels Mar 14, 2023
@mavam

mavam commented Mar 14, 2023

The current sigmac is going to be deprecated by the end of the year. If you start with this now, I would highly recommend going the pySigma route. That said, I don't know whether the Elasticsearch backend also supports OpenSearch.

You could also consider writing a transpiler, as we did in VAST.
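
A minimal transpiler of the kind mavam suggests, added here as an example (not code from this issue, Malcolm, pySigma or VAST): it takes the detection section of a Sigma rule and emits an OpenSearch `query_string` expression. The rule is a constructed one, embedded as the dict PyYAML would produce from its YAML so the snippet runs offline; the Zeek-style field names are placeholders, and only flat `and`/`or`/`not` conditions with the `contains`/`startswith`/`endswith` modifiers are handled, everything else being rejected rather than silently mistranslated.

```python
"""Minimal Sigma -> OpenSearch query_string transpiler (added example, not Malcolm's code)."""
# Constructed Sigma rule, shown as the dict PyYAML would produce from the rule's YAML.
# Field names are placeholders; Malcolm's actual field naming is not assumed here.
RULE = {
    "title": "HTTP POST from scripted user agent (constructed example)",
    "logsource": {"product": "zeek", "service": "http"},
    "detection": {
        "selection": {"user_agent|contains": ["curl", "python-requests"], "method": "POST"},
        "filter": {"id.resp_h|startswith": "10."},
        "condition": "selection and not filter",
    },
}

def _escape(value: str) -> str:
    """Escape query_string reserved characters so rule values stay literal."""
    return "".join("\\" + c if c in '+-=&|><!(){}[]^"~*?:\\/ ' else c for c in value)

def _field_clause(key: str, values) -> str:
    """Translate one `field|modifier: value(s)` item; a value list is an OR on one field."""
    field, _, modifier = key.partition("|")
    wrap = {"": "{}", "contains": "*{}*", "startswith": "{}*", "endswith": "*{}"}
    if modifier not in wrap:
        raise ValueError(f"unsupported Sigma modifier: {modifier}")
    if not isinstance(values, list):
        values = [values]
    terms = [f"{field}:{wrap[modifier].format(_escape(str(v)))}" for v in values]
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"

def search_identifier(selection: dict) -> str:
    """A Sigma map (selection, filter, ...) is an AND of all its field clauses."""
    return "(" + " AND ".join(_field_clause(k, v) for k, v in selection.items()) + ")"

def transpile(rule: dict) -> str:
    """Rewrite a flat `a and not b`-style condition; anything else (parentheses,
    `1 of them`, aggregations) is rejected instead of being mistranslated."""
    det = rule["detection"]
    ops = {"and": "AND", "or": "OR", "not": "NOT"}
    out = []
    for tok in det["condition"].split():
        if tok in ops:
            out.append(ops[tok])
        elif tok != "condition" and tok in det:
            out.append(search_identifier(det[tok]))
        else:
            raise ValueError(f"unsupported condition token: {tok}")
    return " ".join(out)

if __name__ == "__main__":
    print(transpile(RULE))
```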

@mmguero
Collaborator Author

mmguero commented Mar 14, 2023

Thanks for the suggestion!

Projects
Status: Todo (investigate)
Development

No branches or pull requests

2 participants