Sigma Rules

Most recent version: v0.0.1

PreviousDetection NextEnrichment

Last updated 21 days ago

Was this helpful?

Sigma Rules

Most recent version: v0.0.1

See the changelog of this Action type .

Note that this Action is only available in certain Tenants. if you don't see it and want to access it.

Overview

The Sigma Rules Action detects whether an event matches one or several . By evaluating Sigma rules inline on raw events, threats can be detected as logs are created.

This Action allows you to explicitly map these rule fields to the corresponding fields in your log schema.

Ports

These are the input and output ports of this Action:

Input ports

Default port - All the events to be processed by this Action enter through this port.

Output ports

Default port - All the events processed by the Action without errors will exit through this output, regardless of the result of the evaluation against the Sigma rules activated in the Action.
Positive port - Events matched against at least one of the Action's Sigma rules. The events will come out through this port bearing a new field (specified by the user) containing the full information about the match(es).
Negative port - Events that did not match against any of the Action's Sigma rules.
Error port - Events are sent through this port if an error occurs while processing them.

Configuration

To open the configuration, click the Action in the canvas and select Configuration.

Click Add rule to start configuring the required Sigma rules.

You'll see a list of all the available Sigma rules. Choose the one that you need to match your events against.

Configure the required rule fields and click Add Rule.

You'll see the rule in the Action configuration window. Activate it by switching on the toggle button next to it. Click Add rule if you need to add any other rules.

Finally, give a name to the field that will contain the detected threats.

Click Save to complete.

PreviousDetection NextEnrichment

Last updated 21 days ago

Was this helpful?