Sigma Rules

Most recent version: v0.0.1

See the changelog of this Action type here.

Overview

The Sigma Rules Action detects whether an event matches one or several Sigma rules. By evaluating Sigma rules inline on raw events, threats can be detected as logs are created.

Sigma rules refer to log fields by their own names, which may differ from the field names in your log schema. This Action allows you to explicitly map the fields used by each rule to the corresponding fields in your log schema.

Ports

These are the input and output ports of this Action:

Input ports
  • Default port - All the events to be processed by this Action enter through this port.

Output ports
  • Default port - All the events processed by the Action without errors will exit through this output, regardless of the result of the evaluation against the Sigma rules activated in the Action.

  • Positive port - Events that matched at least one of the Action's Sigma rules. These events exit through this port bearing a new field (named by the user) containing the full information about the match(es).

  • Negative port - Events that did not match any of the Action's Sigma rules.

  • Error port - Events are sent through this port if an error occurs while processing them.
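As an added illustration of the behaviour described above (not the product's own code), the following Python sketch evaluates a Sigma rule inline with an explicit field mapping and routes each event to the positive or negative port, tagging positives with a user-named match field. The rule, the field map, the log schema and the events are all constructed, and only a small subset of Sigma syntax is supported.

```python
# Constructed rule in the Sigma subset this matcher supports: selection maps, list
# values (OR), |contains/|startswith/|endswith modifiers, 'and' and 'not' conditions.
RULE = {
    "title": "Encoded PowerShell command line",
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe",
                      "CommandLine|contains": ["-enc ", "-EncodedCommand "]},
        "filter": {"ParentImage|endswith": "\\explorer.exe"},
        "condition": "selection and not filter",
    },
}
# Explicit mapping from Sigma field names to the fields of our own (assumed) log schema.
FIELD_MAP = {"Image": "process.path", "CommandLine": "process.cmdline",
             "ParentImage": "process.parent.path"}

def _value_matches(actual: str, expected: str, modifier: str) -> bool:
    a, e = actual.lower(), expected.lower()    # Sigma string matching is case-insensitive
    return {"contains": e in a, "startswith": a.startswith(e),
            "endswith": a.endswith(e)}.get(modifier, a == e)

def _selection_hits(selection: dict, event: dict) -> bool:
    for key, expected in selection.items():    # every field in a selection must match
        field, _, modifier = key.partition("|")
        actual = event.get(FIELD_MAP.get(field, field))   # rule field -> schema field
        values = expected if isinstance(expected, list) else [expected]
        if actual is None or not any(_value_matches(str(actual), str(v), modifier) for v in values):
            return False
    return True

def rule_matches(rule: dict, event: dict) -> bool:
    detection, result, negate = rule["detection"], True, False
    for token in detection["condition"].split():
        if token in ("and", "not"):            # 'or' is not part of this subset
            negate = token == "not"
            continue
        result = result and (_selection_hits(detection[token], event) != negate)
        negate = False
    return result

def route(rules: list, event: dict, match_field: str = "sigma_matches") -> tuple:
    # Returns (output port, event); positives carry the titles of the matching rules.
    hits = [r["title"] for r in rules if rule_matches(r, event)]
    return ("positive", {**event, match_field: hits}) if hits else ("negative", event)

EVENTS = [  # constructed events already expressed in our log schema
    {"process.path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "process.cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA",
     "process.parent.path": r"C:\Windows\System32\cmd.exe"},
    {"process.path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "process.cmdline": "powershell.exe -EncodedCommand QQBCAEMA",
     "process.parent.path": r"C:\Windows\explorer.exe"},   # suppressed by the filter
]
```

An event lacking a mapped field never satisfies a selection that requires it, so a schema field missing from the mapping sends the event to the negative port rather than raising an error.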

Configuration

1. Find Sigma Rules in the Actions tab (under the Detection group) and drag it onto the canvas. Link it to the required Listener and Data sink.

2. To open the configuration, click the Action in the canvas and select Configuration.

3. Click Add rule to start configuring the required Sigma rules.

4. You'll see a list of all the available Sigma rules. Choose the one that you need to match your events against.

5. Configure the required rule fields and click Add Rule.

6. You'll see the rule in the Action configuration window. Activate it by switching on the toggle button next to it. Click Add rule if you need to add any other rules.

7. Finally, give a name to the field that will contain the detected threats.

8. Click Save to complete.
