The first challenge is to understand and develop the function list of attack technology. This is usually a time-consuming task, because the attack must be replicated in a laboratory environment, and the log records specific to the attack must be identified in the log background noise. Some people in the threat intelligence community may like this signature, but its format is not compatible with the organization's SIEM. It is an error-prone task to convert queries with different query languages and different field names.
Another challenge is that many organizations store logs in different repositories. This may be due to mergers and acquisitions or an organization's strategy. It may also be due to technical reasons or simple licensing reasons, that is, only some logs are ingested into SIEM, and the rest enter the so-called data lake. Different log repositories mean that log signatures need to be written in different query languages.
Sigma is an open source project that tries to solve these challenges. It consists of three parts:
(1) The language specification of the universal Sigma rule format.
(2) Knowledge base containing more than 1000 attack technical rules.
(3) A tool to convert the suitable horse rules into various query formats.
It is all open source and can be found in the SigmaHQ GitHub organization. You can clone it locally using the following command line:
Git clone /SigmaHQ/pySigma.git
Let's take CVE's Horse Fit Rule -2020-0688 as an example (Figure 2). This is a recent Exchange server vulnerability, and threats will actively use it to gain a foothold in organizations hosting vulnerable Exchange instances. In different blog posts, the detection of attack attempts is described, which is the basis of the horse-fitting rule:
There are five parts to this rule:
1. metadata, including title, unique identifier and some further information, which allows analysts to put detection rules in context.
2. Log source definition, which binds the signature to the log, in this case, the web server log.
3. The detection rule itself is defined in the definition, which associates the log event field with a value specific to the attack attempt.
4. These tests are associated with a condition.
5. Finally, the rules contain some additional information, such as interesting event attributes, including events matched by the rules, known false positives, severity levels and Mittreat &; Link to CK tactics and techniques.
Figure 3 shows another suitable rule for another Exchange Server vulnerability CVE-202 1-26857.
The elements that make up the fitness rule are the same as the first example, but the detection logic is completely different. This rule describes a process creation event (1) triggered by Sysmon or many endpoint detection and response (EDR) products. The Unified Messaging worker process of Exchange server usually does not generate a process, except in the case of crash, which is defined in the detection rule and its condition (2).
Next, the sigma rules are transformed into the target query language by using sigma transformation tool. This tool can install pip:
Pip installation sigmatools
Or in the virtual Python environment, all the dependencies can be used from the cloned Sigma library with Pipenv:
Pipe shell
We assume that the result query should be used in SIEM based on elasticsearch, which uses ECS field naming scheme. This can be done by running the following command from the root directory of Sigma clone:
Tools /sigmac -t es-qs -c ecs-proxy? rules/web/web _ CVE _ 2020 _ 0688 _ ms exchange . yml
Parameter -t selects the back end of Sigma converter, which is responsible for converting rules into target query language. Back-end es-qs is converted into Elasticsearch query string, which can be pasted into Kibana. Parameter -c selects a configuration. Configure ECS -proxy to be provided with Sigma converter, and implement ECS naming scheme for proxy logs. The resulting query will be:
(http.request.method:"GET "and URL.original.keyword: (* \/ECP \/* or *\/owa\/*) and URL.original.keyword: * _ _ ViewState \ = *).
Now let's change the second rule. This time, we need some additional configuration to map the general log source process_creation to a specific log source. Suppose we are in an environment where Elasticsearch is used as SIEM and Sysmon is used as log source to create generated events for processes on endpoints. The conversion command is as follows:
tools/sigmac-t es-QS-c sysmon-c winlogbeat rules/windows/process _ creation/sysmon _ CVE _ 202 1 _ 26857 _ ms exchange . yml
The command line provides two configurations. Configure sysmon to correspond to a specific log source and event identifier. Winlogbeat maps the field names in the fitness rules to the ECS scheme used by winlogbeat. The result query is:
((winlog.event_id:" 1 "and winlog.channel:" Microsoft \-Windows \-sysmon \/operational ") and winlog.event_data. Parentimage.keyword: * umworkerprocess.exe and (NOT (winlog.event_data. Image.keyword:(*wermgr.exe or *WerFault.exe)))
In an environment where Windows audit logging is used, only a few command line parameters can be changed to convert the same rules of Splunk SIEM:
Tools/sigmac-tsplunk-cwindows-audit-csplunk-windows rules/windows/process _ creation/sysmon _ CVE _ 2021_ 26857 _ msexchange.yml
This leads to the following Splunk query:
((Event code = "4688" source = "WinEventlog: security") ParentProcessName = "* umworkmerprocess.exe" Not ((NewProcessName = "* wermgr.exe" or NewProcessName="*WerFault.exe ")))
Because the Sigma project is open source, it depends on contributions. The project is hosted on GitHub. You can provide new rules through the web interface by navigating to the target directory and adding new files:
SigmWiki contains a rule creation guide and a template that can be used to create new rules. Don't hesitate-before merging pull requests, you will check the rules, fix problems or make suggestions.
Feedback is also valuable, for example, if the detection rules lead to false positives under certain conditions, then feedback can open a question; Alternatively, if it has been actively used as a detection and can be confirmed as useful, a small pull request can change the state of the rule from the experimental state to the stable state. At present, most of the rules are still in the experimental stage, and there is still much room for improvement.
Another area where you can contribute is transformation tools. At present, a complete rewrite has been developed in pySigma library. In addition, the new CLI is under development, but has not yet been released. In the future, the backstage will be maintained as an independent project. Many backstage of Sigma converters need to be transplanted to psigma, or some backstage that are no longer maintained at present need to be maintained by someone.