SPARK uses Sigma rules in event log scanning.
Sigma is a rule format for threat detection in log files. Sigma is to log data what a Snort rule is to network traffic and a YARA signature is to file data. It is easy to write and read: a Sigma rule takes only a few minutes to write.

On the right, you can see a simple Sigma rule that checks the "System" event log for traces of password dumping activity (QuarksPwDump). The detection section contains one or more identifiers (here "selection" and "keywords"), which the rule author can define freely. These identifiers are then combined in the "condition" to form the actual detection logic.

The rule also contains a description, references, possible false positives and a severity level.

Analysts use Sigma to generate search queries for their SIEM or log management solution. The Sigma repository includes a converter that translates the generic rules into the query languages of common platforms such as Elasticsearch, Splunk, QRadar, LogPoint, Windows Defender ATP (WDATP) and ArcSight.

SPARK 1.14, which will be released at the end of July, goes one step further: it applies Sigma rules to the local event log. This way, a search that was defined once for the SIEM can also be applied to the event log of the local system.

This allows you to "query" stand-alone systems that are not connected to a SIEM and to cover other common blind spots in the environment.
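To make the rule structure described above concrete, here is an added example (not SPARK's or the Sigma project's code) of a minimal Sigma-style matcher: a rule written as a Python dict that mirrors the YAML layout (logsource, detection identifiers, condition), a scanner that evaluates the condition against local event records, and a tiny converter that renders the same rule as a generic SIEM search string. The rule content (EventID 16 and the HiveName pattern), the event records and the query syntax are constructed for illustration and are not taken from the original post; only the "and", "or", "not" and parenthesis forms of the condition are supported, not "1 of them" or "all of selection*".

```python
"""Minimal Sigma-style rule matcher and query renderer (added example, not SPARK or sigmac code)."""
import re
from fnmatch import fnmatchcase

# Constructed rule mirroring the YAML layout of a Sigma rule; field values are
# illustrative and may differ from the real QuarksPwDump rule.
RULE = {
    "title": "QuarksPwDump dump file (illustrative)",
    "logsource": {"product": "windows", "service": "system"},
    "detection": {
        "selection": {"EventID": 16, "HiveName": "*\\AppData\\Local\\Temp\\SAM*"},
        "keywords": ["quarkspwdump", "QuarksPwDump"],
        "condition": "selection or keywords",
    },
    "falsepositives": ["Unknown"],
    "level": "critical",
}

# Constructed local event records, as a scanner would read them from the System log.
EVENTS = [
    {"EventID": 16, "Channel": "System", "HiveName": "C:\\Users\\bob\\AppData\\Local\\Temp\\SAM-2019-07-01"},
    {"EventID": 16, "Channel": "System", "HiveName": "C:\\Windows\\System32\\config\\SYSTEM"},
    {"EventID": 7045, "Channel": "System", "ServiceName": "svc", "ImagePath": "C:\\Temp\\QuarksPwDump.exe"},
]

_TOKEN = re.compile(r"\(|\)|[A-Za-z_][A-Za-z0-9_]*")


def _value_matches(actual, pattern):
    """Sigma string matching: '*' and '?' wildcards, numbers compared as strings."""
    return actual is not None and fnmatchcase(str(actual), str(pattern))


def _identifier_matches(ident, event):
    """Dict identifier: AND over fields, OR over a list of values for one field.
    List identifier: keyword list, OR of case-insensitive substring hits over all values."""
    if isinstance(ident, dict):
        for field, pattern in ident.items():
            alternatives = pattern if isinstance(pattern, list) else [pattern]
            if not any(_value_matches(event.get(field), p) for p in alternatives):
                return False
        return True
    haystack = " ".join(str(v) for v in event.values()).lower()
    return any(str(k).lower() in haystack for k in ident)


def _eval_condition(tokens):
    """Recursive-descent evaluation of a token list of bools, 'and', 'or', 'not', '(' and ')'."""
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of condition")
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        value = parse_and()
        while peek() == "or":
            take()
            value = parse_and() or value  # always parse the right side, no short circuit
        return value

    def parse_and():
        value = parse_not()
        while peek() == "and":
            take()
            value = parse_not() and value
        return value

    def parse_not():
        if peek() == "not":
            take()
            return not parse_not()
        return parse_atom()

    def parse_atom():
        tok = take()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if isinstance(tok, bool):
            return tok
        raise ValueError("bad token %r" % (tok,))

    result = parse_or()
    if peek() is not None:
        raise ValueError("trailing tokens in condition")
    return result


def rule_matches(rule, event):
    """Resolve every identifier in the condition to a bool for this event, then evaluate."""
    detection = rule["detection"]
    tokens = []
    for tok in _TOKEN.findall(detection["condition"]):
        if tok in ("and", "or", "not", "(", ")"):
            tokens.append(tok)
        elif tok in detection and tok != "condition":
            tokens.append(_identifier_matches(detection[tok], event))
        else:
            raise ValueError("unsupported condition token: %r" % tok)
    return _eval_condition(tokens)


def scan_events(rule, events):
    """Apply the rule to a local event list; returns the indices of matching events."""
    return [i for i, ev in enumerate(events) if rule_matches(rule, ev)]


def to_query(rule):
    """Render the rule as a generic field:value search string (constructed syntax)."""
    detection = rule["detection"]
    parts = {}
    for name, ident in detection.items():
        if name == "condition":
            continue
        if isinstance(ident, dict):
            terms = []
            for field, pattern in ident.items():
                alternatives = pattern if isinstance(pattern, list) else [pattern]
                alts = " OR ".join('%s:"%s"' % (field, p) for p in alternatives)
                terms.append(alts if len(alternatives) == 1 else "(%s)" % alts)
            parts[name] = "(%s)" % " AND ".join(terms)
        else:
            parts[name] = "(%s)" % " OR ".join('"%s"' % k for k in ident)
    out = []
    for tok in _TOKEN.findall(detection["condition"]):
        out.append(parts.get(tok, tok.upper() if tok in ("and", "or", "not") else tok))
    return " ".join(out)


if __name__ == "__main__":
    print("matching events:", scan_events(RULE, EVENTS))
    print("query:", to_query(RULE))
```

The first event matches through "selection" (EventID 16 plus the HiveName wildcard), the third through "keywords" (the binary name appears in ImagePath), and the second matches neither; the rendered query is the same logic a SIEM converter would emit in its own dialect.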

We ship the current rule set from the public Sigma repository, which contains more than 200 rules, as part of our encrypted SPARK signature package (*.yms).

You can add your own Sigma rules to the "./custom-signatures/sigma/" folder in the SPARK program directory.

To activate Sigma scanning, use the new "-sigma" parameter.

At present, only SPARK supports this feature; there are no plans to implement it in THOR.

This feature is currently free for all users, but it may become a paid feature by the end of this year that has to be licensed separately, depending on the customer's plan.

For a complete overview of all features, please refer to the comparison table.