Threat Hunting and Response Using Sigma

Why does Securonix support Sigma formats?

Cybersecurity professionals must navigate an ever-changing landscape of threats that no individual security engineer or organization can handle alone. To succeed, security professionals must work together to identify and resolve threats as a community and agree on common languages to effectively communicate with each other.

Securonix is committed to supporting open data formats in our products. We understand how important sharing information is within the security community. Sigma is an open format we support in order to aid our customers in sharing indicators of compromise (IOC) and standard log formats. Our Sigma integrations affirm our commitment to being an open platform, as well as providing the resources necessary for customers to convert these rules in Sigma formats to our SearchMore capabilities.

A Brief Introduction to Sigma

Sigma provides a standard format for log events and creates a standard format for file threat IOCs. Sigma provides a common language for SIEM platforms and malware researchers to communicate. A Sigma rule is a YAML file with standardized sections and structured fields that all vendors utilize. These Sigma rules are then translated by the SIEM into the distinct SIEM language, with the most important part being the detection section which identifies the logic of the rule.

Below is an example of a Sigma rule that looks at the use case WHOAMI Privilege Escalation:

action: global

title: Whoami Execution

status: experimental

description: Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators

references:

– https://twitter.com/haroonmeer/status/939099379834658817

– https://twitter.com/c_APT_ure/status/939475433711722497

author: Florian Roth

date: 2018/05/22

tags:

– attack.discovery

– attack.t1033

detection:

condition: selection

falsepositives:

– Admin activity

– Scripts and administrative tools used in the monitored environment

level: high

logsource:

product: windows

service: sysmon

detection:

selection:

EventID: 1

CommandLine: whoami

logsource:

product: windows

service: security

definition: ‘Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation’

detection:

selection:

EventID: 4688

NewProcessName: ‘*\whoami.exe’

How does Securonix leverage Sigma to bolster security teams’ efforts?

Securonix translates Sigma rules into regex patterns that are run against live, raw data. The output is then ingested into Securonix to be used for correlation and alerting to aid security teams.

Below are the regex patterns from the same WHOAMI use case above:

grep -P ‘^(?:.*(?=.*1)(?=.*whoami))’

grep -P ‘^(?:.*(?=.*4688)(?=.*.*\whoami\.exe))’

 

For more information on the Securonix Next-Gen SIEM solution, request a demo today.