{"id":1543,"date":"2017-07-06T01:33:45","date_gmt":"2017-07-06T01:33:45","guid":{"rendered":"https:\/\/www.bsk-consulting.de\/?p=1543"},"modified":"2022-10-04T18:11:47","modified_gmt":"2022-10-04T16:11:47","slug":"the-best-possible-monitoring-with-sigma-rules","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2017\/07\/06\/the-best-possible-monitoring-with-sigma-rules\/","title":{"rendered":"The Best Possible Monitoring with Sigma Rules"},"content":{"rendered":"

[et_pb_section fb_built=”1″ admin_label=”section” _builder_version=”4.16″ global_colors_info=”{}” da_is_popup=”off” da_exit_intent=”off” da_has_close=”on” da_alt_close=”off” da_dark_close=”off” da_not_modal=”on” da_is_singular=”off” da_with_loader=”off” da_has_shadow=”on” da_disable_devices=”off|off|off”][et_pb_row admin_label=”row” _builder_version=”4.16″ background_size=”initial” background_position=”top_left” background_repeat=”repeat” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ custom_padding=”|||” global_colors_info=”{}” custom_padding__hover=”|||”][et_pb_text admin_label=”Text” _builder_version=”4.18.0″ background_size=”initial” background_position=”top_left” background_repeat=”repeat” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]Some of you may already have heard of Sigma<\/a>, a generic approach for signatures used in SIEM<\/a> systems. Its main purpose is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.
\nToday I would like to describe another use case that helps us build the best possible signatures for any application.
\nIn typical security monitoring projects, people integrate different log sources and threats\/use cases they want to monitor in these logs. The selection of the log sources is determined by importance, availability and operational requirements. The central question is:<\/p>\n

“What do I want to detect?”<\/p><\/blockquote>\n

There are several white papers and guides for the most common log sources like the Windows Eventlog. What you have to do is to read the documents, extract the interesting detection methods and define searches, panels and dashboards in your SIEM system. One of the main purposes of Sigma is to relieve you from this time consuming process. These public descriptions of detection methods are already part of Sigma or will be integrated by one of the contributors.
\nBut today I’d like to point out a different use case that is less obvious but very useful.<\/p>\n

The Best Possible Monitoring<\/h1>\n

Security analysts try to define useful searches and statistical analyses on the log data from all different log sources. They typically follow the public guides and create many different “failed logon” rules for all kinds of operating systems and applications.
\nBut what happens when start integrating log sources and types that are not covered by public guidelines?
\nThere are different approaches to this problem:<\/p>\n