{"id":16430,"date":"2023-03-24T13:51:57","date_gmt":"2023-03-24T12:51:57","guid":{"rendered":"https:\/\/www.nextron-systems.com\/?p=16430"},"modified":"2024-12-17T12:44:21","modified_gmt":"2024-12-17T11:44:21","slug":"demystifying-sigma-log-sources","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2023\/03\/24\/demystifying-sigma-log-sources\/","title":{"rendered":"Demystifying SIGMA Log Sources"},"content":{"rendered":"

[et_pb_section fb_built=”1″ _builder_version=”4.20.2″ _module_preset=”default” da_disable_devices=”off|off|off” global_colors_info=”{}” theme_builder_area=”post_content” da_is_popup=”off” da_exit_intent=”off” da_has_close=”on” da_alt_close=”off” da_dark_close=”off” da_not_modal=”on” da_is_singular=”off” da_with_loader=”off” da_has_shadow=”on”][et_pb_row column_structure=”1_2,1_2″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”1_2″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text admin_label=”Text” _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n

One of the main goals of Sigma as a project and Sigma rules specifically has always been to reduce the gap that existed in the detection rules space. As maintainers of the Sigma rule repository we’re always striving for reducing that gap and making robust and actionable detections accessible and available to everyone for free.<\/p>\n

Today we’re introducing a new contribution to the Sigma project called log-source guides<\/strong>. The idea behind it is to provide specific guides on configuring a system’s audit policies so that the system actually creates the logs needed by the rules. An adequate audit policy is a crucial dependency often overlooked when deploying Sigma rules.<\/p>\n

 <\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”1_2″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/03\/Screenshot-2023-03-24-at-13.55.58.png” title_text=”Screenshot 2023-03-24 at 13.55.58″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row admin_label=”SIGMA Logsource Section” _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_column type=”4_4″ _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”][et_pb_text _builder_version=”4.20.2″ _module_preset=”default” global_colors_info=”{}” theme_builder_area=”post_content”]<\/p>\n

SIGMA Log-Source<\/h2>\n

Before we delve deeper, Let’s take a step back and talk a bit about how the log-source<\/strong> attribute is used in Sigma rules.<\/p>\n

Every Sigma rule requires a section called log-source <\/strong>that indicates as the name suggests, the log source on which this detection will fire. A typical example would look like this:<\/p>\n

product: windows\ncategory: process_creation\n\n<\/pre>\n
The “product”<\/strong> indicates that this rules is targeting the “Windows”<\/strong> product and a specific category called “process_creation” <\/strong>is used to indicate that this rule is using “Process Creation”<\/strong> events. You can read the full explanation of every field in the specification<\/a><\/p>\n
To someone who isn’t familiar with Sigma or logging a couple of question will arise:<\/p>\n