Sigma rules explained: When and how to use them to log events

Read Time:1 Minute, 0 Second

A typical corporate network consists of hundreds or thousands of devices generating millions of lines of logs pouring in every minute. What can make it possible, then, for SOC and threat intel analysts to sift through all this flow of information efficiently and separate malicious activity from daily noise in an automated fashion?

This is where Sigma rules come in handy.

What are sigma rules?

Sigma rules are textual signatures written in YAML that make it possible to detect anomalies in your environment by monitoring log events that can be signs of suspicious activity and cyber threats. Developed by threat intel analysts Florian Roth and Thomas Patzke, Sigma is a generic signature format for use in SIEM systems. A prime advantage of using a standardized format like Sigma is that the rules are cross-platform and work across different security information and event management (SIEM) products. As such, defenders can use a “common language” to share detection rules with each other independent of their security arsenal. These Sigma rules can then be converted by SIEM products into their distinct, SIEM-specific language, while retaining the logic conveyed by the Sigma rule.

To read this article in full, please click here

Friday Squid Blogging: Cotton-and-Squid-Bone Sponge

Apps That Are Spying on Your Location

Cybercriminals Use Fake CrowdStrike Job Offers to Distribute Cryptominer

Slovakia Hit by Historic Cyber-Attack on Land Registry

Canadian man loses a cryptocurrency fortune to scammers – here’s how you can stop it happening to you

Medusind Breach Exposes Sensitive Patient Data

Fake PoC Exploit Targets Security Researchers with Infostealer

Smashing Security podcast #399: Honey in hot water, and reset your devices

Space Bears ransomware: what you need to know