SIGMA-detection-rules VS EVTX-to-MITRE-Attack

I am currently employed as a cyber analyst, and we've recently implemented an Endpoint Detection and Response (EDR) system. Upon closer inspection, I've observed that numerous events are not being flagged as alerts. This raises a crucial question: should I take the initiative to create custom rules to ensure these events are brought to our attention, or should I rely solely on the EDR's intrinsic capabilities to detect and classify threats? As a potential solution, I'm contemplating the implementation of rules based on Sigma, such as those available at the following repository: here. Your insights and experiences on the effectiveness of this approach would be greatly appreciated. Thank you for your time and assistance.

Depending on whether this is up your alley either look for a MSSP/MDR/Managed BlaBla provider or head on to - https://github.com/splunk/security_content - https://www.elastic.co/guide/en/security/current/prebuilt-rules.html - https://github.com/mdecrevoisier/SIGMA-detection-rules - https://github.com/Azure/Azure-Sentinel to get an idea of what to look for. MITRE ATT&CK and the related DETT&CT should serve as an additional eye opener. Ah yes - forgot the bible on log management from Anton Chuvakin in the above list.

Direct GitHub link bc ads. Like I commented last time I saw this project, I think it's a good starting point, but an important note: These mappings are 1:1. You should not limit your correlations to 1:1, but rather one ATT&CK term to many event IDs. Each technique can often be mapped to many, many different event IDs. And analysis / alerting on these events needs to be context aware, looking at other events before and after. When we approached this problem (mapping ATT&CK to detection logic) we realized there was almost never a scenario where event IDs could map 1:1 with the ATT&CK Matrix.

Source Github Link no ads.