sigma
Main Sigma Rule Repository (by Neo23x0)
detection-rules
Rules for Elastic Security's detection engine (by elastic)
Our great sponsors
sigma | detection-rules | |
---|---|---|
41 | 7 | |
7,624 | 1,774 | |
3.4% | 1.9% | |
9.8 | 9.7 | |
1 day ago | about 22 hours ago | |
Python | Python | |
GNU General Public License v3.0 or later | GNU General Public License v3.0 or later |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
sigma
Posts with mentions or reviews of sigma.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2023-07-05.
-
Sigma rules in real life
Sigma rules https://github.com/SigmaHQ/sigma its value, I get it. Here’s a post https://www.linkedin.com/posts/nasreddinebencherchali_detection-blueteam-sigma-activity-7104868070069817344-mn91?utm_source=share&utm_medium=member_desktop detailing that 31 Sigma rules from the Sigma repository are triggering on different stages of the attack as described here https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
-
Looking for feedback on a security-related project idea
Idea: A free and open-source web repository of Sigma detections where users can find, contribute, and suggest edits to detections. All user contributions will go through a StackExchange-style moderation queue. Built-in conversion from Sigma to the query language of your choice.
-
SOC SIEM Use Cases for First Internship
If you want more ideas/inspiration, or even just a starting point for baseline rule logic check out https://github.com/SigmaHQ/sigma https://github.com/SigmaHQ/sigma and look into the different rules folders there.
-
How do you actually threat hunt?
Agreed in general. But with stuff like SIGMA, I'd lean towards stuff should going into git. Better version control, your docs can be markdown and live right next to your threat library, you can strap on CI/CD (so you can deploy/run stuff as part of a pipeline). Confluence is a great start, but it doesn't scale well.
- Open Source SIEM Tools
-
Detection Engineering Source Websites
Have a look a sigma rules: https://github.com/SigmaHQ/sigma
- Scheduling query to look for whenever net group is ran.
- Scheduling querying that looks for anytime net group is ran.
-
3CX Customers suffering intrusions
Sigma: https://github.com/SigmaHQ/sigma/pull/4151/files Yara: https://github.com/Neo23x0/signature-base/blob/master/yara/gen\_mal\_3cx\_compromise\_mar23.yar source: https://twitter.com/cyb3rops/status/1641130326830333984?s=20
-
Any Suggestions On Creating A Detection Rule In Defender For CVE-2023-23397
I created a Defender Advanced Hunting query based of the Sigma rule https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml
detection-rules
Posts with mentions or reviews of detection-rules.
We have used some of these posts to build our list of alternatives
and similar projects. The last one was on 2022-04-27.
- KrbRelayUp detection [Sigma] - Service Creation via Local Kerberos Authentication
-
Hunt and Detect KrbRelayUp
Elastic rule: https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_kerberoasting_unusual_process.toml
-
Windows Security Logs
With regards to alerts, Elastic Security includes a ton of Windows focused detection rules, along with the ability to create custom rules for Windows Events (or any other source).
-
SIEM Test Cases
SIGMA SOCPrime Sigma Sigma Translator Elastic Rules Splunk Rules ThreatHunter Playbook iRedTeam Lolbas Atomic Red Team
- Identifies suspicious renamed COMSVCS.DLL Image Load, this DLL exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command line based detection in preparation for credential access.
-
I have an interview coming up this week for a IR/CSIRT role. Any tips on what to go over?
Go look at the new [Elastic Detection rules](https://github.com/elastic/detection-rules), find ways to talk about them. May favorite recent one is https://github.com/elastic/detection-rules/issues/1535
- Tool per riconoscimento di attacchi tramite log di server web
What are some alternatives?
When comparing sigma and detection-rules you can also consider the following projects:
Wazuh - Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
atomic-red-team - Small and highly portable detection tests based on MITRE's ATT&CK.
sysmon-config - Sysmon configuration file template with default high-quality event tracing
KrbRelayUp - KrbRelayUp - a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings).
security_content - Splunk Security Content
wazuh-ruleset - Wazuh - Ruleset
velociraptor - Digging Deeper....
OpenSIEM-Logstash-Parsing - SIEM Logstash parsing for more than hundred technologies
PrintNightmare
CVE-2021-1675 - CVE-2021-1675 Detection Info
HELK - The Hunting ELK
sigma vs Wazuh
detection-rules vs atomic-red-team
sigma vs sysmon-config
detection-rules vs KrbRelayUp
sigma vs atomic-red-team
detection-rules vs security_content
sigma vs wazuh-ruleset
sigma vs velociraptor
sigma vs OpenSIEM-Logstash-Parsing
sigma vs PrintNightmare
sigma vs CVE-2021-1675
sigma vs HELK