<— Back

Streamlining Threat Detections by Operationalizing Sigma into SIEM / MITRE CAR Detections Automatically

Streamlining Community Sourced Threat Detections by Operationalizing Sigma into SIEM Detections Automatically Submission Orientation: Defensive Security Live Demos: Yes. We would like to demonstrate how our tool can automatically convert sigma detections into SIEM queries. In this demonstration, we would like to take a sigma file which we have pre-emptively created and convert it into an SIEM query via our tool. We would then like to take the SIEM query generated and run it on the target SIEM to check for matches. We would also like to showcase the AWS Lambda implementation of the above tool, which allows one to run the tool as an API endpoint, allowing seamless integrations with other security technology verticals such as SOAR etc.

While there are different SIEMs being used by different organizations, knowledge transfer has become difficult for organizations sharing detections for the same type of attacks. To solve this, sigma was introduced which allowed one to share the detection without having to bind it to a query language. But SIEMs today are not able to readily ingest Sigma detections as search queries but rather require a custom search query Eg: Lucene, Splunk search processing language, Devo LINQ etc. In this talk, we show our research where we have been able to engineer a tool to convert Sigma queries to SIEMs and a methodology to streamline detections across community sourced detections into actionable SIEM queries