Zeek & Sigma: Fully Compatible for Cross-SIEM Detections

By Alex Kirk, Corelight Global Principal for Suricata

Corelight recently teamed up with SOC Prime, creators of advanced cyber analytics platforms, to add support for the entire Zeek data set into Sigma, the only generic signature language that enables cross-SIEM detections from a single toolset. Generally available as of last month, this addition is compatible with the entire existing Sigma signature base for network detections, enabling a large number of existing detections immediately. 

For those unfamiliar with the Sigma project, it is self-described as a “universal format for searching logs and data. Just as Snort rules are for network traffic and YARA is for files, Sigma is to databases and SIEMs.” Created in 2017, Sigma has steadily picked up steam, with integration and usage points ranging from Microsoft Azure and Joe Sandbox to SANS and MISP.
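To make the "universal format" idea concrete, here is an added illustration that is not code from this post, from Corelight, or from the Sigma project: a hypothetical Sigma-style rule expressed over Zeek dns.log fields, together with a small matcher that implements a subset of Sigma's detection semantics (field equality, the `contains`/`startswith`/`endswith` modifiers, and conditions built from `and`/`not`). The rule, the Zeek JSON log lines, and the IP addresses are constructed for the example; in practice the same rule would be converted by Sigma's tooling into each SIEM's native query language rather than evaluated by a hand-written matcher.

```python
import json

# Constructed Zeek dns.log records in Zeek's JSON output format (flat keys such as
# "id.orig_h"). These are made-up events, not captured traffic.
ZEEK_DNS_LINES = [
    '{"ts":1600000000.1,"uid":"CAbc1","id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.53",'
    '"id.resp_p":53,"proto":"udp","query":"www.example.com","qtype_name":"A"}',
    '{"ts":1600000001.2,"uid":"CAbc2","id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.53",'
    '"id.resp_p":53,"proto":"udp","query":"update.example-bad.xyz","qtype_name":"A"}',
    '{"ts":1600000002.3,"uid":"CAbc3","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.53",'
    '"id.resp_p":53,"proto":"udp","query":"scanner.example-bad.xyz","qtype_name":"A"}',
]

# Hypothetical Sigma rule, written as the Python equivalent of its YAML form:
#   logsource: {product: zeek, service: dns}
#   detection:
#     selection: {query|endswith: '.xyz'}
#     filter:    {id.orig_h: '10.0.0.5'}     # constructed allow-listed host
#     condition: selection and not filter
RULE = {
    "title": "DNS query for a .xyz domain (illustrative example rule)",
    "logsource": {"product": "zeek", "service": "dns"},
    "detection": {
        "selection": {"query|endswith": ".xyz"},
        "filter": {"id.orig_h": "10.0.0.5"},
        "condition": "selection and not filter",
    },
}


def field_matches(event, key, expected):
    """One Sigma field test: 'name' or 'name|modifier' against one value or a list (OR)."""
    name, _, modifier = key.partition("|")
    if name not in event:
        return False
    actual = str(event[name]).lower()  # Sigma string matching is case-insensitive
    candidates = expected if isinstance(expected, list) else [expected]
    for value in candidates:
        value = str(value).lower()
        if modifier == "" and actual == value:
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "startswith" and actual.startswith(value):
            return True
        if modifier == "endswith" and actual.endswith(value):
            return True
    return False


def selection_matches(event, selection):
    """All fields inside one named selection must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def condition_holds(event, detection):
    """Evaluate conditions of the shape 'a', 'a and b', 'a and not b', ...
    (a small subset of Sigma's condition grammar; no 'or', parentheses or wildcards)."""
    result = True
    negate = False
    for tok in detection["condition"].split():
        if tok == "and":
            continue
        if tok == "not":
            negate = True
            continue
        value = selection_matches(event, detection[tok])
        if negate:
            value = not value
            negate = False
        result = result and value
    return result


def run_rule(rule, lines):
    """Return the uids of the Zeek events the rule fires on."""
    hits = []
    for line in lines:
        event = json.loads(line)
        if condition_holds(event, rule["detection"]):
            hits.append(event["uid"])
    return hits


if __name__ == "__main__":
    print(RULE["title"], "->", run_rule(RULE, ZEEK_DNS_LINES))
```

Running it flags only `CAbc2`: the first event does not end in `.xyz`, and the third is excluded by the `filter` selection for the allow-listed host, which is the typical shape of a Sigma rule (a broad `selection` narrowed by one or more `filter` blocks).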

“People have been doing detection in their SIEMs for years now, but the number of third-party signatures that they could use has always been limited by whether people have written something for their specific SIEM technology,” said Nate Guagenti, a core rule and backend contributor to the Sigma project. “Sigma is all about bridging that gap, and letting people focus on detecting bad stuff instead of worrying about query syntax.”  

Since Corelight’s user base sends data into a variety of different SIEM technologies, Sigma is a natural fit for us. While we strive to make our content as cross-SIEM compatible as possible, the complexity of translating detection content using Corelight and/or other data sources across a dozen or more SIEMs is considerable, and can dramatically slow the process of getting detection insight into our users’ hands. Allowing Sigma to do much of that work for us should dramatically improve time-to-market, a critical factor in defeating adversaries on the network, as we bring more detection to our user base.

Of course, Sigma rules are just one of multiple new detection capabilities Corelight is focusing on. We announced earlier this month the inclusion of the well-respected Suricata IDS in our platform, directly integrated with our existing Zeek data for extremely rapid and highly automatable event resolution. We’ve also begun pouring resources into durable, protocol-level detections in Zeek scripts, with our Encrypted Traffic Collection, and work already in progress on more great content for our next release. 

Releasing detection content that works from multiple angles goes to a central reality of the modern SOC: no two setups are the same, with different toolsets, workflows, coverage gaps, and even different types of adversaries to fight off. By giving defenders multiple places and methods to do detections, we help them increase the chances that they’ll find attackers on their network early on, before real damage can be done.

Going forward, users can expect to see contributions from Corelight to the existing Sigma signature base, including through the SOC Prime Threat Detection Marketplace, a commercially supported community for Sigma signatures. Since contributions from the community are the lifeblood of open source, we would encourage others in the space to consider contributing to this worthy project as well. In the meantime, happy hunting to all the network defenders out there!

This is a Security Bloggers Network syndicated blog from Bright Ideas Blog authored by Alex Kirk.