Now to set where to search.

If you missed last week's post, take a look at some of the metadata fields used in Sigma rules.

The logsource section of a Sigma rule describes the log data to which the detection is meant to be applied.

The schema of the logsource field in the Sigma YAML is as follows:

logsource:
   category [optional]
   product [optional]
   service [optional]
   definition [optional]

The definition attribute can be used to describe the logsource in free text, including information on the log verbosity level or configurations that have to be applied for the rule to work.

To be more specific about the logsource, a rule can use one or more of the following three attributes.

  • category:
    • used to select all log files written by a certain group of products, like firewalls or web server logs.
    • e.g. firewall, web, antivirus
  • product:
    • used to select all log outputs of a certain product, e.g. all Windows Eventlog types including “Security”, “System”, “Application” and the new log types like “AppLocker” and “Windows Defender”.
    • e.g. windows, apache, check point fw1
  • service:
    • used to select only a subset of a product’s logs, like the “sshd” on Linux or the “Security” Eventlog on Windows systems.
    • e.g. sshd, applocker

Let’s look at an example:

logsource:
  product: windows
  service: powershell
  definition: Standard Windows logging

Instead of referring to particular services, generic log sources may be also used, e.g.:

logsource:
  product: windows
  category: process_creation
  definition: Standard Windows logging

The logsource field is used by converters to ensure the right logs are targeted in a search, making the search more efficient because it is not run over the entirety of your log data.
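To show how a converter turns the logsource into a search scope, here is an added example (not code from the Sigma project or from SIEM Rules) that resolves the two logsources above against a small mapping table; the table layout and the index, source and EventCode values in it are constructed placeholders, and the "no mapping found" check is the caveat a practitioner wants, since an unmapped logsource would otherwise fall back to searching everything.

```python
"""Resolve a Sigma logsource to a backend search scope, the way a converter does.

The mapping table below is a constructed stand-in for a converter's backend
configuration; the index/source names in it are placeholders, not real settings.
"""
from typing import Dict, List

# Each entry names the logsource attributes it matches on and the backend
# conditions it contributes. Matching on more attributes means more specific.
LOGSOURCE_MAP: List[Dict] = [
    {"match": {"product": "windows"},
     "conditions": {"index": "winlogs"}},
    {"match": {"product": "windows", "service": "powershell"},
     "conditions": {"source": "WinEventLog:Microsoft-Windows-PowerShell/Operational"}},
    {"match": {"product": "windows", "category": "process_creation"},
     "conditions": {"source": "WinEventLog:Microsoft-Windows-Sysmon/Operational",
                    "EventCode": "1"}},
    {"match": {"product": "linux", "service": "sshd"},
     "conditions": {"index": "linux", "sourcetype": "sshd"}},
]


def resolve_scope(logsource: Dict[str, str]) -> Dict[str, str]:
    """Merge the conditions of every entry whose attributes all appear in the
    logsource, least specific first so a more specific entry can override."""
    applicable = [e for e in LOGSOURCE_MAP
                  if all(logsource.get(k) == v for k, v in e["match"].items())]
    if not applicable:
        # Refuse rather than silently searching all log data.
        raise LookupError(f"no logsource mapping for {logsource}")
    applicable.sort(key=lambda e: len(e["match"]))
    scope: Dict[str, str] = {}
    for entry in applicable:
        scope.update(entry["conditions"])
    return scope


def scope_to_query(scope: Dict[str, str]) -> str:
    """Render the scope as a search prefix of AND-ed key="value" pairs."""
    return " ".join(f'{k}="{v}"' for k, v in sorted(scope.items()))


if __name__ == "__main__":
    # The two logsources from the post above.
    for ls in ({"product": "windows", "service": "powershell"},
               {"product": "windows", "category": "process_creation"}):
        print(scope_to_query(resolve_scope(ls)))
```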

Now it’s time to write the detection content for the conversion… but I’ll leave that until next week.
