Now to set where to search.
If you missed last week's post, take a look at some of the metadata fields used in Sigma rules.
The logsource section of a Sigma rule describes the log data on which the detection is meant to be applied.
The schema of the logsource field in the Sigma YAML is as follows:

```yaml
logsource:
    category [optional]
    product [optional]
    service [optional]
    definition [optional]
```
The definition attribute can be used to describe the logsource, including some information on the log verbosity level or configurations that have to be applied.
To be more specific about the logsource, a rule can use one or more of the following three attributes:
- category - used to select all log files written by a certain group of products, like firewalls or web server logs. Examples: firewall, web, antivirus
- product - used to select all log outputs of a certain product, e.g. all Windows Eventlog types including "Security", "System", "Application" and the new log types like "AppLocker" and "Windows Defender". Examples: windows, apache, check point fw1
- service - used to select only a subset of a product's logs, like the "sshd" on Linux or the "Security" Eventlog on Windows systems. Examples: sshd, applocker
Let's look at an example:

```yaml
logsource:
    product: windows
    service: powershell
    definition: Standard Windows logging
```
Instead of referring to particular services, generic log sources may also be used, e.g.:

```yaml
logsource:
    product: windows
    category: process_creation
    definition: Standard Windows logging
```
The logsource field is used by converters to ensure the right logs are targeted in a search, which makes the search more efficient because it is not scanning the entirety of your log files.
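As an added example (not code from the original post or from the Sigma project), the following Python sketches what a converter does with the logsource section: it parses the flat block out of the rule text, validates it against the schema above, and looks up the product/category/service combination in a mapping table to produce the scope of a Splunk-style search. The LOGSOURCE_MAP table, the query strings, the sample rules and all function names are assumptions chosen for the illustration; real converters such as sigma-cli keep such mappings in their own backend and pipeline configuration.

```python
"""Added example, not the Sigma project's code: how a converter turns a
rule's logsource section into the scope of a backend search. Mapping table,
query syntax and function names are assumptions made for this illustration."""

# The four keys the logsource schema allows, and the three that select logs.
# 'definition' is documentation for humans and never feeds the search.
ALLOWED_KEYS = {"category", "product", "service", "definition"}
SELECTOR_KEYS = ("product", "category", "service")

# Constructed mapping table: (product, category, service) -> search scope.
# None means "not constrained", so a rule naming only product and service
# still matches an entry that leaves category unset.
LOGSOURCE_MAP = {
    ("windows", None, "powershell"):
        'index=winevent source="WinEventLog:Microsoft-Windows-PowerShell/Operational"',
    ("windows", "process_creation", None):
        'index=winevent source="WinEventLog:Security" EventCode=4688',
    ("linux", None, "sshd"):
        "index=syslog program=sshd",
}


def parse_logsource(rule_text):
    """Parse only the flat 'logsource:' block out of Sigma rule text.
    The block is a flat map of scalars, so a few lines suffice here; load
    complete rules with a real YAML parser such as PyYAML."""
    logsource = {}
    block_indent = None
    for raw in rule_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if block_indent is None:
            if line.strip() == "logsource:":
                block_indent = indent
            continue
        if indent <= block_indent:
            break  # left the logsource block
        key, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError(f"malformed logsource line: {line!r}")
        logsource[key.strip()] = value.strip()
    if block_indent is None:
        raise ValueError("rule has no logsource section")
    return validate_logsource(logsource)


def validate_logsource(logsource):
    """Reject keys outside the schema and rules that select no logs at all."""
    unknown = set(logsource) - ALLOWED_KEYS
    if unknown:
        raise ValueError(f"unknown logsource keys: {sorted(unknown)}")
    if not any(k in logsource for k in SELECTOR_KEYS):
        raise ValueError("logsource needs at least one of product/category/service")
    return logsource


def match_logsource(logsource):
    """Return the backend search scope for a logsource, or raise KeyError.
    Failing loudly matters: silently searching everything would be slow and
    would hide the fact that the needed logs are not being collected."""
    wanted = tuple(logsource.get(k) for k in SELECTOR_KEYS)
    for entry, scope in LOGSOURCE_MAP.items():
        if all(e is None or e == w for e, w in zip(entry, wanted)):
            return scope
    raise KeyError(f"no logsource mapping for {logsource}")


def search_scope(rule_text):
    """Rule text in, search scope out."""
    return match_logsource(parse_logsource(rule_text))


# Constructed rule fragments mirroring the two logsource examples above.
POWERSHELL_RULE = """\
title: Example PowerShell rule
logsource:
    product: windows
    service: powershell
    definition: Standard Windows logging
detection:
    condition: selection
"""

PROCESS_CREATION_RULE = """\
title: Example process creation rule
logsource:
    product: windows
    category: process_creation
    definition: Standard Windows logging
"""

if __name__ == "__main__":
    for rule in (POWERSHELL_RULE, PROCESS_CREATION_RULE):
        print(search_scope(rule))
```

The definition attribute is carried through the parse but never influences the scope, which is exactly its role: it records what logging has to be enabled for the rule to be useful. A logsource with no mapping raises instead of falling back to an unscoped search, because a rule deployed against logs you do not collect produces no detections, and a search without a scope is the slow search over everything that the logsource section exists to avoid.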
Now it’s time to write the detection content for the conversion… but I’ll leave that until next week.