ThreatConnect now supports Sigma Signatures! As a quick refresher, Sigma is a generic and open signature format for SIEM systems. It allows you to describe relevant log events straightforwardly. The rule format is very flexible, easy to write, and applicable to any log file type. This project’s primary purpose is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others. Sigma means to be an open standard in which such detection mechanisms can be defined, shared, and collected to improve everyone’s detection capabilities.
We understand the need to standardize signature formats, now let’s explore a few ways that Sigma can get incorporated into your security org.
- Describe your detection method in Sigma to make it shareable within your organization and the wider community
- Write your SIEM searches in Sigma to avoid a vendor lock-in, down the road you may need to migrate SIEM’s and by converting to Sigma, you avoid a messy migration process
- Share the signature in the appendix of your analysis along with IOCs and YARA rules
- Share signatures with analysts from other organizations via the Common Community, this allows you to share Signatures even though you may not have the same exact technology stack
- Provide Sigma signatures for malicious behavior in your own application
ThreatConnect’s support for Sigma Signatures will help you to increase collaboration, prevent vendor lock-in, and overall, improve your detection capabilities. If you’re a ThreatConnect customer, please reach out to your dedicated Customer Success Team. If you’re not yet a customer and are interested in ThreatConnect and Sigma Signatures, contact us at firstname.lastname@example.org.