Comments (8)
@mavam Agreed. I don't want to convert the pattern at all. I want to use the native Sigma backend. Since both of these projects are Python there is no reason we can't just load the backend and use it for the translation phase. We then execute the other 4 phases using the existing code modules and get STIX out the other side.
Sigma correlations is still a bit unproven to me; no one really uses it and content is extremely sparse in the community. I haven't seen many backends properly supporting it.
from stix-shifter.
Hi Andras - I have been thinking about ways we might be able to support Sigma in the project. In theory it could be an output format, but I am not sure what the query destination would be.
The main problem with Sigma of course is as I stated in the README - it is SIEM / logs only. We're reaching beyond just SIEM.
@iglocska If you or the MISP team have thoughts on how we could go about this, I would love your input, as supporting Sigma via some kind of method would be valuable. I am just unsure how to proceed.
Also let us know if there are other things in the project that MISP has input on WRT consumption. Feel free to either reach out or open Github issues. I have the idea to perhaps make a MISP expansion module to illustrate how it can be useful.
I would like to see SIGMA be an option for query. Specifically the "detection" section. Response part can remain in STIX since SIGMA doesn't handle it. Best of both worlds.
We're currently working on this in VAST. Our goal is to accept Sigma and STIX Patterns transparently by compiling either representation into a canonical query.
A direct translation of Sigma rules into STIX patterns might be feasible, but not the other way around, e.g., due to the FOLLOWED BY and WITHIN operators. I've noticed how SEKOIA.IO shifted away from STIX patterns and now implements Sigma correlations. Sigma without correlations can be expressed by STIX patterns, but Sigma with correlations cannot.
Bottom line: it's probably not going to be effective to attempt a conversion between the two. We're facing the usual problem in infosec land: lack of standardization.
I don't want to convert the pattern at all. I want to use the native Sigma backend. Since both of these projects are Python there is no reason we can't just load the backend and use it for the translation phase. We then execute the other 4 phases using the existing code modules and get STIX out the other side.
That approach makes sense to me. With a multi-backend strategy, as it is inherently with STIX-Shifter, using the native Sigma library for translation makes the most sense. You have the rest already.
Sigma correlations is still a bit unproven to me, no one really uses it
Yeah, it's too early to bank on it. But this enhancement also deprecated some aggregation functionality that used to exist within "legacy Sigma." So as of today, the utility of Sigma without correlations is there from a point of standardization, but not from a point of expressiveness.
That's more an issue with Sigma than with STIX-Shifter, though. 🙂
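The thread makes two claims worth seeing in code: a Sigma rule without correlations can be compiled into a STIX pattern (the "translation phase" above), while a correlation rule or the legacy `| count() by ...` aggregation it replaced has no STIX pattern equivalent. The following is an added illustration, not code from stix-shifter, pySigma or any Sigma backend; the `FIELD_MAP` from Sigma field names to STIX 2.1 object paths, the three rules and every function name are constructed for this example. It keeps Sigma's case-insensitive, `*`-wildcard string semantics by emitting anchored `MATCHES '(?i)...'` tests rather than the case-sensitive `=` or `LIKE`, and pushes a negated selection down with De Morgan because STIX only allows `NOT` on a single comparison, not on a parenthesized group.

```python
import re

# Assumed mapping from Sigma (Windows process_creation) field names to STIX 2.1
# SCO object paths. Illustrative only; a real connector's to-STIX mapping differs.
FIELD_MAP = {
    "Image": "process:binary_ref.name",
    "ParentImage": "process:parent_ref.binary_ref.name",
    "CommandLine": "process:command_line",
    "User": "process:creator_user_ref.account_login",
}

# Constructed Sigma rule, shown as the dict a YAML loader would produce.
SIGMA_RULE = {
    "title": "Discovery commands spawned from cmd.exe",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\cmd.exe",
                      "CommandLine|contains": ["whoami", "net user"]},
        "filter": {"User|startswith": "NT AUTHORITY"},
        "condition": "selection and not filter",
    },
}

# Constructed Sigma v2 correlation rule: an event count over a time window.
CORRELATION_RULE = {
    "title": "Many failed logons from one source",
    "correlation": {"type": "event_count", "rules": ["failed_logon"],
                    "group-by": ["IpAddress"], "timespan": "5m",
                    "condition": {"gte": 10}},
}

# Constructed rule in the legacy aggregation syntax that correlations replaced.
LEGACY_AGGREGATION_RULE = {
    "detection": {"selection": {"EventID": 4625},
                  "condition": "selection | count() by IpAddress > 10"},
}

def _regex_for(value, modifier):
    """Sigma matches strings case-insensitively and treats '*' as a wildcard;
    STIX '=' and LIKE are case-sensitive, so emit an anchored (?i) regex."""
    body = ".*".join(re.escape(part) for part in str(value).split("*"))
    if modifier == "contains":
        return f"(?i)^.*{body}.*$"
    if modifier == "startswith":
        return f"(?i)^{body}.*$"
    if modifier == "endswith":
        return f"(?i)^.*{body}$"
    if modifier == "":
        return f"(?i)^{body}$"
    raise NotImplementedError(f"unsupported Sigma modifier: {modifier}")

def _stix_string(s):
    # STIX string literals escape backslash and single quote with a backslash.
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"

def _selection_to_stix(selection, negate):
    # Fields of a selection are ANDed, values of one field are ORed. When the
    # selection is negated, De Morgan swaps the joins and NOT goes on each test.
    value_join, field_join = (" AND ", " OR ") if negate else (" OR ", " AND ")
    op = "NOT MATCHES" if negate else "MATCHES"
    field_exprs = []
    for key, raw in selection.items():
        field, _, modifier = key.partition("|")
        if "|" in modifier:
            raise NotImplementedError(f"chained modifiers not handled: {key}")
        path = FIELD_MAP[field]
        values = raw if isinstance(raw, list) else [raw]
        comps = [f"{path} {op} {_stix_string(_regex_for(v, modifier))}" for v in values]
        field_exprs.append(comps[0] if len(comps) == 1 else "(" + value_join.join(comps) + ")")
    return field_exprs[0] if len(field_exprs) == 1 else "(" + field_join.join(field_exprs) + ")"

_TOKEN = re.compile(r"\(|\)|[\w*]+|\S")

def _parse_condition(text):
    """Recursive-descent parser for 'a and (b or not c)' conditions into tuples."""
    if "|" in text:  # legacy '| count() by ...' aggregation: no STIX equivalent
        raise NotImplementedError("aggregation conditions are not expressible as STIX patterns")
    tokens, pos = _TOKEN.findall(text), 0
    def peek(): return tokens[pos] if pos < len(tokens) else None
    def take():
        nonlocal pos
        tok = peek(); pos += 1; return tok
    def expr():
        node = term()
        while peek() == "or":
            take(); node = ("or", node, term())
        return node
    def term():
        node = factor()
        while peek() == "and":
            take(); node = ("and", node, factor())
        return node
    def factor():
        tok = take()
        if tok == "not":
            return ("not", factor())
        if tok == "(":
            node = expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return node
        if tok is None or tok in ("and", "or", "of", "all", ")") or tok.isdigit() or "*" in tok:
            raise NotImplementedError(f"unsupported condition construct near {tok!r}")
        return ("id", tok)
    node = expr()
    if peek() is not None:
        raise ValueError(f"trailing tokens in condition: {tokens[pos:]}")
    return node

def _node_to_stix(node, named, negate=False):
    kind = node[0]
    if kind == "id":
        return _selection_to_stix(named[node[1]], negate)
    if kind == "not":
        return _node_to_stix(node[1], named, not negate)
    join = " AND " if (kind == "and") != negate else " OR "   # De Morgan on groups
    return "(" + join.join(_node_to_stix(c, named, negate) for c in node[1:]) + ")"

def translate(rule):
    """Compile a correlation-free Sigma rule into a STIX 2.1 observation expression."""
    if "correlation" in rule:
        raise NotImplementedError("Sigma correlation rules have no STIX pattern equivalent")
    detection = rule["detection"]
    named = {k: v for k, v in detection.items() if k != "condition"}
    return "[" + _node_to_stix(_parse_condition(detection["condition"]), named) + "]"

def is_stix_expressible(rule):
    try:
        translate(rule)
        return True
    except NotImplementedError:
        return False

if __name__ == "__main__":
    print(translate(SIGMA_RULE))
    for r in (CORRELATION_RULE, LEGACY_AGGREGATION_RULE):
        print(r.get("title", "legacy aggregation"), "expressible:", is_stix_expressible(r))
```

The `FIELD_MAP` is the piece a connector would supply per data source (it plays the role of stix-shifter's mapping files), and it is also where a translation silently loses fidelity: a Sigma field with no SCO property has nowhere to go. The `(?i)` regexes are the cost of honouring Sigma's case-insensitive matching in a pattern language whose equality is case-sensitive; a backend that emits `=` instead will miss `WHOAMI.EXE`.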