Today I wanted to do a quick blog post on how to use the tool Sigma to create Elastalert rules, for alerting purposes for your Elastic Stack instance.
Sigma
So, first things first, what is Sigma? According to the official Github site, “Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.” In practice this means you write one detection (say, one that looks for WMI event subscriptions), put it in a YAML file, and that same rule can be converted into Kibana, Splunk or Elastalert queries. It prevents vendor lock-in.
“Sigma is for log files what Snort is for network traffic and YARA is for files.”
Elastalert
Now what is Elastalert? According to the official Github site, “ElastAlert is a simple framework for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch.”
Installation and Rule Making
- Install using pip
- sudo pip3 install sigmatools
- Clone repository with git
- git clone https://github.com/Neo23x0/sigma.git
- cd into the sigma directory and create your first Elastalert rule from the repository's built-in Windows rules
- cd sigma/
- sudo sigmac -t elastalert -c winlogbeat rules/windows/sysmon/sysmon_wmi_susp_scripting.yml > elastalert_sysmon_wmi_susp_scripting.ym
- Here is what your rule will look like.
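To show what sigmac is doing under the hood when it turns a Sigma rule into an Elastalert rule, here is a small converter added for this post. It is not the Sigma project's sigmac and covers only a subset of the rule grammar: a selection written as a map or a list of maps, the |contains, |startswith and |endswith modifiers, and conditions built from and, or and not (no parentheses). The winlogbeat field mapping (EventID to winlog.event_id, everything else under winlog.event_data.*) and the Elastalert keys it emits are assumptions, and the sample rule is constructed for the example rather than taken from the Sigma repository.

```python
"""Tiny Sigma -> Elastalert converter (added example, not the Sigma project's sigmac)."""
import json
import re

# Assumed winlogbeat-style field mapping: EventID lands in winlog.event_id,
# every other Sigma field is assumed to sit under winlog.event_data.<Field>.
FIELD_MAP = {"EventID": "winlog.event_id"}
# Assumed mapping of Sigma 'level' to Elastalert 'priority' (1 = most urgent).
PRIORITY = {"critical": 1, "high": 2, "medium": 3, "low": 4}


def map_field(name):
    """Map a Sigma field name to the Elasticsearch field it is assumed to land in."""
    return FIELD_MAP.get(name, f"winlog.event_data.{name}")


def render_value(value):
    """Render one value for a Lucene query_string: keep Sigma wildcards (* and ?)
    and escape every other special character, or quote values with no wildcards."""
    s = str(value)
    if "*" in s or "?" in s:
        return re.sub(r'([+\-=&|!(){}\[\]^"~:\\/ ])', r"\\\1", s)
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_item(field_spec, value):
    """Render 'Field|modifier: value-or-list' as a single Lucene field clause."""
    field, _, modifier = field_spec.partition("|")
    values = value if isinstance(value, list) else [value]
    if modifier == "contains":
        values = [f"*{v}*" for v in values]
    elif modifier == "startswith":
        values = [f"{v}*" for v in values]
    elif modifier == "endswith":
        values = [f"*{v}" for v in values]
    elif modifier:
        raise ValueError(f"unsupported Sigma modifier: {modifier}")
    rendered = [render_value(v) for v in values]
    # a list of values is an OR inside the field clause
    clause = rendered[0] if len(rendered) == 1 else "(" + " OR ".join(rendered) + ")"
    return f"{map_field(field)}:{clause}"


def render_selection(selection):
    """A map is an AND of its fields; a list of maps is an OR of those maps."""
    if isinstance(selection, list):
        return "(" + " OR ".join(render_selection(m) for m in selection) + ")"
    parts = [render_item(k, v) for k, v in selection.items()]
    return parts[0] if len(parts) == 1 else "(" + " AND ".join(parts) + ")"


def render_condition(condition, detection):
    """Resolve a condition such as 'selection and not filter' into one query string.
    Precedence: 'not' binds tightest, then 'and', then 'or'."""
    or_terms = []
    for and_group in re.split(r"\s+or\s+", condition.strip()):
        and_terms = []
        for term in re.split(r"\s+and\s+", and_group):
            negate = term.startswith("not ")
            name = term[4:].strip() if negate else term.strip()
            if name not in detection:
                raise KeyError(f"condition references unknown search identifier: {name}")
            query = render_selection(detection[name])
            and_terms.append(f"NOT {query}" if negate else query)
        or_terms.append(" AND ".join(and_terms))
    return or_terms[0] if len(or_terms) == 1 else " OR ".join(f"({t})" for t in or_terms)


def sigma_to_elastalert(rule, index="winlogbeat-*"):
    """Build an Elastalert 'any' rule whose filter is the rendered query_string."""
    detection = rule["detection"]
    query = render_condition(detection["condition"], detection)
    return {
        "name": rule["title"],
        "description": rule.get("description", ""),
        "index": index,
        "type": "any",
        "filter": [{"query": {"query_string": {"query": query}}}],
        "priority": PRIORITY.get(rule.get("level", "medium"), 3),
        "alert": ["debug"],  # swap for email/slack/... in a real deployment
    }


# Constructed sample rule: the parsed form of a Sigma YAML file, kept as a dict so
# the example runs without PyYAML. It flags Sysmon event ID 20 (WMI event consumer
# activity) with a script or command-line consumer type, ignoring deletions.
SAMPLE_RULE = {
    "title": "WMI Event Consumer Creation (constructed sample)",
    "description": "Sysmon EventID 20 with a script or command-line consumer",
    "level": "high",
    "logsource": {"product": "windows", "service": "sysmon"},
    "detection": {
        "selection": {"EventID": 20, "Type|contains": ["ActiveScript", "CommandLine"]},
        "filter": {"Operation": "Deleted"},
        "condition": "selection and not filter",
    },
}

if __name__ == "__main__":
    # JSON is valid YAML, so this output can be saved as-is as an Elastalert rule file
    print(json.dumps(sigma_to_elastalert(SAMPLE_RULE), indent=2))
```

Running the script prints the generated rule; the interesting part is the single query_string filter, where the selection map became an AND, the value list became an OR, and the not filter became a NOT clause, which is the same shape sigmac produces for the real sysmon rule above.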
So that concludes this post, thank you for reading and until next time…
Happy Hunting,
Marcus