Trevor Miller

@Cyb3r_Detect0r

6 Tweets 9 reads Jan 06, 2023
My team recently converted our entire detection library to #SIGMA and created a wiki around it!
We are an MSSP & platform-agnostic, meaning we have a version of a rule for pretty much every SIEM & EDR platform there is, and...
🧵1/3
Img: @fr0gger_
keeping all versions of rules in separate git repos was confusing to the SOC and made finding info about a detection hard.
Now we have a one repo in a single language, with a wiki containing rule info like goal, investigation tips, prebuilt queries, references, FPs, etc.
🧵2/3
We are still solutioning how we are going to track translation and deployment to each platform and client. @NotionHQ seems to be the frontrunner for that endeavor.
🧵3/3
@reg_reginald_ Even with the progress we made, after doing testing we discovered that most rules would still need to be translated by hand because sigmac is not reliable. We are going to reassess when pysigma becomes more prominent. 2/2
@reg0bs @fr0gger_ ...helps me learn the product. By the time we have translated all of the rules, I have practically read all the documentation twice with enough hands-on to lock in what I learned.
2/3
@reg0bs @fr0gger_ My team chose not to have each person specialize in a specific platform and instead be a leader for specific clients, allowing us to focus and truly understand an environment and develop closer relationships with client security teams.
3/3
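The thread describes keeping every detection as a Sigma rule in one repo, with a wiki page per rule built from fields like goal, references and FPs. The script below is an added example (not the author's or the team's tooling) of a repo lint that checks each rule carries the metadata such a wiki needs before it is accepted; it reads only top-level Sigma keys with a small hand-rolled parser so it needs no PyYAML, and the sample rule, its id and the URL are constructed placeholders.

```python
"""Lint a Sigma rule for the metadata a detection wiki page draws on.

Constructed example. Assumes standard Sigma top-level keys; nested maps
(logsource, detection) are skipped, and only '- item' lists are read.
"""
import re

# Wiki sections map onto these Sigma fields: goal -> description,
# FPs -> falsepositives, references -> references, severity -> level.
REQUIRED = ("title", "id", "description", "references", "falsepositives", "level")

SAMPLE_RULE = """\
title: Suspicious Service Installation
id: 00000000-0000-0000-0000-000000000000
status: experimental
description: Detects creation of a service with a suspicious binary path.
references:
  - https://example.invalid/wiki/service-install
logsource:
  product: windows
  service: system
detection:
  selection:
    EventID: 7045
  condition: selection
falsepositives:
  - Legitimate software installers
level: medium
"""

def parse_top_level(text):
    """Return {key: scalar or list} for top-level keys; nested maps become []."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key_match = re.match(r"^([A-Za-z_]+):\s*(.*)$", line)
        if key_match:
            current = key_match.group(1)
            value = key_match.group(2).strip()
            fields[current] = value if value else []  # empty value: list or nested map
            continue
        item = re.match(r"^\s+-\s+(.*)$", line)
        if item and current and isinstance(fields[current], list):
            fields[current].append(item.group(1).strip())
        # any other indented line belongs to a nested map and is ignored here
    return fields

def missing_fields(fields):
    """Required keys that are absent or empty (a wiki page would have a hole)."""
    return [key for key in REQUIRED if not fields.get(key)]

def lint_rule(text):
    """Lint one rule; returns whether it passes plus the missing keys."""
    fields = parse_top_level(text)
    missing = missing_fields(fields)
    return {"ok": not missing, "missing": missing, "fields": fields}

if __name__ == "__main__":
    print(lint_rule(SAMPLE_RULE))
```

Run it over every `.yml` in the rule repo as a pre-commit or CI step so a rule cannot land without the fields its wiki page is generated from.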
