The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.
The Windows Security - User Activity Sigma Rules content pack is a collection of Sigma rules selected from SOC Prime's Threat Detection Marketplace. The rules in this pack focus on Windows security threats that arise from end-user actions, and they are configured to work directly with the existing Windows Illuminate content.
When you enable this content pack, these rules appear on the Sigma Rules page, Security > Sigma Rules. By default, new rules are disabled. You can select which rules to enable for your environment.
Requirements
- Graylog 6.0.0
- Graylog Security license to access Sigma rules
- Microsoft Windows Security content pack
Stream Configuration
This content pack uses one stream:
- Illuminate:Windows Security Event Log Messages
What is Provided
This content pack includes 38 Sigma rules:
- Critical threat level: 1 rule
- High threat level: 26 rules
- Medium threat level: 11 rules
Each rule includes remediation steps, which display if an alert is triggered based on the Sigma rule. See Apply Search Filters and Remediation Steps for details.
Configure Sigma Rules
When you enable this content, the new Sigma rules are added to the Sigma Rules page in Graylog. Follow the steps below to enable rules and configure alerts.
- Enable your chosen Sigma rules on the Sigma Rules page (Security > Sigma Rules).
Hint: To find the Sigma rules added by this content pack, search for Illuminate. All the rules from this pack have titles that begin with Illuminate – Windows Security. To enable an inactive Sigma rule, click the toggle in the Enabled column.
Hint: Be sure to review the alerts before enabling them. Each enabled rule can carry a performance cost, depending on your network configuration.
- Update rules if necessary. Some rules can generate many false positives and should be adjusted. Click the rule title to open the edit window, where you can review the rule definition and other options. Note that not all options are editable; in particular, the rule definition cannot be changed in place.
If you need to update the rule definition, first clone the rule (select Clone from the More menu). In the cloned rule, you can update any of the fields and options, including the rule definition.
See Sigma Rules for complete information about creating and working with Sigma rules.
- Edit and update the event definition, if necessary. Each Sigma rule has a matching event definition, found on the Event Definitions tab of the Alerts page. For each Sigma rule you enable, review its matching event definition. You can add search filters or alerts as well as custom fields.
Hint: When you enable a Sigma rule, its event definition is enabled by default. You can disable the event and any defined alert on the Event Definition page without disabling the Sigma rule. See Manage Illuminate Events for more information.
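The second step above says that a noisy rule should be cloned and its definition adjusted. The following added example (not code from the Graylog documentation or from the Illuminate content pack) shows what that adjustment looks like at the level of a Sigma detection block and what it does to alert volume. The rule, the `svc-provisioning` account name and the Windows Security events are all constructed for illustration; the rule is modelled as Python dictionaries that mirror Sigma's `detection` layout (named selections plus a `condition`), and a small evaluator runs the original and the tuned clone over the same sample events.

```python
"""Tuning a Sigma-style rule to reduce false positives.

Added example, not part of the Graylog documentation or of the Illuminate
content pack. Rules are plain dictionaries shaped like a Sigma `detection`
block; events are constructed Windows Security log records.
"""
from typing import Dict, List

Event = Dict[str, object]

# Constructed sample events. Field names follow the Windows Security event log
# (EventID 4720 = user account created, 4624 = logon); all values are invented.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 4720, "SubjectUserName": "jdoe", "TargetUserName": "contractor01"},
    {"EventID": 4720, "SubjectUserName": "svc-provisioning", "TargetUserName": "newhire42"},
    {"EventID": 4720, "SubjectUserName": "svc-provisioning", "TargetUserName": "newhire43"},
    {"EventID": 4624, "SubjectUserName": "jdoe", "LogonType": 2},
    {"EventID": 4720, "SubjectUserName": "asmith", "TargetUserName": "helpdesk-tmp"},
]

# The rule as it might ship: alert on every account creation. This fires for
# the automated provisioning account too, which is the false-positive source.
ORIGINAL_RULE = {
    "title": "User Account Created (constructed example)",
    "detection": {
        "selection": {"EventID": 4720},
        "condition": "selection",
    },
}

# The cloned, tuned copy: an extra named selection excludes the provisioning
# account, referenced from the condition with `and not` as Sigma does.
TUNED_RULE = {
    "title": "User Account Created - tuned clone (constructed example)",
    "detection": {
        "selection": {"EventID": 4720},
        "filter_provisioning": {"SubjectUserName": "svc-provisioning"},
        "condition": "selection and not filter_provisioning",
    },
}


def match_selection(selection: Dict[str, object], event: Event) -> bool:
    """Sigma selection semantics: every field must match; a list value matches any element."""
    for field, expected in selection.items():
        actual = event.get(field)
        if isinstance(expected, list):
            if actual not in expected:
                return False
        elif actual != expected:
            return False
    return True


def evaluate_condition(condition: str, detection: Dict[str, object], event: Event) -> bool:
    """Evaluate a Sigma condition string over named selections.

    Supports `and`, `or` and `not` without parentheses. Precedence follows
    Sigma: `not` binds tightest, then `and`, then `or`.
    """
    tokens = condition.split()
    pos = 0

    def parse_or() -> bool:
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            rhs = parse_and()          # always parsed so `pos` keeps advancing
            value = value or rhs
        return value

    def parse_and() -> bool:
        nonlocal pos
        value = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not() -> bool:
        nonlocal pos
        if tokens[pos] == "not":
            pos += 1
            return not parse_not()
        name = tokens[pos]
        pos += 1
        return match_selection(detection[name], event)

    return parse_or()


def rule_matches(rule: Dict[str, object], event: Event) -> bool:
    detection = rule["detection"]
    return evaluate_condition(detection["condition"], detection, event)


def run_rule(rule: Dict[str, object], events: List[Event]) -> List[Event]:
    """Return the events that would raise an alert under this rule."""
    return [e for e in events if rule_matches(rule, e)]


if __name__ == "__main__":
    for rule in (ORIGINAL_RULE, TUNED_RULE):
        hits = run_rule(rule, SAMPLE_EVENTS)
        print(f"{rule['title']}: {len(hits)} alert(s)")
        for hit in hits:
            print("   ", hit)
```

Running the script shows the original rule alerting on all four account creations and the tuned clone alerting only on the two performed by interactive users. The filter is deliberately narrow (one named service account), because a broad exclusion would also suppress the genuinely unusual creations the rule exists to surface; that is the trade-off to weigh each time a rule is adjusted in the cloned copy.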