The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.
The Windows Sigma Rules content pack is a collection of Sigma rules selected from TruKno's Threat Detection Marketplace. The rules in this content pack are focused on Windows security threats. They are configured to work directly with existing Windows Illuminate content like Windows, Windows Security, Sysmon and PowerShell.
When you enable this content pack, these rules appear on the Sigma Rules page in the Security interface. By default, new rules are disabled. You can select which rules to enable for your environment.
For best performance and accurate detection, enable at least one of the Windows content packs listed under Requirements alongside this Sigma ruleset; the rules are written against the fields that content provides.
Requirements
- Graylog 6.1+
- Graylog Security license
- Windows, Windows Security, Sysmon, and/or PowerShell content pack
Stream Configuration
This content pack uses the stream category:
- "windows_logs"
What is Provided
This content pack includes 77 Sigma rules:
- Critical threat level: 0 rules
- High threat level: 58 rules
- Medium threat level: 16 rules
- Low threat level: 3 rules
Each rule includes remediation steps, which display if an alert is triggered based on the Sigma rule. See Apply Search Filters and Remediation Steps for details.
Configure Sigma Rules
When you enable this content, the new Sigma rules are added to the Sigma Rules page in Graylog. Follow the steps below to enable rules and configure alerts.
- Enable your chosen Sigma rules on the Sigma Rules page (Security > Sigma Rules).
  Hint: To find the Sigma rules added by this content pack, search for Illuminate. All the rules from this pack have titles that begin with Illuminate – Windows-TruKno. To enable an inactive Sigma rule, click the toggle in the Enabled column.
  Hint: Review each rule before enabling it. Every enabled rule adds a performance cost, which depends on your environment and log volume.
- Update rules if necessary. Some rules can produce many false positives and should be tuned. Click the rule title to open the edit window, where you can review the rule definition and other options. Note that not all options are editable, and the rule definition itself is read-only for rules shipped by the pack.
  If you need to change the rule definition, first clone the rule (select Clone from the More menu). In the cloned rule you can update any of the fields and options, including the rule definition.
  See Sigma Rules for complete information about creating and working with Sigma rules.
- Edit and update the event definition, if necessary. Each Sigma rule has a matching event definition, found on the Event Definitions tab of the Alerts page. For each Sigma rule you enable, review the matching event definition. You can add search filters, notifications, and custom fields.
  Hint: When you enable a Sigma rule, its event definition is enabled by default. You can disable the event and any defined notification on the Event Definition page without disabling the Sigma rule. See Manage Illuminate Events for more information.
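The usual way to tune a noisy rule after cloning it is to add a filter selection that excludes a known-benign source and reference it in the condition. The rule below is an added illustration written for this page, not one of the 77 rules in the pack and not Graylog's or TruKno's code: the title, the matched strings, the excluded script path, and the false-positive note are all assumptions chosen to show the pattern. It uses standard Sigma syntax (logsource, detection selections, a `condition` expression), which is what the cloned rule's definition field accepts.

```yaml
# Added example: a tuned clone of a hypothetical Windows process-creation rule.
# The "filter_known_admin_script" block is the tuning; everything else is the
# shape a typical Windows Sigma rule takes.
title: Windows - PowerShell Download Cradle (tuned clone, example)
status: experimental
description: >
    Detects PowerShell started with a WebClient download cradle in its command
    line, excluding one assumed-benign administrative script.
logsource:
    product: windows
    category: process_creation        # maps to Sysmon EID 1 / Security 4688 via Illuminate
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains|all:
            - 'Net.WebClient'
            - 'DownloadString'
    # Assumed benign source added during tuning: a scheduled admin script that
    # legitimately downloads content. Replace with the path seen in your own
    # false positives; keep it as specific as possible.
    filter_known_admin_script:
        CommandLine|contains: '\Scripts\CorpPatchRunner.ps1'
    condition: selection and not filter_known_admin_script
falsepositives:
    - Administrative scripts that download content with Net.WebClient (assumed)
level: high
```

Keep the exclusion narrow (a full path or a specific parent process rather than a bare word), and record the reason in `falsepositives` so the next reviewer can see why the clone differs from the original rule.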