From Sigma to Scale: Enhancing SIEM Detection Engineering in Cloud Environments

Background: Security tooling needs maintenance like anything else, and the need grows as the environment scales. Whichever strategy you choose, detection engineers should review the environment at least every six months to find assets whose logs are not reaching the SIEM. At the same time, detections deployed to the cloud need to be managed without manual drift, and the overall health of the SIEM itself (ingestion, rule load, rules that fail to run) needs to be kept under watch.

Strategies for cloud to enhance your detection:

  1. In the first strategy, you need a root layer obtained from your cloud provider: a service account at the subscription level, or another out-of-the-box identity that can reach all your assets. Scope that identity to what the pipeline actually needs (read on the asset inventory, write on the SIEM's rule API) rather than granting it broad management rights. One layer down sits a Sigma collection, responsible for transforming detection rules into a syntax your SIEM understands. In the action layer you query the SIEM for its current components, gather the names of all currently deployed detection rules, and correlate them with the Sigma collection to identify rules that are not yet deployed. Each new rule is then transformed into the SIEM's syntax and deployed.

  2. In the second strategy, the same rules are converted from Sigma into the target syntax ahead of time and stored in a platform such as a version control system, together with a delivery mechanism (typically a CI/CD pipeline) that pushes a changed rule to the appropriate destination. Every deployed rule is then reviewable and revertible through the repository history.
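As an added example (not the article's code, and not a real pySigma backend), the following Python script implements the action layer of the first strategy and the conversion step of the second: it takes the rule names the SIEM reports as deployed, diffs them against the Sigma collection, converts the missing rules into a simplified Splunk-style search and produces a deploy plan; it also flags deployed rules that no longer exist in the collection, which is the kind of gap the periodic review is meant to catch. Everything in it is constructed: the two Sigma rules (shown as the dicts that yaml.safe_load would return for their .yml files, with made-up ids), the deployed-rule list, the LOGSOURCE_MAP index mapping, and the toy modifier handling, which only covers plain values plus the contains/startswith/endswith modifiers with flat and/or/not conditions.

```python
# Added example, not code from the article. Reconciles a Sigma collection
# with the rules a SIEM already has deployed, converts the missing ones and
# emits a deploy plan. All data below is constructed; the conversion is a
# toy stand-in for a real pySigma backend and processing pipeline.

# Constructed sample collection: two rules as yaml.safe_load returns them.
SIGMA_COLLECTION = [
    {
        "title": "Encoded PowerShell Command Line",
        "id": "0f1b5a3e-1111-4c2d-9a00-000000000001",
        "logsource": {"product": "windows", "category": "process_creation"},
        "detection": {
            "selection": {
                "Image|endswith": "\\powershell.exe",
                "CommandLine|contains": ["-enc", "-EncodedCommand"],
            },
            "filter": {"ParentImage|endswith": "\\explorer.exe"},
            "condition": "selection and not filter",
        },
        "level": "high",
    },
    {
        "title": "Sign-in From Anonymised IP",
        "id": "0f1b5a3e-1111-4c2d-9a00-000000000002",
        "logsource": {"product": "azure", "service": "signinlogs"},
        "detection": {
            "selection": {"riskEventTypes": "anonymizedIPAddress"},
            "condition": "selection",
        },
        "level": "medium",
    },
]

# Constructed sample: rule names returned by the SIEM's rule inventory API.
DEPLOYED_RULE_NAMES = ["Encoded PowerShell Command Line", "Old Brute Force Rule"]

# Constructed assumption: how each Sigma logsource maps onto SIEM indices.
LOGSOURCE_MAP = {
    ("windows", "process_creation"): "index=sysmon EventCode=1",
    ("azure", "signinlogs"): 'index=azure sourcetype="azure:signin"',
}


def find_new_rules(collection, deployed_names):
    """Rules present in the collection but not yet deployed (keyed on title)."""
    deployed = set(deployed_names)
    return [rule for rule in collection if rule["title"] not in deployed]


def find_stale_rules(collection, deployed_names):
    """Deployed rule names that no longer exist in the collection."""
    titles = {rule["title"] for rule in collection}
    return [name for name in deployed_names if name not in titles]


def _quote(value: str) -> str:
    # Escape for a double-quoted Splunk string literal.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _field_clause(field: str, value) -> str:
    """Render one 'Field|modifier: value(s)' entry; list values are OR-ed."""
    name, _, modifier = field.partition("|")
    values = value if isinstance(value, list) else [value]
    wildcard = {"": "{}", "contains": "*{}*", "startswith": "{}*", "endswith": "*{}"}
    if modifier not in wildcard:
        raise ValueError(f"unsupported modifier {modifier!r} on field {name}")
    rendered = [f"{name}={_quote(wildcard[modifier].format(v))}" for v in values]
    return rendered[0] if len(rendered) == 1 else "(" + " OR ".join(rendered) + ")"


def _selection_clause(selection: dict) -> str:
    clauses = [_field_clause(f, v) for f, v in selection.items()]
    return clauses[0] if len(clauses) == 1 else "(" + " AND ".join(clauses) + ")"


def convert_rule(rule: dict) -> str:
    """Toy Sigma -> Splunk-style conversion for flat 'a and not b' conditions."""
    detection = rule["detection"]
    parts = []
    for token in detection["condition"].split():
        if token.lower() in ("and", "or", "not"):
            parts.append(token.upper())
        elif token != "condition" and token in detection:
            parts.append(_selection_clause(detection[token]))
        else:
            raise ValueError(f"unsupported condition token {token!r}")
    source = rule["logsource"]
    key = (source.get("product"), source.get("category") or source.get("service"))
    return f"{LOGSOURCE_MAP[key]} {' '.join(parts)}"


def build_deploy_plan(collection, deployed_names):
    """Convert every not-yet-deployed rule into what the action layer pushes."""
    return [
        {"name": rule["title"], "sigma_id": rule["id"], "level": rule["level"],
         "query": convert_rule(rule)}
        for rule in find_new_rules(collection, deployed_names)
    ]


if __name__ == "__main__":
    for item in build_deploy_plan(SIGMA_COLLECTION, DEPLOYED_RULE_NAMES):
        print(f"DEPLOY {item['name']} [{item['level']}]: {item['query']}")
    for name in find_stale_rules(SIGMA_COLLECTION, DEPLOYED_RULE_NAMES):
        print(f"REVIEW {name}: deployed but missing from the Sigma collection")
```

In a real pipeline the collection is read from the repository on disk, the deployed list comes from the SIEM's rule API, and the conversion is done by sigma-cli (sigma convert -t <backend>) or the pySigma library with a processing pipeline that supplies the index mapping instead of LOGSOURCE_MAP. Correlate on the Sigma id rather than the title wherever the SIEM lets you store it in the rule's metadata: titles get edited, ids do not, so an id-based diff will not redeploy a renamed rule as a new one and leave the old copy behind.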

Sigma Universal Language: Sigma was created as a vendor-neutral detection language for environments that run more than one SIEM, since each SIEM understands only its own query syntax. Rules are written in a simple YAML format and converted to each target's syntax by a converter, which makes the work considerably more convenient. For more information, refer to the documentation.

Conclusion: Sigma rules have very powerful potential, especially when combined with cloud components, and they can make cybersecurity engineers' work more convenient.