
sigma rules on HELK

Open nugnugrawk opened this issue 5 years ago • 8 comments

How do I implement and activate Sigma rules on HELK? Can you give me tutorials about implementing Sigma rules on HELK? Thank you

nugnugrawk avatar Oct 12 '20 08:10 nugnugrawk

Hey @nugnugrawk ! We are currently working on updating helk-elastalert to handle sigma rules for HELK.

Cyb3rWard0g avatar Nov 18 '20 05:11 Cyb3rWard0g

Does this mean that currently the Sigma rule can't be used on the helk?

nugnugrawk avatar Nov 18 '20 05:11 nugnugrawk

Hey @nugnugrawk ! Sigma can be used directly in the Kibana interface if you translate the sigma rule to the right syntax. We use helk-elastalert to automate the execution of the query.

Cyb3rWard0g avatar Nov 18 '20 06:11 Cyb3rWard0g

You can use https://uncoder.io/ to do the translation


Cyb3rWard0g avatar Nov 18 '20 06:11 Cyb3rWard0g

One issue with that of course is that the translation uses ECS standardization. Make sure you use the right field names with HELK.

Cyb3rWard0g avatar Nov 18 '20 06:11 Cyb3rWard0g

> You can use https://uncoder.io/ to do the translation

After translating the Sigma rules to ECS like this, how do you then use them in HELK so they appear in elastalert_status?

nugnugrawk avatar Nov 18 '20 08:11 nugnugrawk

I see "after translating the sigma rules to ECS like this, then how do you use them in HELK to appear on the elastalert_status?" has not been answered. Can you recommend how to do this?

FrancescoFaenzi avatar Sep 27 '21 14:09 FrancescoFaenzi

@FrancescoFaenzi add your Sigma rule to the rules folder, or within the Docker container by getting into it via `sudo docker exec -ti helk-elastalert bash`

neu5ron avatar Sep 28 '21 02:09 neu5ron
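As an added example (not code from the HELK project or from anyone in this thread), this script takes a Sigma rule that uncoder.io has already translated to an Elasticsearch `query_string`, rewrites the ECS field names to the names HELK indexes, and wraps the result as a minimal elastalert rule that can be dropped into the rules folder. The ECS-to-HELK field mapping, the `logs-endpoint-winevent-sysmon-*` index pattern and the sample query are assumptions; check them against your own HELK index pattern in Kibana.

```python
"""Remap ECS field names in a Sigma-derived query to HELK's and emit an
elastalert rule. Added example; mapping and index are assumptions."""
import json
import re

# Constructed sample mapping: ECS names (as emitted by uncoder.io) -> the
# field names this example assumes HELK's Sysmon index uses. Verify each
# entry against your HELK index pattern before relying on it.
ECS_TO_HELK = {
    "event.code": "event_id",
    "process.name": "process_name",
    "process.command_line": "process_command_line",
    "process.parent.name": "process_parent_name",
    "process.parent.command_line": "process_parent_command_line",
}

# A Lucene field name: starts a token and is immediately followed by ':'.
# Escaped colons inside values (e.g. C\:\\Windows) are not preceded by a
# bare name char run ending at ':' and so are left alone.
_FIELD_RE = re.compile(r"(?<![\w.])([A-Za-z_][\w.]*)(?=:)")


def remap_query(query: str, mapping=ECS_TO_HELK) -> str:
    """Rewrite mapped field names; refuse dotted (ECS-looking) names with
    no HELK equivalent so a rule never silently matches nothing."""
    unmapped = []

    def swap(match):
        name = match.group(1)
        if name in mapping:
            return mapping[name]
        if "." in name:  # looks like ECS but is not in our mapping
            unmapped.append(name)
        return name

    out = _FIELD_RE.sub(swap, query)
    if unmapped:
        raise ValueError(f"no HELK mapping for: {sorted(set(unmapped))}")
    return out


def build_rule(name: str, helk_index: str, ecs_query: str) -> dict:
    """Minimal elastalert 'any' rule; es_host/es_port come from the global
    config in helk-elastalert. JSON is valid YAML, so dump it as a .yaml."""
    return {
        "name": name,
        "type": "any",
        "index": helk_index,
        "filter": [{"query": {"query_string": {"query": remap_query(ecs_query)}}}],
        "alert": ["debug"],
    }


if __name__ == "__main__":
    sample = "(event.code:1 AND process.command_line:*whoami*)"  # constructed
    print(json.dumps(build_rule("whoami-via-sysmon", "logs-endpoint-winevent-sysmon-*", sample), indent=2))
```

Once the rule file is in the rules folder, elastalert picks it up on its next rule reload and the run shows up in the `elastalert_status` index.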