How to use Sigma correlations

Open alexpwns opened this issue 3 years ago • 5 comments

I was reading through the wiki and noticed this line, "Aggregations in the condition are deprecated and will be replaced with Sigma correlations.", but can't seem to find any additional information on how to use Sigma correlations. Is there any additional info on Sigma correlations?

alexpwns avatar Jul 14 '21 23:07 alexpwns

https://onedrive.live.com/view.aspx?resid=3454E59DF98D7D65!7485&ithint=file%2cdocx&authkey=!ADb97TgRX9Fr4xQ

BALROG3 avatar Aug 04 '21 13:08 BALROG3

Any update on what is going on with Correlations? The provisional spec is approaching two years old... will it ever be mainline?

JasonKeirstead avatar Feb 08 '22 01:02 JasonKeirstead

Some already get value apparently: https://blog.sekoia.io/improving-threat-detection-with-sigma-correlations/

samgbell avatar Apr 28 '22 09:04 samgbell

Should this be closed? Correlations seem not to be marked provisional anymore.

JasonKeirstead avatar May 17 '22 15:05 JasonKeirstead

So, did they get rid of the idea behind correlations? I still haven't seen a working example. I tried creating my own, similar to the blog article, but I just get an error when Sigma can't find a detection section in the rule. Then if I add one, a condition is needed, and when I do that, I just get three distinct rules and no actual correlation.

ratfink417 avatar May 28 '22 00:05 ratfink417
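Since nobody in this thread posts a working rule, here is an added example (not from this issue, the linked blog post, or the Sigma project's own rule set) written in the correlation format of the later Sigma specification v2, the one pySigma implements; the provisional document linked above may differ in syntax. It assumes Windows Security event 4625 with the fields TargetUserName and IpAddress, and all rule ids are placeholders.

```yaml
# Added example, not from this thread: the base rule and the correlation rules
# are separate YAML documents in one file, separated by "---". Ids are placeholders.
title: Failed logon
name: failed_logon                          # referenced by the correlations below
id: 00000000-0000-0000-0000-000000000001
status: experimental
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4625
    condition: selection
---
title: Brute force against a single account
id: 00000000-0000-0000-0000-000000000002
status: experimental
# No detection section here: the correlation references the base rule by name.
correlation:
    type: event_count        # count matches of the base rule ...
    rules:
        - failed_logon
    group-by:
        - TargetUserName     # ... per target account ...
    timespan: 5m             # ... inside a 5 minute window
    condition:
        gte: 10              # alert at 10 or more failures
    generate: false          # base rule is not emitted as its own query
---
title: Password spraying from a single source
id: 00000000-0000-0000-0000-000000000003
status: experimental
correlation:
    type: value_count        # count distinct values of a field, not events
    rules:
        - failed_logon
    group-by:
        - IpAddress
    timespan: 10m
    condition:
        field: TargetUserName  # distinct accounts targeted from one address
        gte: 20
```

The correlation documents have no detection section by design, so they only convert with a backend that understands correlations; a converter that does not will either reject them or, at best, emit the base rules as separate queries, which matches the behaviour described in the last comment.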