Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add correlation (or similar) related type #136

Open
kelnage opened this issue Jul 31, 2024 · 1 comment
Open

Add correlation (or similar) related type #136

kelnage opened this issue Jul 31, 2024 · 1 comment
Assignees
@nasbench
Labels
documentation Improvements or additions to documentation enhancement New feature or request v2.1.0
Milestone
Version 2.1.0

Comments

@kelnage
Copy link

kelnage commented Jul 31, 2024
edited
Loading

When creating a Sigma rule that is intended to be largely (but not always) used with a correlation rule or could be used with multiple different correlation rules, there does not seem to be a good way of indicating that in the Sigma rule metadata itself.

The related field allows us to associate Sigma rules together, but the types available do not seem (to me) to align with the above desired use-case - my suggestion is to introduce a type: correlation or type: recommended_correlation to the standard to enable it.

A simple example usage might look like the following Sigma rule:

title: Detect Failed Logins
id: 20e9c90b-dd09-468c-896e-572a26bf7941
related:
    - id: 9582bf37-ea9a-43cf-aa5f-4145e0868d2e
      type: correlation
detection:
    ...

With the associated Sigma correlation rule:

type: Detect Multiple Failed Logins (5 Minutes, 10 Attempts)
id: 9582bf37-ea9a-43cf-aa5f-4145e0868d2e
correlation:
    ...
@nasbench
Copy link
Member

nasbench commented Aug 4, 2024

+1 for the type: correlation. I think it make sense and it'll encourage people to look at the related correlation rules.

@nasbench nasbench self-assigned this Aug 4, 2024
@nasbench nasbench added documentation Improvements or additions to documentation enhancement New feature or request labels Aug 4, 2024
This was referenced Aug 4, 2024
Merged
Open
@nasbench nasbench added this to the Version 2.1.0 milestone Aug 5, 2024
@nasbench nasbench added the v2.1.0 label Aug 6, 2024
@nasbench nasbench mentioned this issue Aug 13, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nasbench nasbench

Labels
documentation Improvements or additions to documentation enhancement New feature or request v2.1.0
Projects
None yet
Milestone
Version 2.1.0
Development

No branches or pull requests
2 participants
@kelnage @nasbench