Sigma Unleashed: A Realistic Implementation

By CERT-EU

On the occasion of the 36th annual FIRST conference, we are excited to announce the release of droid, a tool designed to enhance management of detection rules by taking advantage of Sigma.

Have you ever wanted to implement Sigma in production for your threat detection activity? Well, look no further. droid might be what you've been waiting for to make it seamless and efficient.

At CERT-EU, we serve the European Union institutions, bodies, offices and agencies (Union entities), and strive to deliver the best possible services to them. Managing our multi-SIEM/EDR environment presents significant challenges, which is why we are using Sigma. Its generic approach makes it vendor-agnostic for the detection logic.

Despite its active and robust open-source community and wide range of features, implementing Sigma can be difficult, especially for Managed Security Service Providers (MSSPs). As an inter-institutional service provider, we faced these challenges head-on, recognising the need for a more streamlined and efficient approach to managing our detection content.

Rock, Robot Rock

We created droid, a PySigma wrapper that we specifically built to ease Sigma's use in production. droid enables us to:

  • Validate the syntax of Sigma rules
  • Convert them by applying a set of transforms per log source and platform
  • Search in logs and report on findings
  • Test the rules by leveraging Atomic Red Team™
  • Deploy them to any compatible SIEM or EDR (e.g. Splunk, Microsoft Sentinel)

Operationally, the tool is driven by a single TOML configuration file that holds the per-platform settings used when deploying the detection rules.

droid can also handle detection rules written in plain SIEM search syntax rather than Sigma.
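To make the "convert by applying a set of transforms per log source and platform" step concrete, here is an added illustration, written for this page and not taken from droid or pySigma: a small Python converter for one subset of the Sigma format (a `selection`/`filter` detection with string modifiers) that validates the rule, rewrites field names and log-source selectors per platform, and renders the same logic as Splunk SPL and Microsoft Sentinel KQL. The rule, the platform table, its field mappings and log-source prefixes are constructed assumptions for the example (they are not droid's configuration schema); check them against your own data model before reuse.

```python
"""Sigma-style rule validation and per-platform conversion (added illustration).

Not droid's or pySigma's code: it mimics, for a small subset of Sigma, what a
pySigma processing pipeline does, i.e. rewriting field names and log-source
selectors per platform before a backend renders the query.
"""
from __future__ import annotations

# Constructed Sigma rule, already loaded from YAML into a dict.
RULE = {
    "title": "PowerShell With Encoded Command",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        "filter": {"ParentImage|endswith": "\\explorer.exe"},
        "condition": "selection and not filter",
    },
}

# Per-platform transforms (illustrative assumptions, not droid's TOML schema):
# a log-source prefix, field renames keyed by Sigma field name, and operators.
PLATFORMS = {
    "splunk": {
        "prefix": 'source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 ',
        "fields": {},  # Sysmon field names are used as-is in this assumed setup
        "and": " AND ", "or": " OR ", "not": "NOT ",
    },
    "sentinel": {
        "prefix": "DeviceProcessEvents | where ",
        "fields": {"Image": "FolderPath", "CommandLine": "ProcessCommandLine",
                   "ParentImage": "InitiatingProcessFolderPath"},
        "and": " and ", "or": " or ", "not": "not ",
    },
}


def validate(rule: dict) -> list[str]:
    """Return a list of problems; an empty list means the rule passes."""
    problems = [f"missing top-level key {k!r}" for k in ("title", "logsource", "detection") if k not in rule]
    detection = rule.get("detection", {})
    condition = detection.get("condition")
    if not isinstance(condition, str):
        return problems + ["detection.condition must be a string"]
    items = {k for k in detection if k != "condition"}
    for tok in condition.split():
        if tok not in ("and", "or", "not") and tok not in items:
            problems.append(f"condition references undefined item {tok!r}")
    return problems


def _escape(value: str) -> str:
    return value.replace("\\", "\\\\").replace('"', '\\"')


def _atom(platform: str, field: str, modifier: str | None, value: str) -> str:
    """One field/value comparison in the platform's syntax (case-insensitive, like Sigma)."""
    name, v = PLATFORMS[platform]["fields"].get(field, field), _escape(value)
    if platform == "splunk":
        forms = {None: f'"{v}"', "contains": f'"*{v}*"', "startswith": f'"{v}*"', "endswith": f'"*{v}"'}
        if modifier not in forms:
            raise ValueError(f"unsupported modifier {modifier!r}")
        return f"{name}={forms[modifier]}"
    ops = {None: "=~", "contains": "contains", "startswith": "startswith", "endswith": "endswith"}
    if modifier not in ops:
        raise ValueError(f"unsupported modifier {modifier!r}")
    return f'{name} {ops[modifier]} "{v}"'


def _item(platform: str, item: dict) -> str:
    """A detection item: AND across fields; a list of values is OR'ed, as in Sigma."""
    cfg, clauses = PLATFORMS[platform], []
    for key, values in item.items():
        field, *mods = key.split("|")
        vals = values if isinstance(values, list) else [values]
        atoms = [_atom(platform, field, mods[0] if mods else None, str(v)) for v in vals]
        clauses.append(atoms[0] if len(atoms) == 1 else "(" + cfg["or"].join(atoms) + ")")
    return cfg["and"].join(clauses)


def _condition(cond: str, rendered: dict[str, str], cfg: dict) -> str:
    """Precedence parser for `a and not b or c` (not > and > or; no parentheses)."""
    tokens, pos = cond.split(), 0

    def term() -> str:
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        return cfg["not"] + term() if tok == "not" else f"({rendered[tok]})"

    def conj() -> str:
        nonlocal pos
        parts = [term()]
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            parts.append(term())
        return cfg["and"].join(parts)

    parts = [conj()]
    while pos < len(tokens) and tokens[pos] == "or":
        pos += 1
        parts.append(conj())
    return cfg["or"].join(parts)


def convert(rule: dict) -> dict[str, str]:
    """Validate, then render the rule once per configured platform."""
    problems = validate(rule)
    if problems:
        raise ValueError("; ".join(problems))
    detection = rule["detection"]
    out = {}
    for platform, cfg in PLATFORMS.items():
        rendered = {n: _item(platform, i) for n, i in detection.items() if n != "condition"}
        out[platform] = cfg["prefix"] + _condition(detection["condition"], rendered, cfg)
    return out


if __name__ == "__main__":
    for platform, query in convert(RULE).items():
        print(f"{platform}: {query}")
```

The point of the split between `_item`/`_condition` (detection logic) and the `PLATFORMS` table (field names, log-source prefix, operator spelling) is the same one Sigma makes: the analyst's rule never changes, only the transform applied per platform does, which is what makes a single rule repository deployable to several SIEM/EDR back ends.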

Enabling Detection-As-Code

While droid can be used ad hoc via the command-line interface, it is also designed to be integrated seamlessly into a CI/CD pipeline using a git source code repository host (e.g. GitLab, GitHub).

droid workflow

Our workflow involves validating, testing and deploying the Sigma rules from our internal repository. This ensures that our detection rules are always versioned. Additionally, it facilitates collaboration and allows us to deploy our detection content with minimal effort.

Fostering Collective Progress

At CERT-EU, we believe in fostering a culture of collective progress. To contribute to the ongoing efforts of improving detection capabilities, we are releasing droid to the public as free software under the EUPL license.

You will find all the resources you need to get started with the tool on the documentation page, including installation guides, usage instructions, and best practices.

We invite you to take a look, try it out, and leave feedback. Insights and contributions from the community are invaluable in helping us improve the tool.
