One of the most important aspects of threat hunting is having a place to start. A question, a theory, or a hunch often begins the hunt. Where you end up may not be where you first intended, but a good hunt will always reveal new information about your environment, your risks, and perhaps even a compromise. Theoretical exercises are a good way to home in on particular data or threat vectors you want to hunt for, but pretty quickly you’ll need to get your hands into the data by writing some queries.
For the theoretical, the MITRE ATT&CK framework is a great approach to adversarial mapping, and we oriented the latest Corelight Threat Hunting Guide (THG) around the ATT&CK matrix. The guide is a fantastic tool for getting familiar with how to hunt using Corelight’s Zeek data; the only things missing are some actual queries to demonstrate the techniques explained in the guide.
Well, Corelight just made that task a lot easier. We worked with SOC Prime to release 70 new threat hunting queries, written in Sigma rule format, which can be translated directly to the most popular SIEM query languages. Designed to be paired with the Corelight THG, these queries map directly to 16 unique MITRE ATT&CK TTPs across 10 categories and provide a way to turn queries into direct action, showcasing how to hunt with Corelight’s Zeek network data. Now you can search for exposed services, identify forced authentication, and find staging or exfiltration behavior just to name a few examples.
If you’re not familiar with Sigma, it’s an open-source project that provides a generic signature format for SIEMs. Write a query or rule once in Sigma and it can be easily translated into Splunk, Elastic, Humio, Azure Sentinel, and other SIEM query languages. We’re really excited about Sigma as a project, and though its early focus was on endpoint data, we added Zeek’s data mapping into Sigma last year. By releasing the new THG rules in Sigma format, we’re hoping to drive more interest and adoption in the network defender community to contribute to both these THG rules and to the Sigma project.
There are a number of great benefits to Sigma:
The Sigma format is open, both in terms of code and for improvements to the schema and data models. That openness helps support Corelight’s Open NDR strategy.
Rules can translate to multiple SIEMs – this is especially valuable if you’re writing the rules, since it can make it easy to cover multiple SIEMs and organizations with a single rule.
Sigma also gives you great portability, letting you move detections between two different SIEM products as you migrate, or just explore alternatives to your production environment.
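To make the “write once, translate to many SIEMs” idea concrete, here is an added example (not Corelight’s, SOC Prime’s, or the Sigma project’s code): a constructed Sigma-style rule for an exposed-service hunt over Zeek conn.log fields, plus a tiny translator that renders the same rule as a Splunk search and as an Elasticsearch query string. The rule, the `index`/`sourcetype` values and the `_path` field are assumptions you would adjust for your own deployment; real tooling such as sigmac handles far more of the Sigma specification than this subset.

```python
"""Minimal Sigma-to-SIEM translation for a Zeek conn.log hunt (added example)."""

# Constructed rule, written as the dict that parsing the Sigma YAML would yield.
# Logic: inbound connection from a non-local host to a local SSH/SMB/RDP port,
# excluding conn_state S0 (SYN with no reply), i.e. the service actually answered.
EXPOSED_SERVICE_RULE = {
    "title": "Inbound connection to an administrative service (constructed)",
    "logsource": {"product": "zeek", "service": "conn"},
    "detection": {
        "selection": {
            "id.resp_p": [22, 445, 3389],  # Zeek conn.log responder port
            "local_orig": False,           # originator is outside local nets
            "local_resp": True,            # responder is inside local nets
        },
        "filter": {"conn_state": "S0"},
        "condition": "selection and not filter",
    },
}


def _term(field, value, sep):
    """Render one field match; a list of values is an OR, per Sigma semantics."""
    if isinstance(value, list):
        return "(" + " OR ".join(_term(field, v, sep) for v in value) + ")"
    if isinstance(value, bool):  # Zeek logs booleans as true/false
        value = "true" if value else "false"
    return f'{field}{sep}"{value}"'


def to_query(rule, backend):
    """Translate the supported Sigma subset into a Splunk or Elastic query string."""
    sep = {"splunk": "=", "elastic": ":"}[backend]
    detection = rule["detection"]
    # Every named selection becomes an AND of its field matches.
    expanded = {
        name: "(" + " AND ".join(_term(f, v, sep) for f, v in fields.items()) + ")"
        for name, fields in detection.items()
        if name != "condition"
    }
    # Substitute selection names into the condition; and/or/not are uppercased.
    query = " ".join(expanded.get(tok, tok.upper()) for tok in detection["condition"].split())
    src = rule["logsource"]
    if backend == "splunk":
        # Placeholder index/sourcetype: adjust to how your Zeek logs are ingested.
        return f'index=zeek sourcetype="{src["product"]}_{src["service"]}" {query}'
    # Placeholder: Corelight JSON logs carry the log name in a _path field.
    return f'_path:"{src["service"]}" AND {query}'


if __name__ == "__main__":
    for backend in ("splunk", "elastic"):
        print(f"{backend}: {to_query(EXPOSED_SERVICE_RULE, backend)}")
```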
Sounds great, how do I get these threat hunting rules?
First, you’ll want to make sure you’ve got Corelight or Zeek data in your SIEM. If you haven’t gotten that far yet, not to worry. There are several easy ways to get Corelight up and running, including our awesome Corelight@Home program, or by contacting our sales team.
Once you’ve got Corelight data and you’re ready to hunt, the best place to get the rules is SOC Prime’s TDM, where you can create a free account:
5. Once you’ve found some rules you like, you can translate them directly on TDM into queries for your SIEM, or use some of the other tools (like uncoder.io, sigmac, or others) to translate the queries:
We’re very excited to release these rules and we hope there will be even more new rules added in the coming months. We’re also hoping to hear from you as you use them, and we’re looking for improvements, bug fixes, and better ways to hunt! You can email us directly at email@example.com, or make suggestions within TDM.
Can I use Zeek with these new THG Sigma rules?
Yes, most of the rules are written using only Zeek-specific fields and should work with minor modifications (you may need to adjust the index or log names). Some rules are specific to Corelight data, and those will only apply to Corelight customers.
Do I need to buy anything to get the rules?
Nope! The rules are completely free from TDM, or if you don’t feel comfortable signing up for a TDM account, just email us at firstname.lastname@example.org and we’ll provide the rules to you. We’re also working on a download link to have them available on our website shortly.
Do I need to install any software to use the rules?
If you already have Corelight or Zeek data in your environment and have a SIEM to query it with, then no. You can use the tools on TDM to translate the Sigma queries into your SIEM query language and use them right away. There are some Sigma translator tools (Sigmac, Sigma to MISP, etc.) that can also help do the translation directly.
What is the license for the rules?
The rules are licensed under Sigma’s license, which really just tries to ensure attribution is credited: