CONTACT US
forrester wave report 2023

Forrester rates Corelight a strong performer

GET THE REPORT

ad-nav-crowdstrike

Corelight now powers CrowdStrike solutions and services

READ MORE

ad-images-nav_0013_IDS

Alerts, meet evidence.

LEARN MORE ABOUT OUR IDS SOLUTION

ad-images-nav_white-paper

5 Ways Corelight Data Helps Investigators Win

READ WHITE PAPER

glossary-icon

10 Considerations for Implementing an XDR Strategy

READ NOW

ad-images-nav_0006_Blog

Don't trust. Verify with evidence

READ BLOG

ad-nav-NDR-for-dummies

NDR for Dummies

GET THE WHITE PAPER

video

The Power of Open-Source Tools for Network Detection and Response

WATCH THE WEBCAST

ad-nav-ESG

The Evolving Role of NDR

DOWNLOAD THE REPORT

ad-images-nav_0006_Blog

Detecting 5 Current APTs without heavy lifting

READ BLOG

g2-medal-best-support-ndr-winter-2024

Network Detection and Response

SUPPORT OVERVIEW

 

Zeek & Sigma: Fully compatible for cross-SIEM detections

Corelight recently teamed up with SOC Prime, creators of advanced cyber analytics platforms, to add support for the entire Zeek data set into Sigma, the only generic signature language that enables cross-SIEM detections from a single toolset. Generally available as of last month, this addition is compatible with the entire existing Sigma signature base for network detections, enabling a large number of existing detections immediately. 

For those unfamiliar with the Sigma project, it is self-described as a “universal format for searching logs and data. Just as Snort rules are for network traffic and YARA is for files, Sigma is to databases and SIEMs.” Created in 2017, Sigma has steadily picked up steam, with integration and usage points ranging from Microsoft Azure and Joe Sandbox to SANS and MISP

“People have been doing detection in their SIEMs for years now, but the number of third-party signatures that they could use has always been limited by whether people have written something for their specific SIEM technology,” said Nate Guagenti, a core rule and backend contributor to the Sigma project. “Sigma is all about bridging that gap, and letting people focus on detecting bad stuff instead of worrying about query syntax.”  

Since Corelight’s user base sends  data into a variety of different SIEM technologies, Sigma is a natural fit for us. While we strive to make our content as cross-SIEM compatible as possible, the complexity of translating detection content using Corelight and/or other data sources across a dozen or more SIEMs is considerable, and can dramatically slow the process of getting detection insight into our users’ hands. Allowing Sigma to do much of that work for us should dramatically improve time-to-market – a critical factor in defeating adversaries on the network – as we bring more detection to our user base.

Of course, Sigma rules are just one of multiple new detection capabilities Corelight is focusing on. We announced earlier this month the inclusion of the well-respected Suricata IDS in our platform, directly integrated with our existing Zeek data for extremely rapid and highly automatable event resolution. We’ve also begun pouring resources into durable, protocol-level detections in Zeek scripts, with our Encrypted Traffic Collection, and work already in progress on more great content for our next release. 

Releasing detection content that works from multiple angles goes to a central reality of the modern SOC: no two setups are the same, with different toolsets, workflows, coverage gaps, and even different types of adversaries to fight off. By giving defenders multiple places and methods to do detections, we help them increase the chances that they’ll find attackers on their network early on, before real damage can be done.

Going forward, users can expect to see contributions from Corelight to the existing Sigma signature base, including through the SOC Prime Threat Detection Marketplace, a commercially supported community for Sigma signatures. Since contributions from the community are the lifeblood of open source, we would encourage others in the space to consider contributing to this worthy project as well. In the meantime, happy hunting to all the network defenders out there!

 

Recent Posts