
Detection Guide

V1D1AN edited this page May 28, 2021 · 15 revisions

The detection architecture:

[Screenshot: 20210518_s1em_archi--detection]


Detection with Sigma:

In S1EM, the Sigma rules are automatically injected into Kibana.


[Screenshot: Rules Sigma]

With the Sigma git repository of Frack113, supervisors get extra information such as the URL of the Sigma rule or additional tags.


[Screenshot: Rules Sigma Example]

As an example, I run a "whoami":

[Screenshot: Whoami example]

I get the detection of my "whoami" in the Kibana interface:

[Screenshot: Whoami detection]

If you click on the "analyzed" icon in Kibana:

[Screenshot: Whoami detection_analyzed]

you get the full execution chain of the "whoami":

[Screenshot: Whoami analyzed]
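To show what the Sigma rule that fires on this "whoami" does once it is injected, here is an added example (not code from the S1EM project): a minimal evaluator for a Sigma-style process-creation rule run over constructed Winlogbeat-style events. The rule content, the benign "monitoring-agent.exe" parent in its filter, and the events are assumptions constructed for the example.

```python
# Added example (not S1EM's code): minimal Sigma-style rule evaluation over constructed events.
# Rule as it looks after YAML parsing; constructed, shaped like the public whoami rules.
WHOAMI_RULE = {
    "title": "Whoami Execution",
    "tags": ["attack.discovery", "attack.t1033"],
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\whoami.exe"},
        # constructed benign parent whose whoami calls should be suppressed
        "filter": {"ParentImage|endswith": ["\\monitoring-agent.exe"]},
        "condition": "selection and not filter",
    },
}

def _field_matches(event, key, expected):
    """Apply one Sigma field with its modifier; a list of values is an OR."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    for pattern in (expected if isinstance(expected, list) else [expected]):
        pattern = str(pattern).lower()
        if modifier == "endswith" and value.endswith(pattern):
            return True
        if modifier == "" and value == pattern:
            return True
    return False

def _block_matches(event, block):
    """Every field of a Sigma map must match (AND)."""
    return all(_field_matches(event, k, v) for k, v in block.items())

def rule_matches(rule, event):
    """Evaluate conditions of the form 'a', 'a and b' or 'a and not b'."""
    det = rule["detection"]
    for term in det["condition"].split(" and "):
        negate = term.startswith("not ")
        block = det[term[4:] if negate else term]
        if _block_matches(event, block) == negate:
            return False
    return True

# Constructed Sysmon/Winlogbeat-style process-creation events.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\whoami.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\whoami.exe", "ParentImage": "C:\\Agent\\monitoring-agent.exe"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
]

def alerts(rule=WHOAMI_RULE, events=EVENTS):
    """Return (title, tags, event) for each event the rule fires on."""
    return [(rule["title"], rule["tags"], e) for e in events if rule_matches(rule, e)]
```

Only the whoami launched from cmd.exe produces an alert; the one from the filtered parent is suppressed and notepad.exe never matches the selection.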

Now, if you want to send the alert to TheHive, select the alerts, click on "Take action" and choose "Mark in progress":

[Screenshot: Alert_mark_in_progress]

Your alert arrives in TheHive:

[Screenshot: Alert_send_to_thehive]

You can click on "Preview import" to see the alert:

[Screenshot: Alert_thehive]

Detection with Elastic Rules:

If you want to use the Elasticsearch rules, go to the Kibana interface:

Security >> Detections >> Manage Detection Rules >> Load Elastic prebuilt rules

Detection with Suricata:

With S1EM, the "suricata-rules.ndjson" file in the sigma folder is imported into Elastic SIEM, which gives you the Suricata detection rule:

[Screenshot: Detection Suricata]

If you click on "Detection suricata", you get the details of the rule:

[Screenshot: Detection Suricata Details]

Now you have the "Suricata" alerts in Elastic SIEM:

[Screenshot: Detection Suricata Elastic SIEM]

Detection with Indicator of compromise:

With S1EM, the "ioc-rules.ndjson" file in the elastic folder is imported into Elastic SIEM, which gives you detection based on the indicators of compromise from MISP:

[Screenshot: Detection Ioc]

Detection with Yara:

[Screenshot: Detection Yara]
