RegEX, Sigma, Yara, Snort/Zeek/Bro

Yara

SIGMA

ArcSight SIGMA support

  • With ESM 7.2.1, the initial phase of integration has been completed.
  • The ability to *paste* text into the Common Conditions Editor (CCE) of the ESM Console (Java Console) is now available.
  • ArcSight external rule (cost) assessment tool.
  • Customers are interested in using crowd-sourced SIGMA rules from the web (GitHub, partner web pages, competitors’ pages, etc.) within one of the following ArcSight solutions:
    • ArcSight Logger (search and hunt queries)
    • ArcSight ESM (real-time correlation rules)
  • Option #1 (Logger search queries) has always worked (and still works): all you need to do is convert the SIGMA rule into an ArcSight Logger keyword query (using the free website www.uncoder.io or other techniques).
  • Option #2 was the issue, as ESM did not allow pasting of free text as a rule condition.
  • That feature is now in ESM 7.2.1.
  • ‘free-text’ form that we can then paste into ESM v7.2.1?
  • ESM Content Authoring – https://community.microfocus.com/t5/ArcSight-User-Discussions/ESM-Content-Authoring-Best-Practices/td-p/1619362
  • Basically, when you create a brand-new rule, within the “Conditions” tab, you can right-click the empty “event1” and the new option “New Plain Text Condition” will come up.
  • If you paste the plain text (step 3) and click the “Add to CCE” button, the new rule will be auto-generated within the visual CCE editor – see step 5 below.
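The SIGMA-to-plain-text step those bullets rely on, as an added example that is neither ArcSight's, uncoder.io's nor the page author's code: a toy translator that expands a Sigma rule's `detection` block (maps AND-ed, lists OR-ed, `contains`/`startswith`/`endswith`/`all` modifiers, `and`/`or`/`not` condition) into one boolean condition string of the kind you would paste into a search box or a plain-text condition editor. The field mapping, the output grammar and the sample rule are assumptions, not ArcSight's real schema or syntax.

```python
import re

# Assumed Sigma-field -> target-field mapping; illustrative, not ArcSight's real schema.
FIELD_MAP = {"Image": "destinationProcessName", "CommandLine": "deviceCustomString1"}

# Constructed Sigma rule (shaped as PyYAML would load it) used as the demo input.
SAMPLE_RULE = {
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
                      "CommandLine|contains": "-enc"},
        "filter": {"Image|startswith": "C:\\Program Files\\"},
        "condition": "selection and not filter",
    },
}

def quote(value):
    """Quote a literal, escaping backslashes and embedded double quotes."""
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{text}"'

def render_atom(key, value):
    """One `Field|modifier: value` pair -> comparison; lists OR-ed, or AND-ed with `all`."""
    field, *mods = key.split("|")
    target = FIELD_MAP.get(field, field)
    ops = {"contains": "CONTAINS", "startswith": "STARTSWITH",
           "endswith": "ENDSWITH", "re": "MATCHES"}
    operator = next((ops[m] for m in mods if m in ops), "=")
    values = value if isinstance(value, list) else [value]
    joiner = " AND " if "all" in mods else " OR "
    terms = [f"{target} {operator} {quote(v)}" for v in values]
    return terms[0] if len(terms) == 1 else "(" + joiner.join(terms) + ")"

def render_selection(selection):
    """Sigma semantics: a map is AND-ed; a bare list is OR-ed free keywords."""
    if isinstance(selection, list):
        return "(" + " OR ".join(quote(v) for v in selection) + ")"
    return "(" + " AND ".join(render_atom(k, v) for k, v in selection.items()) + ")"

def render_condition(detection):
    """Expand `condition`, substituting named selections; only and/or/not/parens supported."""
    out = []
    for tok in re.findall(r"\(|\)|\w+", detection["condition"]):
        if tok in ("and", "or", "not", "(", ")"):
            out.append(tok.upper())
        elif tok in detection and tok != "condition":
            out.append(render_selection(detection[tok]))
        else:
            raise ValueError(f"unsupported condition token: {tok!r}")
    return " ".join(out)
```

Call `render_condition(SAMPLE_RULE["detection"])` to get the single pasteable condition; `1 of selection*`-style conditions are deliberately rejected rather than silently mistranslated.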

That’s the Wow moment.

REGEX

Resources
