Examples of Correlations

[joshnck]

I'm working through the documentation and generally understand the reason behind the change in removing | but I don't really understand how the newer correlation method works. Are they any examples of live rules that are using the new correlation method?

In the documentation examples:

title: Failed login
id: 0e95725d-7320-415d-80f7-004da920fc12
action: correlation
type: value_count
field: User
group-by:
    - ComputerName
    - WorkstationName
timespan: 1d
condition:
    gte: 100

Does this replace the logic of an entire Sigma rule? Or does this reference the Sigma rule Failed login and generate a new query based on the results, grouped by ComputerName or WorkstationName greater than 100? Or does this get appended to the end of the already existing Sigma rule and somehow reference the logic of the original Sigma rule?

Are there any live examples in the Sigma repo that I can look at and compare while I'm building my own?

Additionally, and this is a question for maybe a different repo, is this supported already in PySigma? If so, which release version so I can make sure my environment supports this feature too.

[nasbench]

Hi,

The SIGMA V2 correlation "proposal" is still a work in progress and shouldn't be used in production. The main rule repo isn't using the new correlation and we've deprecated the older correlation rules as we're transitioning to PySIGMA. Also, this feature is not yet implemented in PySIGMA and it's still under construction and discussion :)

Now to answer your question about how it works. (this could and will change in the future).

Basically there are many correlation types and depending on the type of correlation some fields will be required or added.

In the example, you linked it's a value_count correlation rule. So it needs a field to count on and a grouping designated by the group-by (a condition to group similar events).

If you change the type of the correlation then other fields would be required or removed.

For example if you choose a Temporal Proximity type. Then you could link multiple "traditional" SIGMA rules and say give me an alert if X,Y,Z rule trigger in the span of 5 minutes.

action: correlation
type: temporal
rules:
    - recon_cmd_a
    - recon_cmd_b
    - recon_cmd_c
group-by:
    - ComputerName
    - User
timespan: 5m
ordered: false

Hope this answer your question :)

[joshnck]

Excellent answer - I look forward to SIGMA V2! Do we have an idea on when it will be available?

In the meantime, I'll do some Splunk magic and append my stats commands at the end of my Sigma rules in our production use.

[nasbench]

We're aiming for an end-of-the-year full transition to PySIGMA (hopefully).