Confluent Sigma

Hello!
There is a project, confluent-sigma, on GitHub that processes Sigma rules to identify anomalies in source data with Kafka Streams prior to sending to a SIEM. There are also several articles about it.
I wonder, does anybody use Confluent Sigma in production? Does anybody use it to detect anomalies in MS SysMon events in Kafka?
Please share your experience.

Thank you in advance!

Igor, I am one of the main committers on the project. There are currently a couple of organizations using this in production, and at least 4 other organizations that are looking to start using it. Like Sigma rules, the project is data set agnostic and so it should work with SysMon just fine. Given a specific set of data and Sigma rules I would be glad to verify and add tests for you. If you are on the Community Slack server you can send me a message on the #sigma channel or directly to @wtl


Hello, Will!
I’ve reported an issue to the confluent-sigma project on GitHub. It seems that the Sigma Loader ignores the “category” field in rules and expects a “service” field, which is absent in all rules for SysMon. So the loader assigns NULL to the “service” field and we get an error while running the confluent-sigma application.
Please check it.

Thank you!

Will take a look today and get back to you. I assume you are running against MAIN. Are you on Slack? If so, that might be a better way to communicate with us. Or you can email me directly at will@confluent.io

Just adding another comment to this thread to close it out here. This is related to a bug in an old version where we required a service field (which is not a required sigma field).
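To illustrate the logsource point from Igor's bug report and Will's closing note (Sigma's `logsource` keys `category`, `product` and `service` are all optional, and Sysmon rules set only the first two), here is an added example of a minimal rule loader and matcher. It is not confluent-sigma's code; the rule, the event and the `whoami.exe` detection are constructed for the example.

```python
# Added example: a minimal Sigma-style loader/matcher that does not require `service`.
SYSMON_RULE = {  # constructed rule, shaped like PyYAML's output for a Sigma YAML file
    "title": "Sysmon process creation of whoami.exe (constructed)",
    "logsource": {"category": "process_creation", "product": "windows"},  # no `service`
    "detection": {
        "selection": {"EventID": 1, "Image|endswith": "\\whoami.exe"},
        "condition": "selection",
    },
}
SYSMON_EVENT = {"EventID": 1, "Image": "C:\\Windows\\System32\\whoami.exe"}  # constructed


def logsource_key(rule):
    """Routing key built from whichever logsource fields exist; none is mandatory."""
    ls = rule.get("logsource") or {}
    key = tuple((k, ls[k]) for k in ("category", "product", "service") if ls.get(k))
    if not key:  # only a fully empty logsource is an error, not a missing `service`
        raise ValueError(f"rule {rule.get('title')!r} has an empty logsource")
    return key


def _value_matches(modifier, expected, actual):
    """Apply a Sigma field modifier (or plain equality); a list of values is an OR."""
    actual = str(actual)
    ops = {
        None: lambda e: actual == str(e),
        "contains": lambda e: str(e) in actual,
        "startswith": lambda e: actual.startswith(str(e)),
        "endswith": lambda e: actual.endswith(str(e)),
    }
    values = expected if isinstance(expected, list) else [expected]
    return any(ops[modifier](v) for v in values)


def selection_matches(selection, event):
    """Every field/value pair in a selection must match (AND semantics)."""
    for spec, expected in selection.items():
        field, _, modifier = spec.partition("|")
        if field not in event or not _value_matches(modifier or None, expected, event[field]):
            return False
    return True


def rule_matches(rule, event):
    """Evaluate a condition of the form 'a', 'a and b' or 'a and not b'."""
    det = rule["detection"]
    result = True
    for term in det["condition"].split(" and "):
        negate = term.startswith("not ")
        hit = selection_matches(det[term.removeprefix("not ")], event)
        result = result and (hit != negate)
    return result
```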