Sigma playbook - group by #14579
Sigma playbook - group by
#14579
Replies: 1 comment 2 replies
-
|
Is there a way in SIGMA rules in SIEM to trigger an alert only when an event occurs a specific number of times? |
Beta Was this translation helpful? Give feedback.
2 replies
-
|
Unfortunately, that is not yet supported - as it says in the Sigma page you linked, that is only supported in a small number of backends and Security Onion uses EQL, not ES|QL. |
Beta Was this translation helpful? Give feedback.
-
|
So how do you handle it when you want to write a rule that, for example, should trigger an alert when someone tries to guess a user's domain password? |
Beta Was this translation helpful? Give feedback.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Version
2.4.140
Installation Method
Security Onion ISO image
Description
configuration
Installation Type
Distributed
Location
on-prem with Internet access
Hardware Specs
Exceeds minimum requirements
CPU
32
RAM
64G
Storage for /
250G
Storage for /nsm
20TB
Network Traffic Collection
tap
Network Traffic Speeds
1Gbps to 10Gbps
Status
Yes, all services on all nodes are running OK
Salt Status
No, there are no failures
Logs
No, there are no additional clues
Detail
I'm switching from Wazuh to Security Onion 2.4 and need to rewrite some of the rules. Can someone help me write a Sigma playbook that will trigger if a certain event occurs x times within, for example, 5 minutes?
I tried using the example from this page: https://sigmahq.io/docs/meta/correlations.html, but unfortunately it doesn't convert properly.
Guidelines
Beta Was this translation helpful? Give feedback.
All reactions