
Share platform SIEM agnostic detection content: Best practices and tips

  • izexatromo
  • Aug 18, 2023
  • 1 min read


Most attacks on IT systems and networks leave traces in the event logs collected by SIEM systems or other log storage and analysis solutions, which makes the SIEM a crucial tool for detecting and alerting on intruders. In the early days, SIEM detection rulesets lived in vendor- or platform-specific databases. The growing demand for up-to-date detections and analytics requires sharing detection intelligence between different stakeholders and vendors. Sigma addresses this challenge by making queries and rulesets platform-agnostic.

How to write and share platform-agnostic SIEM detection content

Using Sigma lets you stay vendor-agnostic rather than having to change your Infosec Evaluation Methodology (IEM) and repeat rule development for each platform. It also provides a level of future-proofing: if and when you adopt another SIEM platform, you can take your detection rules with you.
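To show what "taking the rules with you" means in practice, here is an added example that is not part of the original post and not the official sigma-cli/pySigma code: a deliberately small converter that renders one constructed Sigma rule (the dict its YAML would load into) as queries for two hypothetical backends, a Splunk-style one that keeps Sysmon field names and an ECS/Lucene-style one that renames them. The field mappings and backend names are assumptions for illustration.

```python
# Toy converter: renders one Sigma rule (as the dict its YAML loads into) as queries
# for two backends. It is NOT pySigma/sigma-cli; it only supports the contains,
# startswith and endswith modifiers and conditions of the form "X" or "X and not Y".

# Constructed Sigma rule: the kind of rule a YAML file in a Sigma repository holds.
RULE = {
    "title": "whoami.exe not started from cmd.exe",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": "\\whoami.exe"},
        "filter": {"ParentImage|endswith": "\\cmd.exe"},
        "condition": "selection and not filter",
    },
}

# The rule keeps Sigma's generic field names; each platform maps them differently.
FIELD_MAPS = {
    "splunk": {},  # hypothetical Splunk-style backend keeps Sysmon field names
    "ecs": {"Image": "process.executable", "ParentImage": "process.parent.executable"},
}

def render_term(backend: str, field: str, value: str, modifier: str) -> str:
    """Render one 'Field|modifier: value' pair as a backend-specific term."""
    mapped = FIELD_MAPS[backend].get(field, field)
    wild = {"": value, "contains": f"*{value}*", "startswith": f"{value}*",
            "endswith": f"*{value}"}[modifier]
    if backend == "splunk":
        return f'{mapped}="{wild}"'
    escaped = wild.replace("\\", "\\\\")  # Lucene syntax escapes backslashes
    return f"{mapped}:{escaped}"

def render_selection(backend: str, fields: dict) -> str:
    """AND all field/value pairs of one selection together."""
    terms = []
    for key, value in fields.items():
        field, _, modifier = key.partition("|")
        terms.append(render_term(backend, field, value, modifier))
    joiner = " " if backend == "splunk" else " AND "  # Splunk ANDs by juxtaposition
    return "(" + joiner.join(terms) + ")"

def convert(rule: dict, backend: str) -> str:
    """Translate the rule's condition; unsupported conditions raise instead of guessing."""
    det = rule["detection"]
    parts = det["condition"].split()
    query = render_selection(backend, det[parts[0]])
    if len(parts) == 4 and parts[1:3] == ["and", "not"]:
        negation = " NOT " if backend == "splunk" else " AND NOT "
        query += negation + render_selection(backend, det[parts[3]])
    elif len(parts) != 1:
        raise ValueError("unsupported condition: " + det["condition"])
    return query
```

The same rule dict yields `(Image="*\whoami.exe") NOT (ParentImage="*\cmd.exe")` for the Splunk-style backend and `(process.executable:*\\whoami.exe) AND NOT (process.parent.executable:*\\cmd.exe)` for the ECS-style one, which is the whole point of keeping the detection logic in Sigma rather than in either query language.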


Picus also provides actionable mitigation content: prevention signatures to address gaps in preventive security controls, log sources and log validation to address gaps in log generation and collection, and detection rules and detection validation to address detection and alerting gaps. With this mitigation content you can collect the required logs, write detection rules and generate alerts. Picus also presents search queries for threat hunting, so you can use them to hunt for adversary TTPs, such as the DarkSide TTPs listed in this document, in your SIEM or EDR.

