I won't get into the details of why Threat Detection teams should consider implementing Detection-as-Code. Anton Chuvakin and Kyle Bailey have both written excellent Medium articles that detail its benefits and how it can improve a Threat Detection operation by enabling better collaboration, testing, deployment and lifecycle management of detection content. Instead, this article walks through an example of how an organization can deploy a Detection-as-Code pipeline using Sigma rules, GitLab CI/CD, and Splunk. This is not a step-by-step guide; if you plan to follow along and build a Detection-as-Code pipeline based on what I demonstrate here, you'll need a foundational understanding of Docker, GitLab, Git, Python, Sigma rules and YAML.

Sigma is an open source project that defines a standard, vendor-agnostic format for developing detection content. The rules are written in structured YAML, making them easy for both humans and systems to consume. For my Detection-as-Code pipeline, I chose Sigma for creating detection content for a few reasons:

- Scalability: one Sigma rule can be deployed to many discrete SIEMs, EDRs, NDRs, XDRs, and whatever other "DRs" have yet to be invented.
- Sharing: Sigma rules can easily be shared with, or received from, other organizations.
- Simplicity: Threat Detection analysts only need to master one standard for creating detection content.

The Sigma project includes sigmac, a powerful Python command line tool that converts Sigma rules for use by controls like Splunk, Devo, ELK, and CrowdStrike using "backends". Custom backends can be created for virtually any detective control that accepts detection logic. In my pipeline, I'll use sigmac to convert Sigma rules to their Splunk-friendly SPL counterparts.

To build the pipeline, I'll provision the following three Docker containers and a Docker network named "dacnet" to provide version control, CI/CD, SIEM infrastructure, and connectivity between them:

- gitlab: A GitLab Community Edition container. I'll use this as the VCS for detection content and for supervising the CI/CD pipeline.
- gitlab-runner: A GitLab Runner container for running CI/CD pipelines. It will be used to build and deploy detection content using additional Docker containers.
- splunk: A Splunk search head and indexer with the Splunk BOTSv3 dataset installed at runtime. I'll use the BOTSv3 data set to demo the creation of Sigma rules and data source configuration.

I crafted the following docker-compose.yml file to help me build the infrastructure on the fly using Docker Compose:
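The author's compose file is not reproduced on this page. The following is an added example, not the original, of a docker-compose.yml that matches the three services and the "dacnet" network described above; the image tags, hostnames, published ports, the SPLUNK_PASSWORD value and the BOTSv3 app URL are assumptions or placeholders.

```yaml
# Added example, not the author's file. Image tags, hostnames, ports and the
# SPLUNK_PASSWORD / SPLUNK_APPS_URL values are assumptions or placeholders.
services:
  gitlab:
    image: gitlab/gitlab-ce:latest
    hostname: gitlab.dacnet.local           # assumed hostname
    ports:
      - "8080:80"                           # web UI / HTTP clone
      - "2222:22"                           # SSH clone
    environment:
      GITLAB_OMNIBUS_CONFIG: "external_url 'http://gitlab.dacnet.local'"
    volumes:
      - gitlab-config:/etc/gitlab
      - gitlab-logs:/var/log/gitlab
      - gitlab-data:/var/opt/gitlab
    networks: [dacnet]
  gitlab-runner:
    image: gitlab/gitlab-runner:latest
    volumes:
      - gitlab-runner-config:/etc/gitlab-runner
      # Docker executor: the runner starts job containers (e.g. one with sigmac)
      # through the host daemon. The socket grants host-root-equivalent access,
      # so keep the runner host dedicated to this pipeline.
      - /var/run/docker.sock:/var/run/docker.sock
    depends_on: [gitlab]
    networks: [dacnet]
  splunk:
    image: splunk/splunk:latest
    hostname: splunk
    ports:
      - "8000:8000"                         # Splunk Web
      - "8089:8089"                         # management REST API the pipeline deploys to
    environment:
      SPLUNK_START_ARGS: "--accept-license"
      SPLUNK_PASSWORD: "ChangeMe-Placeholder1!"   # placeholder; inject from a secret
      # Installs the BOTSv3 dataset app at container start; the URL is a placeholder
      SPLUNK_APPS_URL: "https://example.invalid/botsv3_data_set.tgz"
    networks: [dacnet]
networks:
  dacnet:
    driver: bridge
volumes:
  gitlab-config:
  gitlab-logs:
  gitlab-data:
  gitlab-runner-config:
```

Job containers started by the runner's Docker executor only reach the splunk service if the runner's config.toml sets the executor's network_mode to dacnet; otherwise they land on a per-job network.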