3 posts tagged with "sigma"

Jose Luis Sánchez Martínez · 6 min read

TL;DR​

I have created a new script to automate the ingestion of IOCs into MISP in object format. The script also automatically queries VirusTotal to enrich the IOCs when they exist in VT. However, the most interesting part of the script is that it automatically obtains the Sigma rules and MITRE techniques associated with the IOCs we want to store in MISP, and adds this information as Galaxies.

The galaxies are stored both at the event level and at the object level: the event carries the full set of galaxies related to Sigma rules and MITRE techniques, while each object carries only the galaxies related to its own behavior.

All you need to use the script is a VT API key and the Sigma and MITRE galaxies in your instance. Since 2022-11-28 the Sigma galaxy is embedded in the default version of MISP. If you don't have it, I recommend reading this blog post and using the script I made to create the Sigma rules galaxy.

Jose Luis Sánchez Martínez · 4 min read

Version 2.0

Over the last few weeks I have been working on improving the script. The new version, which I have recently published, makes it possible to add relations from the galaxy to the already existing MITRE ATT&CK galaxy. Among other things, this lets you see quickly and visually which Sigma rule is related to which technique within MISP.

Suppose you have an event in MISP that is mapped to 5 MITRE ATT&CK techniques. By clicking on those techniques and expanding their relationships, you can see whether any Sigma rule covers a behavior of the expanded technique.

Jose Luis Sánchez Martínez · 7 min read

A threat intelligence analyst's brief

In the threat intelligence world, we are continuously analyzing threat actors and threats in general that impact different sectors. From a threat intelligence analyst's point of view, it is important to know the motivations, objectives and TTPs, and the overall context of the intrusion.

The results produced by these analysts are usually well defined. Frequently, a report is generated with a series of sections, some of which are usually conclusions, recommendations, countermeasures... perhaps the least fun part for a threat intelligence analyst.

In many cases, additional products are generated and sent along with the report, such as STIX files with the analysis information, CSV files with IOCs, YARA rules and others. Most threat intelligence teams also dump all the information from the report into MISP, including TTPs, IOCs and context information, to help categorize, filter and relate the events.

From a threat intelligence point of view, our work should stop there. However, when it comes to building a good security strategy, it is important to be able to map the techniques and behaviors identified in each intrusion to different types of rules, whether network rules or behavior-based endpoint rules.