🚨𝗕𝗶𝗴 𝗱𝗮𝘆 𝗳𝗼𝗿 𝗗𝗲𝘁𝗲𝗰𝘁𝗶𝗼𝗻𝗦𝘁𝗿𝗲𝗮𝗺. 𝗢𝗻𝗲 𝗼𝗳 𝗼𝘂𝗿 𝗹𝗮𝗿𝗴𝗲𝘀𝘁 𝗿𝗲𝗹𝗲𝗮𝘀𝗲𝘀 𝘆𝗲𝘁. The platform now supports official pySigma validation fully in-browser, compiled to WebAssembly. Same validation as sigma-cli. Thanks to @sifex from detection.studio for the inspiration behind the implementation. Here’s what we added: • 𝗦𝗺𝗮𝗿𝘁 𝗳𝗶𝗲𝗹𝗱 𝘃𝗮𝗹𝗶𝗱𝗮𝘁𝗶𝗼𝗻: Auto-suggests correct field names and catches typos before they become a problem. • 𝗘𝗮𝗿𝗹𝘆 𝗿𝘂𝗹𝗲 𝘃𝗮𝗹𝗶𝗱𝗮𝘁𝗶𝗼𝗻 𝗶𝗻 𝘁𝗿𝗮𝗶𝗻𝗶𝗻𝗴 𝗰𝗵𝗮𝗹𝗹𝗲𝗻𝗴𝗲𝘀: Invalid rules get blocked before evaluation, making the workflow smoother. • 𝟭𝟯 𝗻𝗲𝘄 𝗰𝗵𝗮𝗹𝗹𝗲𝗻𝗴𝗲𝘀: x10 new Sigma and x3 new Suricata challenges • 𝗘𝗩𝗧𝗫 𝗽𝗮𝗿𝘀𝗶𝗻𝗴 𝗶𝗻 𝘁𝗵𝗲 𝗯𝗿𝗼𝘄𝘀𝗲𝗿: Powered by WebAssembly and based on LUMEN[1] by @KoifSec, letting you load and analyze .evtx files locally. • 𝗨𝗽𝗱𝗮𝘁𝗲𝗱 𝗦𝗶𝗴𝗺𝗮 𝗿𝘂𝗹𝗲𝘀: Synced with the latest upstream repository release. • 𝗦𝗺𝗮𝗿𝘁𝗲𝗿 𝘃𝗮𝗹𝗶𝗱𝗮𝘁𝗶𝗼𝗻: Placeholder detection, logsource taxonomy checks, and clearer error messages. • 𝗣𝗲𝗿𝗳𝗼𝗿𝗺𝗮𝗻𝗰𝗲 𝗮𝗻𝗱 𝘀𝘁𝗮𝗯𝗶𝗹𝗶𝘁𝘆 𝗶𝗺𝗽𝗿𝗼𝘃𝗲𝗺𝗲𝗻𝘁𝘀: Faster, more consistent behavior across the whole platform. EVERYTHING is FREE, but don’t confuse free with low quality. A big step forward. Next up, our training module... Full changelog here: detectionstream.com/changelo… [1]: lumen.koifsec.me

logSourceが終売になると聞いたのでまだ少し残ってるが4本も買ってしまった😁 すごく残念 #Zenko #logSource #ログソース

飽きた！味変にログソース投入！！ めっちゃ美味しい！！！笑 #LOGsource

We’ve published a deep dive into how Aurora uses ETW to reconstruct structured event data for detection engineering The post covers: - ETW-based logsource mappings - Custom field enrichment (e.g., ProcessTree, GrandparentCommandLine) - Gaps in ETW coverage and where minimal Sysmon configs help - Practical detection use cases with full Sigma rules - Techniques for exploring ETW with --trace and writing custom rules 🔗 nextron-systems.com/2025/07/… by @_swachchhanda_ #Sigma #AuroraAgent #ETW #DetectionEngineering

LOGSAUCE？結局何なん？🤔💦って初見の方で思ってる人も少なからず居られると思いますのでぶっちゃけると基本BBQソースです😅　でも色んな料理の隠し味にもなったり餃子やハンバーグにかけても美味しいですよー😆　#LOGSOURCE　#ログソース　#辻善光

まさにこの状況を体験…。しかも主担当。まずSIEMって何？から始まり、SOCベンダーに構築を依頼するも、なんだかんだで直ぐに着手できず…でも、期限は切られてる。マニュアル片手に環境構築、LogSource連携、更に並行してインシデントフロー作成、体制構築…そして運用…やりきった自分を褒めたい💦

Do #SPCSS hledáme IT detektiva 🔎 Ví, o čem je: 💻 #CyberSecurity 💻 IT infrastruktura 💻 logsource management, pentesty, konfigurace, dtb, hardening, attack surface mngm,… ale hlavně SPRÁVA ZRANITELNOSTÍ. Prestižní práce i firma, fajn tým, výhody atd.⏭ 1url.cz/M1Nof

sigma logsource-guides Eventlog This logsource guide describes how to enable the necessary logging to make use of SIGMA rules that leverage the security service. github.com/SigmaHQ/sigma/blo…

Windows logsource-guides by @sigma_hq github.com/SigmaHQ/sigma/tre…

🪄New #SigmaHQ r2024-03-11 release is here. 🌟28 New Rules 🛡️5 Rule updates 🔬 5 Rule Fixes Here is a snippet from this release - New rules detecting GitHub "Secret Scanning" or "Push Protection" feature disabling. - New logsource and set of rules leveraging OpenCanary logs. - Increased coverage for a couple of old DLL loading rules. - Tuning for DLL sideloading based rules. And much more 🚀 You can read about this by checking the release highlight blog -> blog.sigmahq.io/sigmahq-rule… Or check the full change log and start exploring this, by downloading the latest release -> github.com/SigmaHQ/sigma/rel… A special thanks to the many contributors that helped shape this release, specifically @benmontour @CrimpSec @DefensiveDepth @faisalusuf @frack113 @qasimqlf @AltgeltMax, snajafov, swachchhanda000, tr0mb1r, @X__Junior

Come join us this Friday to talk about how to process a report and extract detection and look for detection opportunities and ideas. One of the things that i'm fascinated by when looking at a threat report is your perspective will change depending on your level involvement in the detection pipeline. Are you only covering the procedure? Or do you care about different implementation? do you have time to study the technique and find better indicators? What about the logsource does this technique emits a process creation / file event / dns ? All interesting questions. That i'll try to discuss this Friday😁

only Detection Engineers really know what logsource means

With the Aurora agent (nextron-systems.com/aurora/) we subscribe by default to this provider. Which means you can write sigma rules using the following logsource product: windows service: amsi You'll have access to all fields such as Content, Appname, ScanResult... And the matches are outputted in the event logs.

Starting today, if you know one of the SIEM, EDR or Data Lake languages, you know them all! Dear industry, please meet RootA roota.io RootA is a public-domain language for collective cyber defense, created to make threat detection, incident response, and actor attribution simple. It acts as an open-source wrapper on top of most of the existing SIEM, EDR, XDR, and Data Lake query languages. If you learn the basics of RootA, you will be able to contribute to collective defense. And if you have mastered a specific SIEM language, with RootA and Uncoder.IO you can speak them all. Inspired by success of Yara and Sigma rules, RootA is focused on a broader applicability by a larger community of defenders. RootA is expressed using YAML, a wide-spread, easy-to-write and human-readable format. Use any query language for detection, Uncoder.IO will take care of the translation. Correlation support. Common correlations are supported by RootA in order to make detection logic harder to bypass by the attackers, more compute efficient and future proof. Log sources can be explicitly or implicitly defined in the native query itself or in the customizable logsource field. RootA syntax fully accommodates #OCSF and #Sigma providing maximum compatibility for Detection Engineers. Threat Actor Timeline. While Actors change, behaviours often stay the same. RootA supports an additional threat intelligence layer for CERTs, NCSCs, ISACs, MDRs, and Defence Agencies, to coordinate defence faster and with greater precision. Mapping to TTPs. Link detection logic to related tactics, techniques, and procedures in terms of MITRE ATT&CK®. You can start writing RootA rules in any code editor that supports YAML. To translate RootA rules to other languages use Uncoder.IO by building it from source github.com/UncoderIO/Uncoder… or hosted online privately by SOC Prime since 2018 at uncoder.io I am beyond grateful to everybody on SOC Prime team, our customers, friends, families and Sigma community for your ongoing support, belief, inspiration and feedback. Special gratitude to Alex Bredikhin Ruslan Mikhalov Adam Swan and Roman Ranskyi for working on the language specification and designs together. Nothing is impossible! Source github.com/UncoderIO/RootA

.@m3nixx and I took some time this weekend to cook something cool for Sigconverter sigconverter.io 🧑‍🍳 You can now apply custom pySigma processing pipelines directly on the website. You might ask what does this mean? Custom processing pipelines allows you to transform a SIGMA rule before it is converted to the target backend. 🧙‍♂️ These transformation might include Field Mapping, LogSource Change, Replace Strings....etc. 🚀 These would allow you to customize the Sigma rule output exactly to your environment needs. You can read more about these pipelines and how to leverage them in this @sigma_hq blog -> blog.sigmahq.io/connecting-s… The best thing about this is that with the recently announced sharing feature. You can now create a bookmark with an already saved pipeline and every time you want to convert a rule it'll be applied 🔥 We'll also be enabling the post processing templating feature in the coming days for a more customizable output. Stay tuned 🕑

A nice blog post from Jonny & Carlos 💙 Wanted to add that the Aurora agent captures by default the Microsoft-Windows-LDAP-Client ETW logs. You can write Sigma rules using the logsource product: windows service: ldap All events are exposed. So you can specify EventID: 30 for example to capture some of the search filters mentioned in the blog and get alerts in the event log or you can forward them to your Siem for more correlation :)

I've done a little housekeeping in the @sigma_hq rules for the 𝙧𝙚𝙜𝙞𝙨𝙩𝙧𝙮_𝙨𝙚𝙩 logsource. You don't need to put `EventType: SetValue` and even less `EventID: 13` in your detection part. Check : github.com/SigmaHQ/sigma-spe… Don't hesitate to contribute, bring up the FPs 😀

I have add a little GUI POC for my github.com/frack113/sigma_lo…. It is my first python QT ,don't hope to much 😅 But you can see how to select @sigma_hq rules by logsource with simple questions.

Thanks to DustInDark and Fukusuke Takahashi, the latest Hayabusa v2.3.1 now supports all used pipe keywords and condition statements. The last thing is to support the logsource keywords and then it will completely natively support sigma rules. (No conversion necessary!)

Logsource and Detection guides as well as detection validation, rule releases, and much more are all coming to SIGMA in the next couple of months. It's gonna be good 🔥