Joe Security's Blog
Joe Sandbox + SIGMA
Published on: 29.10.2019
Is it true that Joe Sandbox supports Sigma? Yes, we have successfully integrated Sigma into Joe Sandbox. Sigma is available in Joe Sandbox Cloud and will be part of the upcoming Joe Sandbox v28 Lapis Lazuli release.
Do you know what Sigma is? If you don't, this blog post will help you get a better understanding.
Sigma in a Nutshell
Sigma is a generic and open signature format to detect malware and other security-related events in log files. Which are the log files currently supported?
- Firewall logs
- Operating System logs
- Proxy logs
- Web server access logs
For Windows, the operating system logs include:
- Sysmon events
- Event logs
- Process creation events
Logs are usually kept in a security information and event management system (SIEM). To search in your SIEM or log source, Sigma offers to convert your rule into a search query specific to your SIEM product (the target):
Currently, Sigma rules can be converted to the following targets:
- Splunk (plain queries and dashboards)
- ElasticSearch Query Strings
- ElasticSearch Query DSL
- Kibana
- Elastic X-Pack Watcher
- Logpoint
- Windows Defender Advanced Threat Protection (WDATP)
- Azure Sentinel / Azure Log Analytics
- Sumologic
- ArcSight
- QRadar
- Qualys
- RSA NetWitness
- PowerShell
- Grep
By supporting so many targets, Sigma has a tremendous advantage: one rule can be used in various SIEMs. This allows sharing, prevents vendor lock-in, and makes Sigma generic.
Sigma and Joe Sandbox
Okay, Sigma is great, but Joe Sandbox is not a SIEM! So how shall Joe Sandbox benefit from Sigma?
Well, Sigma is being used (among other things) to write threat detection rules for events such as Sysmon events, Windows event logs, and operating system process creation events. All those events are captured during the detonation of malware in a sandbox:
Well, Sigma is being used (among other things) to write threat detection rules for events such as Sysmon events, Windows event logs, and operating system process creation events. All those events are captured during the detonation of malware in a sandbox:
If the sandbox understands Sigma, a rule written to detect a threat on the endpoint (e.g. based on Sysmon data) could be also used to detect the threat in the Sandbox. Or the other way around, Sigma rules that were written for a sandbox can be applied to your SIEM! Isn't that fantastic? We truly think it is!
Sigma in Joe Sandbox enables any customer to write and share threat detection rules based on dynamic data/events even if they don't have a SIEM!
Joe Sandbox also supports Yara rules (including scanning of memory dumps). Yara for the binary world and Sigma for the dynamic world make a perfect combination.
Events
What Sigma rules can I write in Joe Sandbox? Joe Sandbox currently supports eight different events:
- Process creations (product: windows or linux or macos, category: process_creation)
- Sysmon: Process creation, Event ID 1 (product: windows, category: sysmon)
- Sysmon: Network connection, Event ID 3 (product: windows, category: sysmon)
- Sysmon: Remote thread creation, Event ID 8 (product: windows, category: sysmon)
- Sysmon: File creation, Event ID 11 (product: windows or linux or macos, category: sysmon)
- Sysmon: Registry key set, Event ID 13 (product: windows, category: sysmon)
- Powershell: Powershell Transcript Logging (product: windows, service: powershell)
- Windows Event Logs (product: windows, service: security|application|system)
A detailed description of the event fields can be found in our user guide under Sigma - List of events.
We have directly added Linux and macOS support for the process creation and file creation event. With that, you can write Sigma rules covering Linux and macOS threats!
Rules
Sigma rules are written in YAML format and have a very simple structure. Below you can see an example which uses the process creation event as input:
Joe Sandbox uses various optional meta attributes, such as threatname, behaviorgroup or id. This helps Joe Sandbox to identify threats and do proper classification. The level attribute impacts the verdict of the sandbox. For instance, many Sigma rules matched with a critical level will lead to an overall malicious verdict.
The heart of the rule is the detection definition which contains a selector with fields or lists. Fields and lists have great wildcard support. The condition is a Boolean expression which in case it evaluates to true, will lead to a rule match.
You can find a full specification of Sigma here.
Importing Rules
Importing Sigma rules is super easy. Note you don't need to convert any of the Sigma rules. Joe Sandbox understands Sigma natively.
To import a rule go to the Editor navigation tab. Then click Sigma:
You might either upload a Sigma rule as a .yml file or a zip of .yml files or alternatively specify a Github repository containing Sigma rules:
In this case, Joe Sandbox will always import the latest Sigma rule from that repository. Very handy for open source repositories!
Do you want to modify a rule? This can be easily done in the Sigma editor:
Sigma matches
Once you have imported a rule, you will find the Sigma matches for the new analysis in the full behavior report:
In the top navigation bar click on Overview - Sigma Overview:
Clicking on Show sources will tell you the underlying event responsible for the match:
Sigma Rule Feed
The events supported by Joe Sandbox cover currently around 70% of all community Sigma rules.
Joe Security itself started writing its own Sigma rules and decided to share all of the current and new rules with the community under the GPL license. You will find all our Sigma rules on Github: https://github.com/joesecurity/sigma-rules
Examples
We have uploaded the current Sigma and Joe Security community rules to Joe Sandbox Cloud Basic. You can easily search matched Sigma rules by using Joe Sandbox View, our threat hunting & search engine:
Via Sigma, Joe Sandbox found a sample using Get2Downloader, likely associated with TA505:
Or here, a Sigma based Wannacry detection via the open-source rules:
Joint Power
Sigma is great, it is generic and therefore allows to easily share threat rules. There is no vendor lock-in. Joe Sandbox's community rules, once converted, can be used to search in many SIEMs.
You can write your own Sigma rules and use them in Joe Sandbox. Simply upload them in the Sigma editor and you are ready to rock!
Joe Security has committed to open source all its major Sigma rules on the Joe Security Sigma Github Repo.