We are happy to share that our engineering team has contributed a translation backend for DNIF HYPERCLOUD to the popular open-source Sigma rules project. The pull request was merged by Thomas Patzke, who along with Florian Roth, tirelessly maintains this project that provides an open signature format and supporting tools that enable the security community to describe, share and operationalize threat detection methods.
What does it enable?
You can use the sigma converter utility “sigmac” to translate sigma rules for indicators of attack and compromise provided by the sigma project as well as community researchers, third-party consultants, and services such as SOCPrime into DNIF native query language(DQL).
How do you use it?
The DNIF backend converts Sigma rules to the DNIF queries, with the identifier as dnif
The configuration will define the field mappings, value mappings and source mappings. see tools/config/dnif.yml
You can check out how to use Sigma rules with DNIF HYPERCLOUD here:
tools/sigmac -t dnif -c tools/config/dnif.yml rules/network/firewall/net_firewall_high_dns_requests_rate.yml
What does this mean for our customers?
Security Engineering talent is hard to come across — and it’s even harder to keep track of the latest threats, understand how they work and be able to devise, test, and maintain effective detection. Projects such as sigma help the industry at large overcome the skill shortage and maintain an edge against increasingly commercialized adversarial operations.
About DNIF HYPERCLOUD
We are inspired by how the Sigma project enables the security community and industry to improve cyber defense capabilities by providing open access to threat detection methods. DNIF HYPERCLOUD aims to take that a step further by making security analytics more accessible, practical and economical to everyone by providing the most affordable and the most scalable security analytics and automation platform.
While most SIEM solutions claim to be able to scale hardware, operations and licenses to support ever-increasing log volumes, DNIF HYPERCLOUD turns terabyte-scale daily log ingestion into the starting line allowing customers to eliminate log collection blindspots.