
How to implement Sigma Rules for own Repository Queries

Hi,

I would like to implement Sigma rules for InTrust. Is there a converter, or is an implementation already planned?

  • Hi Maximillian, indeed this is a very interesting question. 

    We've definitely been researching this for the past couple of years; we had a couple of PoCs which highlighted that it is going to be more complicated for InTrust than for other SIEM vendors. The thing is, most vendors are focused on just collecting the most important events and the most important fields from them. InTrust is built in a way that you can collect any Windows Event Log preserving its entire structure. As a downside of that, the structure with which we collect events is not fully identical to the event fields usually defined in the SIGMA rules. So SIGMA rule event fields need to be converted, for a specific event, to the corresponding Insertion Strings that can be used in the InTrust rule.

    But that's for rules; for search folders the situation is a little bit different. I would say that Repository Viewer is a good place to start composing a SIGMA-like search: you can search the event log specified in the SIGMA rule and drag and drop the fields identified in the SIGMA rule from the columns to the filters pane; then a corresponding filter can be specified directly from the SIGMA rule for each field.

    Once the Repository Viewer search is complete, you can actually launch it with "new_RV.exe /Support" to extract the REL query from the search folder and use it in the rule definition (the rule can be created using the wizard and then the match condition can be changed to the REL definition specified in the search folder).

    But the nice thing about InTrust is that a lot of the content available in the SIGMA project is already incorporated into the product. InTrust's "Suspicious process was started" is actually a unification of many SIGMA rules around process tracking in the Security log. "PowerShell suspicious activity" is also a generic rule; "PowerShell downgrade attack" and attempts to password spray are also defined using generic rules. Some of the search folders you see in the screenshot I added are also inspired by either SIGMA rules or recommendations from other cyber-security research agencies, independent organizations and researchers.

    Hope this answers the question. We would like to have a converter of course, but it is a little bit more difficult for InTrust because of the complexity and granularity with which it archives events to preserve their original evt structure.
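As an added example (not code from this thread, from InTrust or from the Sigma project) of the field-to-Insertion-String mapping the reply describes: a small Python script that rewrites a Sigma selection into conditions on insertion-string positions and evaluates them against a sample event. The position table, the selection and the event contents are constructed assumptions for illustration, not InTrust's own numbering.

```python
# Added example (not InTrust or Sigma project code): map a Sigma selection
# onto Windows insertion-string positions, then evaluate it against a
# constructed event. Positions, event and field names are assumptions.

# Assumed 1-based insertion-string positions for Security event 4688
# (process creation); check them against your own collected events.
INSERTION_STRINGS = {
    4688: {"NewProcessName": 6, "CommandLine": 9, "ParentProcessName": 14},
}

# Sigma value modifier -> predicate over (event value, rule value)
MODIFIERS = {
    "": lambda v, p: v.lower() == p.lower(),
    "contains": lambda v, p: p.lower() in v.lower(),
    "startswith": lambda v, p: v.lower().startswith(p.lower()),
    "endswith": lambda v, p: v.lower().endswith(p.lower()),
}

def sigma_to_insertion_conditions(event_id, selection):
    """Turn each 'Field|modifier': value(s) entry of a Sigma selection into
    (insertion-string index, modifier, [values]) for the given event ID."""
    fields = INSERTION_STRINGS[event_id]
    conditions = []
    for key, values in selection.items():
        field, _, mod = key.partition("|")
        if field == "EventID":
            continue  # matched on the event header, not an insertion string
        if mod not in MODIFIERS:
            raise ValueError(f"unsupported Sigma modifier: {mod}")
        if field not in fields:
            raise KeyError(f"no insertion string mapped for {field} in {event_id}")
        vals = values if isinstance(values, list) else [values]
        conditions.append((fields[field], mod, [str(v) for v in vals]))
    return conditions

def event_matches(event, conditions):
    """All conditions must hold (AND); multiple values in one are OR, as in Sigma."""
    strings = event["insertion_strings"]
    for idx, mod, vals in conditions:
        actual = strings[idx - 1]
        if not any(MODIFIERS[mod](actual, v) for v in vals):
            return False
    return True

# Constructed Sigma-style selection and a constructed 4688 event (15 strings)
SELECTION = {"EventID": 4688, "NewProcessName|endswith": ["\\whoami.exe", "\\net.exe"]}
EVENT = {"event_id": 4688, "insertion_strings": [
    "S-1-5-21-1", "alice", "CORP", "0x1a2b", "0x1f4", "C:\\Windows\\System32\\whoami.exe",
    "%%1938", "0x3e8", "whoami", "S-1-0-0", "-", "-", "0x0", "C:\\Windows\\System32\\cmd.exe", "S-1-16-8192"]}
```

The resulting (index, modifier, values) triples are what would have to be expressed as insertion-string filters in the REL query of a search folder or rule.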

  • I found the information I was looking for. Many thanks. I signed up to do this, thank you.
