Table of contents
- SIGMA for the new detection workflow
- The Observables page is getting a makeover
- Export relationships in MITRE ATT&CK format
- We detect offensive security tools
- A continuous improvement of our CTI base
SEKOIA.IO aims to stay as close as possible to the users of the platform, meeting their needs precisely while taking their workflows and user experience into account. In that spirit, the platform keeps evolving, regularly integrating new features and improving existing ones. This article covers everything released in December 2021.
SIGMA for the new detection workflow
Improved detection: choose the SIGMA detection language to make setting up your custom rules easier!
SEKOIA.IO's detection workflow was historically based on the STIX patterning format. SIGMA support is now included in order to:
- Facilitate the writing of detection rules by automatically generating a rule in SIGMA format when selecting the desired fields in the “Details” tab of an event.
- Simplify the reading, understanding and writing of SIGMA rules, a more common and unified detection language.
- Write detection rules against the same data model as the events, which remains ECS (Elastic Common Schema).
- Ensure more stability and performance at the detection level.
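The point of writing rules on the same data model as the events is that a Sigma `detection` block can name ECS fields directly and be evaluated against the raw event with no field mapping in between. The block below, an added example rather than SEKOIA.IO's own code, is a minimal evaluator for Sigma-style rules over ECS-shaped events: the rule (already parsed from YAML into a dict), the `process.*` field names and the three events are all constructed for this example, and only the modifiers `contains`, `startswith` and `endswith` plus `and`/`or`/`not` conditions are supported.

```python
"""Minimal Sigma-style rule evaluation over ECS-shaped events (added example).

Not SEKOIA.IO code. The rule, the ECS field names it uses and the sample
events are constructed for illustration.
"""
from fnmatch import fnmatchcase

# A Sigma rule as it looks after YAML parsing. The selections reference ECS
# dotted paths (process.name, process.parent.name), so they resolve directly
# against the nested event documents below.
SIGMA_RULE = {
    "title": "whoami.exe not launched from explorer.exe (constructed example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"process.name|endswith": "whoami.exe"},
        "filter": {"process.parent.name": "explorer.exe"},
        "condition": "selection and not filter",
    },
}

# Constructed ECS events: 1 should match, 2 is excluded by the filter
# (Sigma string matching is case-insensitive), 3 never matches the selection.
EVENTS = [
    {"event": {"id": "1"},
     "process": {"name": "whoami.exe", "command_line": "whoami /all",
                 "parent": {"name": "cmd.exe"}}},
    {"event": {"id": "2"},
     "process": {"name": "WHOAMI.EXE", "parent": {"name": "explorer.exe"}}},
    {"event": {"id": "3"},
     "process": {"name": "notepad.exe", "parent": {"name": "explorer.exe"}}},
]


def get_field(event, path):
    """Resolve an ECS dotted path (e.g. 'process.parent.name') in a nested dict."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def value_matches(actual, expected, modifier=None):
    """Sigma string semantics: case-insensitive, '*'/'?' wildcards, list = any-of."""
    if actual is None:
        return False
    candidates = expected if isinstance(expected, list) else [expected]
    text = str(actual).lower()
    for candidate in candidates:
        pattern = str(candidate).lower()
        if modifier == "contains":
            pattern = f"*{pattern}*"
        elif modifier == "startswith":
            pattern = f"{pattern}*"
        elif modifier == "endswith":
            pattern = f"*{pattern}"
        elif modifier is not None:
            raise ValueError(f"unsupported modifier: {modifier}")
        if fnmatchcase(text, pattern):
            return True
    return False


def selection_matches(event, selection):
    """All field/value pairs of a selection map must match (implicit AND)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if not value_matches(get_field(event, field), expected, modifier or None):
            return False
    return True


def evaluate_condition(condition, results):
    """Evaluate 'a and not b or c' over named selection results (no parentheses)."""
    tokens = condition.split()
    pos = 0

    def parse_not():
        nonlocal pos
        if tokens[pos] == "not":
            pos += 1
            return not parse_not()
        name = tokens[pos]
        pos += 1
        return results[name]

    def parse_and():
        nonlocal pos
        value = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_or():
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            rhs = parse_and()
            value = value or rhs
        return value

    value = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in condition: {tokens[pos:]}")
    return value


def rule_matches(rule, event):
    """Evaluate every named selection, then combine them via the condition."""
    detection = rule["detection"]
    results = {name: selection_matches(event, sel)
               for name, sel in detection.items() if name != "condition"}
    return evaluate_condition(detection["condition"], results)


def matching_event_ids(rule, events):
    """Return the ECS event.id of every event the rule fires on."""
    return [get_field(e, "event.id") for e in events if rule_matches(rule, e)]


if __name__ == "__main__":
    print(matching_event_ids(SIGMA_RULE, EVENTS))
```

Because the selections are written in ECS paths, the same evaluator runs unchanged on any ECS-normalized source; the `filter` selection shows how an exclusion is expressed in the condition rather than by editing the primary selection.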
Faster investigation: use the assets created in SEKOIA.IO to enrich the events!
To make your investigations easier and more efficient, the new enrichment feature gives you more context in your events, drawn from the assets created in SEKOIA.IO.
Tags associated with known observables in the Intelligence Center will also be available to provide more information on different attributes for a better understanding of the event.
The Observables page is getting a makeover
Not only a new design, but also more features!
As you already know, observables complete your IoC-based investigation. We’ve linked the two! You can see which threats are related to an observable by viewing its relationships in the “Related Threats” tab.
To make it even easier to use them, you now have the option to:
- Filter observables by type, tag and source.
- Copy information related to observables such as ID or name in a single click.
- View or copy an observable's JSON representation more quickly.
- Find threats associated with observables through the “Related Threats” tab to be redirected to the Intelligence page for maximum context.
Export relationships in MITRE ATT&CK format
In addition to CSV and JSON Lines, you can now export relationships in MITRE ATT&CK format. You can select one or more object types, or export them all in the format you prefer.
We detect offensive security tools
Thanks to the new trackers and detection rules deployed this month, SEKOIA.IO has improved its system and network detection coverage of offensive tools such as Covenant, Koadic and Sliver.
Two FLINT reports have also been published detailing how Covenant and Sliver work, and how they are used by cybercriminals and APTs.
A continuous improvement of our CTI base
An update of our Hatching Triage playbook has allowed our analysts to add to our CTI platform database the hashes of the last 6 months and samples related to 35 malware and ransomware families.
This playbook is also run automatically on a daily basis to retrieve and integrate into SEKOIA.IO the hash and malware/ransomware configuration of the latest samples published on the Triage sandbox.
Read other blog posts:
- SIGMA, design and MITRE ATT&CK... new features of the XDR and CTI platform
- What is cyber threat intelligence (CTI)?
- Improving Threat Detection with Sigma Correlations
- Improving threat detection with Sigma correlation
- Detail of an alert, observable database, new exclusive source … the novelties of October 2021
- Threat Intelligence is not (only) on a spectrum