Sigma rules are an open specification for describing malicious or anomalous activity in logs. Tactical Defense Software uses these rules to alert your customers to possibly malicious or anomalous activity on a system.
Proprietary Rule Engine
Tactical Defense Software has created a proprietary rule engine that applies Sigma rules directly to logs as they are ingested. Unlike the standard approach of periodically polling a SIEM (such as Splunk or Elasticsearch) to see whether stored logs match a rule, Tactical Defense Software matches logs to rules in real time.
Updating Rules
New rules from the community repository are integrated into the system daily. New and updated rules are then back-tested against existing logs to look for matches. Any matches trigger the specified callback.
Callbacks
A webhook endpoint must be specified by the vendor to receive alerts when logs ingested into the system match a rule. When a rule matches, the endpoint is sent a POST request with the following payload:
{
"rule_uuid 1": [ "log_uuid 1", "log_uuid 2", ...],
"rule_uuid 2": [ "log_uuid 3", "log_uuid 4", ...],
...
}
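A minimal receiver for this callback, added here as an example and not Tactical Defense Software's own code: it refuses any body that is not a JSON object mapping rule uuids to non-empty lists of log uuids before anything downstream acts on it, and bounds the body size. The 1 MB cap, the listening address, and the sample uuids are assumptions; serve it with `HTTPServer(("127.0.0.1", 8080), AlertHandler).serve_forever()`.

```python
import json
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BODY = 1_000_000  # assumption: bound body size so a misbehaving sender cannot exhaust memory

class PayloadError(ValueError):
    """Webhook body does not match the documented {rule_uuid: [log_uuid, ...]} shape."""

def _as_uuid(value: object, what: str) -> str:
    """Accept only strings that parse as UUIDs; return the canonical lowercase form."""
    if not isinstance(value, str):
        raise PayloadError(f"{what} must be a string, got {type(value).__name__}")
    try:
        return str(uuid.UUID(value))
    except ValueError as exc:
        raise PayloadError(f"{what} {value!r} is not a valid uuid") from exc

def parse_alert_payload(body: bytes) -> dict[str, list[str]]:
    """Parse and validate a callback body; reject anything that is not uuid -> [uuid, ...]."""
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise PayloadError(f"body is not JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise PayloadError("top level must be a JSON object keyed by rule uuid")
    matches: dict[str, list[str]] = {}
    for rule_id, log_ids in data.items():
        if not isinstance(log_ids, list) or not log_ids:
            raise PayloadError(f"rule {rule_id!r} must map to a non-empty list of log uuids")
        matches[_as_uuid(rule_id, "rule uuid")] = [_as_uuid(x, "log uuid") for x in log_ids]
    return matches

class AlertHandler(BaseHTTPRequestHandler):
    """Webhook endpoint: 413 for oversized bodies, 400 for malformed ones, 204 on success."""
    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length") or 0)
        if length > MAX_BODY:
            self.send_error(413, "payload too large")
            return
        try:
            matches = parse_alert_payload(self.rfile.read(length))
        except PayloadError as exc:
            self.send_error(400, str(exc))
            return
        # matches is now validated and safe to hand to the alerting pipeline
        self.send_response(204)
        self.end_headers()

SAMPLE_BODY = json.dumps({"6f1c2a3e-9b8d-4c7e-a1f2-0d3e4b5c6a7f": [  # constructed placeholder ids
    "11111111-2222-4333-8444-555555555555", "66666666-7777-4888-9999-aaaaaaaaaaaa"]}).encode()
```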