
Sigma is an open, generic signature format for describing log events that indicate malicious or anomalous activity, with a large community-maintained rule set. Tactical Defense Software uses these rules to alert your customers to possibly malicious or anomalous activity on a system.

Proprietary Rule Engine

Tactical Defense Software has built a proprietary rule engine that applies Sigma rules directly to logs as they are ingested. The usual Sigma workflow converts each rule into a query for a SIEM such as Splunk or Elasticsearch and runs that query on a schedule, so a match is only seen at the next poll. Tactical Defense Software instead evaluates the rules against each log at ingestion time, so matches are detected in real time.

Updating Rules

New rules from the community repository are pulled into the system daily. New and updated rules are then back-tested against logs that have already been ingested, and any matches trigger the callback described below.
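The following is an added example, not Tactical Defense Software's engine or any code from the Sigma project, showing what "applying a rule to a log at ingestion time" and "back-testing rules against existing logs" come down to. It implements a small subset of the Sigma detection language (field equality, list values as OR, the `contains`/`startswith`/`endswith` modifiers, and `and`/`or`/`not` over named selections) and runs one constructed rule over a few constructed process-creation events. The rule, its UUID, and the events are all made up for illustration; the rule is written as a Python dict in the shape of a Sigma `detection` block rather than loaded from YAML. The result is shaped like the callback payload documented under Callbacks.

```python
"""Illustrative Sigma-style rule evaluation over ingested log events.

Added example, not vendor code. Supports a subset of Sigma: plain field
equality, list values (OR), the contains/startswith/endswith modifiers,
and and/or/not over named selections in the condition.
"""

# Constructed rule in the shape of a Sigma detection block (not a real
# community rule; the id is a made-up UUID).
RULE = {
    "id": "0d7e8f4c-6a2b-4b61-9e3e-1c2a0b9f5d10",
    "title": "Suspicious encoded PowerShell command line",
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["-enc ", "-EncodedCommand"],
        },
        "filter": {"ParentImage|endswith": "\\ConfigMgr.exe"},
        "condition": "selection and not filter",
    },
}

# Constructed log events; log_uuid stands for the ingestion id a callback reports.
EVENTS = [
    {"log_uuid": "a0f8a5e2-0000-4000-8000-000000000001",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"log_uuid": "a0f8a5e2-0000-4000-8000-000000000002",
     "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh.exe -EncodedCommand QQBCAEMA",
     "ParentImage": "C:\\Windows\\CCM\\ConfigMgr.exe"},   # excluded by the filter
    {"log_uuid": "a0f8a5e2-0000-4000-8000-000000000003",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\notes.txt",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]


def _value_matches(modifier: str, actual: object, wanted: str) -> bool:
    """Apply one modifier (or plain equality) to a single field value.
    Sigma string matching is case-insensitive, so compare lower-cased."""
    if actual is None:
        return False
    a, w = str(actual).lower(), wanted.lower()
    if modifier == "contains":
        return w in a
    if modifier == "startswith":
        return a.startswith(w)
    if modifier == "endswith":
        return a.endswith(w)
    return a == w


def selection_matches(selection: dict, event: dict) -> bool:
    """Every key in a selection must match (AND); a list value is an OR."""
    for key, wanted in selection.items():
        field, _, modifier = key.partition("|")
        values = wanted if isinstance(wanted, list) else [wanted]
        if not any(_value_matches(modifier, event.get(field), v) for v in values):
            return False
    return True


def match_rule(rule: dict, event: dict) -> bool:
    """Evaluate the rule's condition (not > and > or precedence) for one event."""
    detection = rule["detection"]
    tokens = detection["condition"].split()
    pos = 0

    def parse_or() -> bool:
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            rhs = parse_and()        # always consume the right side
            value = value or rhs
        return value

    def parse_and() -> bool:
        nonlocal pos
        value = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not() -> bool:
        nonlocal pos
        if tokens[pos] == "not":
            pos += 1
            return not parse_not()
        name = tokens[pos]
        pos += 1
        if name == "condition" or name not in detection:
            raise ValueError(f"unknown selection in condition: {name}")
        return selection_matches(detection[name], event)

    return parse_or()


def evaluate(rules: list, events: list) -> dict:
    """Run every rule over every event. Used both at ingestion (events is the
    new batch) and for back-testing (events is the stored history). Returns
    {rule_uuid: [log_uuid, ...]} for rules that matched at least one event."""
    hits = {}
    for rule in rules:
        matched = [e["log_uuid"] for e in events if match_rule(rule, e)]
        if matched:
            hits[rule["id"]] = matched
    return hits


if __name__ == "__main__":
    print(evaluate([RULE], EVENTS))
```

The first event matches (encoded PowerShell launched from cmd.exe), the second is suppressed by the `filter` selection because its parent is the assumed ConfigMgr process, and the third never satisfies `selection`. Real Sigma rules carry more modifiers (`re`, `base64offset`, `cidr`, wildcards) and a field-name mapping to the log source, which this example does not cover.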

Callbacks

The vendor must register a webhook endpoint to receive alerts. Whenever an ingested log matches a rule, the endpoint is sent a POST request with the following JSON payload, which maps the UUID of each matching rule to the UUIDs of the logs it matched:

{
  "rule_uuid 1": [ "log_uuid 1", "log_uuid 2", ...],
  "rule_uuid 2": [ "log_uuid 3", "log_uuid 4", ...],
  ...
}
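Below is an added example of a receiver for that callback, written for this page and not provided by Tactical Defense Software. The only thing it takes from the page is the payload shape (a JSON object mapping rule UUIDs to lists of log UUIDs). Everything else is an assumption: the page does not say how the POST is authenticated, so the `X-Signature` header, the HMAC-SHA256 shared-secret scheme, the secret value, and the listening port are placeholders for whatever you agree with the vendor. The parser rejects anything that is not the documented shape and drops duplicate log ids, so a re-delivered batch is processed once.

```python
"""Webhook receiver for the rule-match callback payload (added example).

Documented: the body is {rule_uuid: [log_uuid, ...], ...}.
Assumed (not from the page): X-Signature header carrying hex HMAC-SHA256 of
the raw body under a shared secret; port 8080.
"""
import hashlib
import hmac
import json
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Optional

SHARED_SECRET = b"replace-me"        # assumed; agree a real secret out of band
SIGNATURE_HEADER = "X-Signature"     # assumed header name

# Constructed sample body in the documented shape; the second log id is a
# deliberate duplicate to show de-duplication.
SAMPLE_BODY = json.dumps({
    "0d7e8f4c-6a2b-4b61-9e3e-1c2a0b9f5d10": [
        "a0f8a5e2-0000-4000-8000-000000000001",
        "a0f8a5e2-0000-4000-8000-000000000001",
    ]
}).encode()


def sign(body: bytes, secret: bytes) -> str:
    """Hex HMAC-SHA256 over the raw body (the assumed signing scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, header_value: Optional[str], secret: bytes) -> bool:
    """Constant-time comparison; a missing header is a failure, not a pass."""
    if not header_value:
        return False
    return hmac.compare_digest(sign(body, secret), header_value.strip().lower())


def parse_alert_payload(body: bytes) -> Dict[str, List[str]]:
    """Validate the documented shape and canonicalise the UUIDs.

    Raises ValueError unless the body is a JSON object whose keys are UUIDs
    and whose values are non-empty lists of UUID strings. Duplicate log ids
    within a rule are dropped, preserving first-seen order."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("payload must be a JSON object")
    alerts: Dict[str, List[str]] = {}
    for rule_id, log_ids in data.items():
        rule_key = str(uuid.UUID(rule_id))          # raises ValueError if malformed
        if not isinstance(log_ids, list) or not log_ids:
            raise ValueError(f"rule {rule_key}: expected a non-empty list of log ids")
        seen: Dict[str, None] = {}
        for log_id in log_ids:
            if not isinstance(log_id, str):
                raise ValueError(f"rule {rule_key}: log id is not a string")
            seen.setdefault(str(uuid.UUID(log_id)), None)
        alerts[rule_key] = list(seen)
    return alerts


class AlertHandler(BaseHTTPRequestHandler):
    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        if not verify_signature(body, self.headers.get(SIGNATURE_HEADER), SHARED_SECRET):
            self.send_error(401, "bad or missing signature")
            return
        try:
            alerts = parse_alert_payload(body)
        except ValueError as exc:
            self.send_error(400, str(exc))
            return
        for rule_id, log_ids in alerts.items():
            # Hand off to your own pipeline here (ticketing, SOAR, notification).
            print(f"rule {rule_id} matched {len(log_ids)} log(s): {log_ids}")
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), AlertHandler).serve_forever()
```

Run it and post `SAMPLE_BODY` with `X-Signature: <sign(SAMPLE_BODY, SHARED_SECRET)>` to see one alert for the rule with a single log id. Serve the endpoint over TLS and keep the handler fast (queue the work, return 204) so a burst of back-test matches after a daily rule update does not time out the vendor's delivery.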