A Sigma rules-based detection engine to block threats by identifying suspicious behavior.
Sigma’s rule-based Behavioral Engine enables analysts to set up and share rules describing techniques, tools, and procedures (TTPs), as well as attacker behaviors listed in cybersecurity frameworks such as MITRE ATT&CK.
Behavioral Engine detects:
The Sigma standard format rule-based Behavioral Engine identifies malicious programs and behaviors even if no signatures have been detected by the Signatures – YARA Engine, or no indicators of compromise by the IOC Engine.
This engine identifies variants of known viruses for which signatures or IOCs are unknown, or new viruses or programs that generate suspicious behavior.
The Sigma rules of the Behavioral Engine are developed, implemented, maintained, and enhanced over time by our Cyber Threat Intelligence (CTI) team, by operating system (OS) and by version.
This ongoing research and development contributes to the quality and value of the EDR, which offers full access to detection rules to enable analysts to identify the origin of alerts.
In addition, rules can be modified and enriched. Users can add rules from third-party sources, targeted to their own context or broader parameters to detect weak signals.
The Behavioral Engine takes events on workstations and servers as input and applies the Sigma rules developed by the CTI team to detect suspicious or malicious behavior, covering threats such as elevation-of-privilege techniques, data theft from browsers or processes, persistence, and more.
Sigma and YARA are rule formats for detecting threats – malicious behaviors and files (or binaries) respectively. What are the…
