Rules

[FrancescoFaenzi]

Where do I get the rules from, to avoid starting from scratch with my detection engineering? Is there a library I can start with: is Sigma ready to run for Marano? Is there something from marketplace like SOC Prime? I checked but seems not…
Asking the dev team and community to share their thoughts about this.
Thank you
Best

[shaeqahmed]

Currently Matano does not ship with managed detections / ingest configuration for common log sources, but this is on our roadmap and will be prioritized in a few releases.

Right now, you can follow the documentation to onboard a custom log source and write your first realtime detection using the Python detection-as-code format.

[FrancescoFaenzi]

Hello and first of all thank you for the kind answer.
I understand and I've definitely read how to write detections.
Trying to better explain my point: IMO it would be super to have a detection engine in Matano able to reuse the SIGMA detection library (https://github.com/SigmaHQ/sigma). Sigma rules already support lots of targets: https://github.com/SigmaHQ/sigma#supported-targets.
Similarly it would be super to have a detection engine supporting one of the SOC Prime formats: you can have a look here https://uncoder.io/ or here https://socprime.com/partners/.
This would speed up the detection engineering work and IMO the adoption of Matano as a framework. My 2 cents!

[Samrose-Ahmed]

Thanks for the info+links, this is very interesting. Let us do some more research and see how to best fit this in.

[Samrose-Ahmed]

We just added a Matano backend for Sigma. This allows users to convert Sigma rules into Matano detections. Check out the docs here: https://www.matano.dev/docs/detections/importing-from-sigma-rules

We will also work on integrating it into the sigma cli (pending upstream change) and add more Sigma pipelines.