This functionality is available on computers running Windows 7 or later or Windows Server 2008 R2 or later, if there is an active Kaspersky Industrial CyberSecurity for Nodes license key with the EDR Optimum and ICS Telemetry licensed objects.
For anomaly detection using Sigma rules, you must enable the following components: Real-Time File Protection, Exploit Prevention, Remediation Engine.
Sigma is a format for describing anomaly detection rules that Kaspersky Industrial CyberSecurity for Nodes uses to analyze data from internal events and event logs. Rules written in Sigma format are called Sigma rules. Each Sigma rule is stored in a separate YAML file.
Sigma rules are written in YAML and have a unified structure. This unified structure lets purpose-built converters translate Sigma rules into the rule syntax of various SIEM systems.
The table contains basic information about the attributes and sections of a Sigma rule, which are interpreted by Kaspersky Industrial CyberSecurity for Nodes. For more detailed information, follow this link.
Attribute values are case-sensitive. For example, Kaspersky Industrial CyberSecurity for Nodes treats the names of the executable files AnyDesk.exe and anyDesk.exe as different.
Sigma rule structure

| Attribute / Section | Required | Description |
|---|---|---|
| `title` | Yes | The rule name, which indicates what the rule detects. The maximum length is 256 characters. For example, `Downloading files using CertUtil.exe` in the rule below. |
| `id` | No | The rule's globally unique identifier. For example, `89346938-3b2f-46c7-bb38-b9f244e3fad0` in the rule below. |
| `status` | No | Rule status. The rule below uses `test`. |
| `description` | No | A description of the rule and the malicious activity it can detect. The maximum length is 65,535 characters. For example, `Detects file downloads using CertUtil.exe.` in the rule below. |
| `license` | No | License ID according to the SPDX ID specification. The rule is published under the terms of the specified license. |
| `author` | No | Any specifier that identifies the author of the rule, for example a first and last name, a nickname, or a social network ID. |
| `references` | No | Link to the source the rule was taken from, for example a blog article or white paper. |
| `date` | No | Date when the rule was created, in YYYY/MM/DD format. |
| `modified` | No | Date in YYYY/MM/DD format when one of a defined set of rule attributes was last changed. |
| `tags` | No | Tag for categorizing the rule. Read more at this link. |
| `logsource` | Yes | In this section, you define the source of the events in which the application searches for anomalies. The main attributes of this section are `category`, `product`, and `service`, described in the rows below. Read more at this link. |
| `logsource: category` | No | Defines the category of products whose event logs the application searches for anomalies. For example: firewall, internet, anti-virus, or generic. |
| `logsource: product` | No | Defines the software product or operating system whose event logs the application searches for anomalies. For example, `windows` in the rule below. |
| `logsource: service` | No | Defines a service whose event logs the application searches for anomalies. |
| `logsource: definition` | No | Description of the specifics of the event log source that the application searches for anomalies. |
| `detection` | Yes | This section contains one or more criteria for searching for anomalies in event logs and a rule triggering condition. Lists, dictionaries, or a combination of them can be used as search criteria. Kaspersky Industrial CyberSecurity for Nodes does not support the |
| `detection`: list | No | A list of values of any event log parameter, combined by a logical OR. |
| `detection`: dictionary | No | Event log parameter/value pairs, combined by a logical AND. For example, a dictionary with the EventLog and Event ID parameters results in a search for matches of EventLog='Security' AND Event ID=517. |
| `detection`: combination of list and dictionary | No | A list consisting of event log parameter values and dictionaries. For example, such a combination results in a search for matches of EventLog='Security' AND (Event ID=517 OR Event ID=1102). |
| `condition` | Yes | Rule triggering condition. For example, `all of selection_*` in the rule below. |
| `fields` | No | Lines from the event log that may be of interest to an analyst for subsequent analysis of the event. |
| `falsepositives` | No | List of known scenarios that may incorrectly trigger the rule. For example, `Legitimate actions of the system administrator.` in the rule below. |
| `level` | No | An indicator of the severity of the anomalies that can be found using the rule. The rule below uses `low`. |
Example of a Sigma rule:

```yaml
title: Downloading files using CertUtil.exe
id: 89346938-3b2f-46c7-bb38-b9f244e3fad0
status: test
description: Detects file downloads using CertUtil.exe.
references:
  - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
author: Kaspersky
date: 2024-05-22
tags:
  - attack.defense_evasion
  - attack.t1027
logsource:
  category: process_creation
  product: windows
detection:
  selection_image:
    - Image|endswith: '\certutil.exe'
    - OriginalFileName: 'CertUtil.exe'
  selection_http:
    CommandLine|contains: 'http'
  condition: all of selection_*
falsepositives:
  - Legitimate actions of the system administrator.
level: low
```
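The following is an added example, not code from Kaspersky's documentation or product, showing how the `detection` semantics described in the table (dictionary = AND, value list = OR, list of dictionaries = OR, `|contains` and `|endswith` modifiers, case-sensitive comparison) and the `condition` expression combine to evaluate the CertUtil rule above against sample events. The rule is embedded as a Python dictionary that mirrors the YAML; the events, the `example.invalid` hostname, and the second rule (a dictionary with a value list, matching the table's EventLog='Security' AND (Event ID=517 OR Event ID=1102) example) are constructed. The matching semantics follow the public Sigma specification and are an assumption about how the product interprets them; the condition grammar supported is a small subset (and/or/not, parentheses, `all of`/`1 of`/`any of`).

```python
# Added example, not Kaspersky code; semantics per the public Sigma spec (see lead-in).
import fnmatch
import re

CERTUTIL_RULE = {  # mirrors the YAML rule on this page
    "title": "Downloading files using CertUtil.exe",
    "detection": {
        "selection_image": [{"Image|endswith": "\\certutil.exe"},
                            {"OriginalFileName": "CertUtil.exe"}],
        "selection_http": {"CommandLine|contains": "http"},
        "condition": "all of selection_*",
    },
}
# Constructed rule: dictionary with a value list, i.e.
# EventLog='Security' AND (Event ID=517 OR Event ID=1102)
SECURITY_LOG_RULE = {"detection": {"selection": {"EventLog": "Security", "EventID": [517, 1102]},
                                   "condition": "selection"}}

def _match_value(actual, expected, modifiers):
    if actual is None:                        # field absent from the event: no match
        return False
    actual, expected = str(actual), str(expected)
    if "contains" in modifiers:
        return expected in actual
    if "endswith" in modifiers:
        return actual.endswith(expected)
    return actual == expected                 # case-sensitive: AnyDesk.exe != anyDesk.exe

def _match_dict(event, mapping):
    """Dictionary: every field/value pair must hold (AND); a value list is an OR."""
    for key, expected in mapping.items():
        field, *modifiers = key.split("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event.get(field), v, modifiers) for v in values):
            return False
    return True

def match_selection(event, selection):
    """List: any item may match (OR); dict items are ANDed, scalars are keywords."""
    if isinstance(selection, dict):
        return _match_dict(event, selection)
    return any(_match_dict(event, item) if isinstance(item, dict)
               else any(str(item) in str(v) for v in event.values())
               for item in selection)

def evaluate_condition(condition, results):
    """and / or / not, parentheses, 'all of X*', '1 of X*', 'any of them'."""
    tokens = re.findall(r"\(|\)|[^\s()]+", condition)
    pos = [0]                                 # cursor shared by the nested parsers

    def take():
        pos[0] += 1
        return tokens[pos[0] - 1]

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None

    def binary(level):                        # level 0: 'or' of terms, level 1: 'and' of factors
        if level == 2:
            return factor()
        op, value = ("or", "and")[level], binary(level + 1)
        while peek() == op:
            take()
            rhs = binary(level + 1)           # always consumed, no short-circuit
            value = (value or rhs) if op == "or" else (value and rhs)
        return value

    def factor():
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            value = binary(0)
            take()                            # consume the closing ')'
            return value
        if tok in ("all", "1", "any") and peek() == "of":
            take()
            pattern = take()
            hits = [results[n] for n in results
                    if pattern == "them" or fnmatch.fnmatchcase(n, pattern)]
            return all(hits) if tok == "all" else any(hits)
        return results[tok]                   # KeyError for an unknown selection name

    return binary(0)

def rule_matches(rule, event):
    detection = rule["detection"]
    results = {name: match_selection(event, sel)
               for name, sel in detection.items() if name != "condition"}
    return evaluate_condition(detection["condition"], results)

# Constructed sample events (not real telemetry).
PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil.exe http://example.invalid/file.txt"},          # match
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\image.iso SHA256"},            # no 'http'
    {"Image": r"C:\Windows\System32\CertUtil.exe",                             # case differs
     "CommandLine": "CertUtil.exe http://example.invalid/file.txt"},          # and no OriginalFileName
    {"Image": r"C:\Tools\renamed.exe", "OriginalFileName": "CertUtil.exe",    # renamed binary
     "CommandLine": "renamed.exe http://example.invalid/file.txt"},
]
SECURITY_EVENTS = [{"EventLog": "Security", "EventID": 1102},
                   {"EventLog": "Security", "EventID": 4624}, {"EventLog": "System", "EventID": 517}]
```

Running `rule_matches(CERTUTIL_RULE, e)` over `PROCESS_EVENTS` gives `[True, False, False, True]`: the third event fails only because `CertUtil.exe` in the image path does not match `\certutil.exe` case-sensitively and the event carries no `OriginalFileName`, which is exactly the behaviour the note on case-sensitive attribute values above describes. The fourth event shows why the rule lists `OriginalFileName` as an alternative: a renamed copy of the binary is still caught.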
A collection of Sigma rules is a set of Sigma rules that define similar events.
Kaspersky Industrial CyberSecurity for Nodes analyzes data from internal events and event logs to find anomalies using collections of Kaspersky-supplied Sigma rules and the application databases, and using collections of Sigma rules created by the user.
When some Sigma rules are used, the application may change the security audit policy of the protected computer (part of the local Windows security policy).