Source material for writing SIEM, IPS, IDS and other device rules

admar

Well-known member
Jan 18, 2022
Hi buddies / mates,

In recent times cybersecurity companies have been recruiting people with domain knowledge and skills in writing rules for SIEMs, IDSs, IPSs and other devices. Writing these rules, on the one hand, helps to avoid false positives and to read log messages well, so as to better understand events on the network, and, on the other hand, helps to comply with corporate internal policies.
To further emphasize, I believe it is a new skill for Cyber Security Analysts (Blue Team).

I believe that CompTIA could focus on this in their certifications such as A+, Net+, Sec+, CySA+ and Data+.

Are there any sources of information, training or guides that would help an analyst to have the skill to write rules on security devices?
 
I would say some of that is a bit more than what would be called for on an exam. CompTIA, historically, does not go into how you do something with a particular product, so if you're using SIEMs like SolarWinds and Splunk, they are going to be pretty specific. So writing rules for these systems is going to be germane to those systems, not common to both. Same situation with IDS/IPS systems. CySA certainly never went that deep. You just needed to know what a SIEM was, who the major players were, why you'd put one in place, and so forth.

Knowing the difference between IPS and IDS systems is a common distinction where CompTIA likes to stick questions. But the contrasts between various IPS/IDS solutions start wading into that vendor-specific pool a bit too much.

So to answer your question, I would have to say your best bet is to read the product documentation for the most popular ones. Much of that is freely available. Watching videos and studying that would help. However, without the software handy, the learning is very much academic in nature.

/r
I do agree with Rick that going into vendor-specific details gets messy pretty quickly, and furthermore exam candidates would have to memorise tons of vendor-specific information which may be irrelevant for the job. I have been suffering from this with the Certified Network Defender and I am grateful that CompTIA stays away from that. Please keep it that way.

However, the point @admar makes is valid: we are looking at (generic) firewall rules in some certs, so we could and maybe should do the same thing for SIEM rule writing. There is a vendor-agnostic, open-source language called Sigma for doing so, which might be a good candidate for inclusion in the next revision. Have a look at the project website and the YouTube video there: https://github.com/SigmaHQ/sigma.

Cheers,

Andreas
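To show what the vendor-agnostic rule writing discussed in this thread looks like in practice, here is an added example (not code from the thread or from the SigmaHQ project): a Sigma-style rule with a `selection` and a tuning `filter`, evaluated by a small matcher over constructed process-creation events. The matcher implements only a subset of Sigma (exact, `|contains` and `|endswith` modifiers and the `selection and not filter` condition); the updater path in the filter and the events are hypothetical.

```python
from typing import Any, Dict, List
# Same layout as a Sigma YAML rule (title / logsource / detection), as a dict to avoid a YAML dependency.
RULE: Dict[str, Any] = {
    "title": "PowerShell launched with an encoded command (constructed example)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": "-enc",
        },
        # tuning block: a hypothetical approved updater that legitimately launches encoded PowerShell
        "filter": {"ParentImage|endswith": "\\patch-agent.exe"},
        "condition": "selection and not filter",
    },
}

def field_matches(event: Dict[str, Any], key: str, expected: str) -> bool:
    """Apply one Sigma field modifier; Sigma string matching is case-insensitive."""
    name, _, modifier = key.partition("|")
    value, want = str(event.get(name, "")).lower(), str(expected).lower()
    if modifier == "contains":
        return want in value
    if modifier == "endswith":
        return value.endswith(want)
    return value == want  # no modifier: exact match

def block_matches(event: Dict[str, Any], block: Dict[str, str]) -> bool:
    return all(field_matches(event, k, v) for k, v in block.items())  # map = AND of its fields

def evaluate(rule: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Only the common 'selection and not filter' condition form is handled here."""
    det = rule["detection"]
    if det["condition"] != "selection and not filter":
        raise ValueError("unsupported condition")
    return block_matches(event, det["selection"]) and not block_matches(event, det["filter"])

# Constructed process-creation events, not real telemetry.
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -Enc <base64-placeholder>",
     "ParentImage": r"C:\Windows\explorer.exe"},                      # should alert
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Enc <base64-placeholder>",
     "ParentImage": r"C:\Program Files\Vendor\patch-agent.exe"},      # tuned out by the filter
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir",
     "ParentImage": r"C:\Windows\explorer.exe"},                      # no match
]

def alerts(rule: Dict[str, Any], events: List[Dict[str, str]]) -> List[int]:
    return [i for i, e in enumerate(events) if evaluate(rule, e)]  # indexes the rule fires on
```

The second event shows the false-positive tuning the opening post refers to: the same command line is suppressed only when its parent is the approved updater, so the rule stays narrow without being silenced.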