Sources Material for write SIEM, IPS, IDS and others devices Rules

Jump to latest Follow Reply
admar

admar

Well-known member
Jan 18, 2022
168
140
12,050
Luanda
#1
Hi buddy / mates

In recent times cybersecurity companies are recruiting people with domain and skills in writing rules for SIEMs, IDS, IPS and others. The writing of these rules, on the one hand, helps to avoid false positives, good reading of log messages to better understand events on the network and, on the other hand, to comply with corporate internal policies.
To further emphasize, I believe it is a new skill for Cyber Security Analyst (BlueTeam).

I believe that compTIA could focus on this in their certifications such as: A+, Net+, Sec+, CySA+, Data+

Are there any sources of information, training or guides that would help an analyst to have the skill to write rules on security devices?
 
  • Like
Reactions: Ramaguru Radhakrishnan and Fanuel
#3
I would say some of that is a bit more than what would be called for on an exam. CompTIA, historically, does not go into how you do something with a particular product, so if you're using SIEMs like SolarWinds and Splunk are going to be pretty specific. So writing rules for these systems are going to be germane to those systems, not common between both. Same situation with IDS/IPS systems. CySA certainly never didn't go that deep. Just needed to know what a SIEM was, who were the major players, why I'd put one in place, and so forth.

Knowing the difference between IPS and IDS systems is a common distinction where CompTIA likes to stick questions. But the contrasts between various IPS/IDS solutions start wading into that vendor-specific pool a bit too much.

So to answer your question, I would have to say your best bet is to read the product documentation for the most popular ones. Much of that is freely available. Watching videos and studying that would help. However, without the software handy, the learning is very much academic in nature.

/r
 
  • Like
Reactions: admar
#6
Rick Butler said:
I would say some of that is a bit more than what would be called for on an exam. CompTIA, historically, does not go into how you do something with a particular product, so if you're using SIEMs like SolarWinds and Splunk are going to be pretty specific. So writing rules for these systems are going to be germane to those systems, not common between both. Same situation with IDS/IPS systems. CySA certainly never didn't go that deep. Just needed to know what a SIEM was, who were the major players, why I'd put one in place, and so forth.

Knowing the difference between IPS and IDS systems is a common distinction where CompTIA likes to stick questions. But the contrasts between various IPS/IDS solutions start wading into that vendor-specific pool a bit too much.

So to answer your question, I would have to say your best bet is to read the product documentation for the most popular ones. Much of that is freely available. Watching videos and studying that would help. However, without the software handy, the learning is very much academic in nature.

/r
Click to expand...
I do agree with Rick that doing into vendor specific details gets messy pretty quickly and furthermore exam candidates would have to memorise tons of vendor specific information which may be irrelevant for the job. I have been suffering from this with the Certified Network Defender and I am grateful that CompTIA stays away from that. Please keep it that way.

However, the point @admar makes is valid: We are looking at (generic) firewall rules in some certs, we could and maybe should do the same thing for SIEM rule writing. There is a vendor agnostic, open source language called Sigma for doing so which might be a good candidate for inclusion in the next revision. Have a look at the project website and the Youtube video there: https://github.com/SigmaHQ/sigma .

Cheers,

Andreas
 
You must log in or register to reply here.
Top Bottom
Back
Jump to latest Follow Reply
Jump to latest Follow Reply
Home
Media
Resources
Menu