Sigma Rules Bot for Threat Bounty 

November 30, 2022 · 7 min read
Sigma Rules Bot for Threat Bounty: Step-by-Step Guidelines

How to Create, Test & Have Your Sigma Rules Published to SOC Prime's Platform via Slack

SOC Prime has recently announced the launch of Sigma Rules Bot for Threat Bounty, which is now available in the Slack App Directory. Using the app, both new and seasoned threat researchers who contribute to the SOC Prime Threat Bounty Program can create new Sigma rules, test and verify them, and get them published to the SOC Prime Platform directly in Slack. The Sigma Rules Bot makes Sigma rule submission simpler and faster for Threat Bounty Program members, providing on-the-fly code validation with automated checks and instant feedback from the SOC Prime content experts.


App Installation

You can install Sigma Rules Bot for Threat Bounty right from the Threat Bounty Program webpage:

  1. Go to https://my.socprime.com/tdm-developers/.
  2. Scroll to the Sigma Rules Bot section.
  3. Click the Add to Slack button.

Note: Installation of new Slack applications may be limited by your Slack workspace settings. If so, contact the Administrator of your Slack workspace.

Getting Started

To get started, you need to authenticate. Enter the token provided by the SOC Prime representative in the authentication form. Tokens are provided upon request to verified members of the Threat Bounty Program who have an active account at the Threat Bounty Developer Portal. If you don't have a registered Threat Bounty Program account, you will need to sign up to be able to receive the authentication token. To learn more about the membership acceptance criteria and the process in detail, please refer to the First Steps to Monetizing Your Detection Engineering Skills.

Sigma Rules Bot for Threat Bounty token

Creating & Managing Your Sigma Rules

Leveraging Sigma Rules Bot for Threat Bounty, detection content authors can:

  • Create Sigma rules directly in Slack. Threat Bounty Program developers can create Sigma rules from scratch directly in Sigma Rules Bot in Slack or copy and paste the existing rule code from the text or code editors.
  • Improve your rules based on smart suggestions of the automated built-in Sigma checks. While creating your rules, you can get them checked for syntax errors, common mistakes, and plagiarism if the code has potential similarities with the already existing Sigma rules. The check returns errors or warnings, prompting the author to improve their code to ensure detection content quality.
  • Submit your Sigma rules for review by SOC Prime Team. Before publication to the SOC Prime Platform, all detection content submitted via the Threat Bounty Program undergoes verification and validation by SOC Prime detection content experts. If the rule needs more improvements, the SOC Prime representatives will contact the content author to discuss the suggested updates.
  • Discuss possible improvements to your Sigma rule submitted for review by the SOC Prime Team representative in a dedicated thread. Now, while reviewing the submitted Sigma rules, the SOC Prime content expert may initiate a chat with the developer linked to the rule to discuss possible improvements to the rule code. The content author can communicate with the SOC Prime representative in the open thread chat until SOC Prime closes the conversation. When the conversation is closed, the developer's messages are no longer delivered to the SOC Prime content expert.
  • Add updates to your Sigma rules already published to SOC Prime's Detection as Code platform. Content authors can also keep their earlier published detections up to date by adding relevant updates to the detection code or linked metadata.

Create Sigma Rules

  1. Select the Sigma Type.
  2. Insert the Sigma rule code in the YAML format.

Note: When creating a Sigma rule, please remember that your detection should be in a valid YAML format. Make sure to use valid indentation and the accepted special characters.

  3. To check the Sigma rule code for syntax errors, common mistakes, and plagiarism issues, click the Scan button.
  4. If the built-in check finds any errors or warnings in the Sigma rule code, you will see a detailed message with the corresponding issue description.
  5. Make improvements to the rule code, insert the updated version into the Input sigma field, and click the Test and Save button.
  6. You can further click the Scan button to perform another automated check.
  7. To run a final code check and submit the rule for review by the SOC Prime Team representative, click the Scan and Send for Review button.

Create a new rule via Sigma Rules Bot for Threat Bounty

You can also apply the /Create Rule shortcut to streamline operations with the app.

Edit Sigma Rules

To find the existing Sigma rule code you want to update:

  1. Enter the rule case name in the corresponding field.
  2. Enter the rule case ID.
  3. Click Submit.

You can also apply the /Edit Rule shortcut to streamline operations with the app.

View the List of Your Sigma Rules

To view the entire list of your Sigma rules, regardless of their status (including published ones, rules on review, and drafts), select the My Rules button from the Home tab of Sigma Rules Bot for Threat Bounty in your Slack workspace.

View the list of your detections via Sigma Rules Bot for Threat Bounty

Alternatively, you can apply the /Search shortcut to streamline operations with the app.

Using Global Built-in Shortcuts

Global shortcuts allow performing certain actions with Sigma Rules Bot for Threat Bounty by simply sending a message in Slack. 

  1. Type a / forward slash in any conversation to view the list of available slash commands.
  2. Select Sigma Rules Bot for Threat Bounty from the list of options.
  3. Select the corresponding shortcut option matching the operation you need to perform.

Available shortcuts:

  • /Start: to authenticate with Sigma Rules Bot for Threat Bounty
  • /Create Rule: to create a new Sigma rule
  • /Search: to find your previously published Sigma rules
  • /Edit Rule: to edit your previously published Sigma rules

SOC Prime Content Review

All Sigma rules published to the SOC Prime Platform via Threat Bounty Program undergo validation by SOC Prime content experts. If the rule quality doesn’t meet the acceptance criteria, it is returned to the author for improvement before the next iteration of the review. To ensure your Sigma rule is good enough for publication to the SOC Prime Platform, please refer to the Threat Bounty Program Terms and submit content which should be:

  • Your original work
  • NOT previously published on open-source repositories (e.g., GitHub) or other resources including SOC Prime
  • Fully operative, including correct detection logic, proper syntax, relevant description, etc.
  • Include relevant MITRE ATT&CK tagging and have references to open-source information related to the detected activity
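
A local pre-submission check for the YAML validity note and the tagging and reference criteria above, as an added example that is not SOC Prime's code and does not reproduce the bot's built-in checks. It assumes PyYAML is installed; the sample rule and the `lint_sigma` helper are constructed for illustration.

```python
import re
import yaml  # PyYAML (third-party); assumed to be installed

# Constructed sample rule for illustration only, not a published detection.
SAMPLE_RULE = r"""title: Certutil Download From Remote URL
description: Detects certutil.exe invoked with the urlcache option to fetch a remote file.
references:
    - https://attack.mitre.org/techniques/T1105/
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\certutil.exe'
        CommandLine|contains: 'urlcache'
    condition: selection
level: medium
"""
# Accepts tactic tags (attack.command_and_control) and technique ids (attack.t1105, attack.t1059.001).
ATTACK_TAG = re.compile(r"^attack\.(t\d{4}(\.\d{3})?|[a-z_-]+)$")

def lint_sigma(text):
    """Return a list of problems; an empty list means the rule passed these checks."""
    try:
        rule = yaml.safe_load(text)  # safe_load never constructs arbitrary objects
    except yaml.YAMLError as exc:    # tabs, bad indentation, unbalanced quotes
        return [f"invalid YAML: {exc.__class__.__name__}"]
    if not isinstance(rule, dict):
        return ["rule must be a YAML mapping"]
    problems = []
    for key in ("title", "description", "logsource", "detection"):
        if not rule.get(key):
            problems.append(f"missing field: {key}")
    detection = rule.get("detection")
    if isinstance(detection, dict) and "condition" not in detection:
        problems.append("detection has no condition")
    tags = rule.get("tags") or []
    if not any(isinstance(t, str) and ATTACK_TAG.match(t) for t in tags):
        problems.append("no MITRE ATT&CK tag (attack.*)")
    if not rule.get("references"):
        problems.append("no references")
    return problems
```

Running `lint_sigma` on a draft before pasting it into the Input sigma field catches indentation and missing-field problems early; originality and detection-logic quality still depend on the bot's scan and the SOC Prime review.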

Needless to say, content suggested for publication and monetization on the SOC Prime Platform should be based on generic sources and must not violate any intellectual property rights of any third party.

Threat Bounty Program members monetize their Detection Engineering skills with SOC Prime by publishing detections that earn them cash throughout the rule lifetime value. Participation in the Threat Bounty Program is also a brilliant opportunity to master professional skills and enable acquired Sigma and ATT&CK expertise and practical experience to translate into a real CV. With expert feedback from SOC Prime, content developers can add the most professional demonstration of their Detection Engineering skills to their CV and gain professional recognition among industry peers. 

Eager to make your contribution to collective cyber defense and have your content published to be used by 8k+ organizations worldwide, including companies from Fortune 100, Global 500, and Global 2000? Tap into the SOC Prime Threat Bounty Program to share your own Sigma rules with the global cyber defender community, monetize your input, and boost your professional reputation.
