Event Correlation using sigma rules

[Sheharyar-Khalid]

Hi,
I am new to sigma and wasn't able to find a lot of documentation for event correlation using sigma rules.
For example
I want to catch the occurrence of two events together, say something like python program spawned chrome program: python-> chrome.

Is this something that can be done via a single rule in the sigma syntax or do we need to chain up rules to this?
Any leads/direction is appreciated!

Thanks,
Sheharyar

[nasbench]

Hi,

If you're looking for a program spawning another program. This can be achieved via a simple SIGMA rule using 2 fields. Image and ParentImage. An example in SIGMA would be:

detection:
   selection:
      ParentImage|endswith: '\python.exe'
      Image|endswith: '\chrome.exe'

If you want to chain the result of 2 alerts then you would require correlation.

You could check the SIGMA specification for the deprecated correlation syntax here.

You could also check some example rules in the repo here

Hope this answers your question.