Welcome to the DRONE Release Notes blog post series.
Sigma Linux Support - run Sigma rules live on a Linux machine
Events Log Search with Sigma - search system logs and execute Sigma rules
Sigma Linux Support
Running Sigma rules on a live machine is one of the key benefits of DRONE, and it is now supported on Linux machines as well. Staying up to date with the latest public Sigma repositories is easy with the Sigma public repository synchronization feature. When new rules are published, there is no need to add them manually: run the sync feature and DRONE picks them up automatically.
To sync with publicly available Sigma rules and the ones provided in your config file run this command: ./drone --sync-sigma
All Sigma rules from the SigmaHQ repository then become available in DRONE automatically, ready to run on a live machine.
How to run SIGMA rules in DRONE?
Simple. Run DRONE from the command line with the following arguments:
./drone -n -a sla
Events Log Search with Sigma
This analyzer searches the Sysmon and Auditd logs collected on the running Linux OS and executes Sigma rules on them. This gives you wide insight into your network, so that even a small trace of malicious activity can be surfaced.
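To show what "executing a Sigma rule on Auditd logs" means in practice, here is an added Python example that is not DRONE's code: it parses a few constructed auditd records and evaluates a hypothetical Sigma-style rule (a selection plus a filter, joined by the condition "selection and not filter") against them, honouring the |endswith modifier and list-as-OR semantics. The rule, the log lines and the field names used are assumptions made for this example.

```python
import re
from typing import Dict, List
# Constructed auditd records (sample data for this example, not from a real host).
AUDITD_LINES = [
    'type=SYSCALL msg=audit(1700000000.123:101): arch=c000003e syscall=59 success=yes '
    'exit=0 comm="bash" exe="/usr/bin/bash" uid=1000',
    'type=EXECVE msg=audit(1700000000.123:101): argc=3 a0="curl" a1="-o" a2="/tmp/x"',
    'type=SYSCALL msg=audit(1700000000.456:102): arch=c000003e syscall=59 success=yes '
    'exit=0 comm="curl" exe="/usr/bin/curl" uid=1000',
    'type=SYSCALL msg=audit(1700000001.000:104): arch=c000003e syscall=59 success=yes '
    'exit=0 comm="wget" exe="/usr/bin/wget" uid=0',
]
# Hypothetical Sigma rule as the dict a YAML loader would return; field names are
# auditd's own key=value names, which is how rules for logsource auditd address them.
RULE = {
    "title": "Download utility executed by a non-root user (constructed example)",
    "logsource": {"product": "linux", "service": "auditd"},
    "detection": {
        "selection": {"type": "SYSCALL", "syscall": "59", "exe|endswith": ["/curl", "/wget"]},
        "filter": {"uid": "0"},
        "condition": "selection and not filter",  # the only condition shape handled here
    },
}
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_ID = re.compile(r"audit\(\d+\.\d+:(\d+)\)")

def parse_audit(line: str) -> Dict[str, str]:
    """Split one auditd record into fields; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def field_matches(event: Dict[str, str], key: str, expected) -> bool:
    """One Sigma field: a list of values is an OR; |endswith and |contains are modifiers."""
    name, _, modifier = key.partition("|")
    value = event.get(name, "")  # a missing field never matches a non-empty value
    tests = {"": value.__eq__, "endswith": value.endswith, "contains": value.__contains__}
    return any(tests[modifier](str(w)) for w in (expected if isinstance(expected, list) else [expected]))

def selection_matches(event: Dict[str, str], selection: Dict) -> bool:
    """Every field in a Sigma selection map must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())

def run_rule(rule: Dict, lines: List[str]) -> List[int]:
    """Return the audit event ids that satisfy 'selection and not filter'."""
    det, hits = rule["detection"], []
    for line in lines:
        event = parse_audit(line)
        if selection_matches(event, det["selection"]) and not selection_matches(event, det.get("filter", {})):
            hits.append(int(EVENT_ID.search(line).group(1)))
    return hits
```

Only the execve by the non-root user (event 102) is reported: the bash process fails the exe test, the EXECVE record fails the type test, and the root wget run is removed by the filter.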