Sigma rules

Sigma rules management.

Nybble Control Stream

A "Control Stream" is used to broadcast Sigma rules to all Nybble nodes:

  1. The Source operator retrieves every YAML-formatted Sigma rule (.yml extension) that has been copied into the configured Sigma rules folder. At this point a mapping file is automatically created for each rule.

  2. The Process operator transforms every rule received from the Source operator, renaming its fields according to the rule's associated mapping file.

  3. The transformed rules are broadcast to the Nybble nodes, where they are matched against incoming events.

A rule is automatically re-broadcast after each modification of the Sigma rule file (.yml extension) or of its associated mapping file (.json extension).
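The three steps above, worked through as an added Python example. This is not Nybble's own code and it does not use Nybble's API: it reproduces the Source and Process operator behaviour on a constructed Sigma rule so the effect of the mapping file is visible. Two things are assumptions, because the page does not document them: the mapping file layout (a flat JSON object of Sigma field name to event field name) and its location (next to the rule, same basename, .json extension). The rule is embedded as an already-parsed dict so the example runs without a YAML library; Sigma field modifiers (the part after "|", such as "CommandLine|contains|all") are kept while the field name in front of them is renamed, and unmapped_fields() reports fields the mapping does not cover, which would otherwise keep their Sigma name and silently never match.

```python
import json
import os
import tempfile
from typing import Any, Dict, List

# Constructed sample: the parsed form of a Sigma rule. A real rule file is YAML;
# the dict is embedded here so the example runs without a YAML parser.
SAMPLE_RULE: Dict[str, Any] = {
    "title": "certutil download (constructed sample)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\certutil.exe",
            "CommandLine|contains|all": ["-urlcache", "http"],
        },
        "filter": [
            {"ParentImage|endswith": "\\msiexec.exe"},
        ],
        "keywords": ["suspicious_keyword"],  # a keyword list has no field names
        "condition": "selection and not filter",
    },
}

# Constructed sample mapping: Sigma field name -> field name in Nybble events.
# ASSUMPTION: the page does not document the mapping file layout; a flat
# {"sigma_field": "event_field"} JSON object is assumed for this example.
SAMPLE_MAPPING: Dict[str, str] = {
    "Image": "process.executable",
    "CommandLine": "process.command_line",
    "ParentImage": "process.parent.executable",
}


def sigma_fields(detection: Dict[str, Any]) -> List[str]:
    """Distinct field names used by a detection block, in order of appearance.
    Only the part of a key before the first '|' is the field; the rest are modifiers."""
    found: List[str] = []

    def visit(item: Any) -> None:
        if isinstance(item, dict):
            for key in item:
                field = key.partition("|")[0]
                if field not in found:
                    found.append(field)
        elif isinstance(item, list):
            for element in item:
                visit(element)
        # plain strings (keyword lists) carry no field name

    for name, body in detection.items():
        if name != "condition":
            visit(body)
    return found


def rename_field(key: str, mapping: Dict[str, str]) -> str:
    """Map the field part of a Sigma key, keeping its modifiers untouched."""
    field, sep, modifiers = key.partition("|")
    return mapping.get(field, field) + sep + modifiers


def _transform(item: Any, mapping: Dict[str, str]) -> Any:
    if isinstance(item, dict):
        return {rename_field(k, mapping): v for k, v in item.items()}
    if isinstance(item, list):
        return [_transform(element, mapping) for element in item]
    return item


def transform_rule(rule: Dict[str, Any], mapping: Dict[str, str]) -> Dict[str, Any]:
    """Process-operator analogue: a copy of the rule with event field names."""
    detection = {
        name: (body if name == "condition" else _transform(body, mapping))
        for name, body in rule["detection"].items()
    }
    return {**rule, "detection": detection}


def unmapped_fields(rule: Dict[str, Any], mapping: Dict[str, str]) -> List[str]:
    """Fields the mapping does not cover; they keep their Sigma name and never
    match unless incoming events happen to use exactly that name."""
    return [f for f in sigma_fields(rule["detection"]) if f not in mapping]


def ensure_mapping_file(rule_path: str, rule: Dict[str, Any]) -> Dict[str, str]:
    """Source-operator analogue: load the rule's mapping file, writing an identity
    skeleton first if none exists. ASSUMPTION: <rule basename>.json beside the rule."""
    mapping_path = os.path.splitext(rule_path)[0] + ".json"
    if not os.path.exists(mapping_path):
        skeleton = {f: f for f in sigma_fields(rule["detection"])}
        with open(mapping_path, "w", encoding="utf-8") as fh:
            json.dump(skeleton, fh, indent=2)
    with open(mapping_path, encoding="utf-8") as fh:
        return json.load(fh)


def demo() -> Dict[str, Any]:
    """Run both steps on the constructed sample inside a temporary rules folder."""
    with tempfile.TemporaryDirectory() as folder:
        rule_path = os.path.join(folder, "certutil_download.yml")
        skeleton = ensure_mapping_file(rule_path, SAMPLE_RULE)  # first pass: created
        # an operator would now edit the generated file; overwrite it with the sample
        with open(os.path.splitext(rule_path)[0] + ".json", "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_MAPPING, fh)
        mapping = ensure_mapping_file(rule_path, SAMPLE_RULE)  # second pass: loaded
    return {
        "skeleton": skeleton,
        "transformed": transform_rule(SAMPLE_RULE, mapping),
        "unmapped": unmapped_fields(SAMPLE_RULE, mapping),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The identity skeleton written on the first pass is deliberate: a rule whose mapping was never edited transforms into itself, so checking unmapped_fields() (or diffing the .json against the skeleton) before pushing is the quickest way to catch a rule that was broadcast without a usable mapping.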

Push Sigma rules

To push Sigma rules, connect to the Nybble Leader node via SFTP and copy (or drag and drop) your Sigma rules into the configured "sigma.rules.folder" (by default $NYBBLE_HOME/rules). Because anything placed in that folder becomes a live detection rule on every node, restrict SFTP write access to it to the operators who maintain the rule set.