Graylog2 · StefanAustin · Jan 10, 2025 · Jan 10, 2025
diff --git a/Content/Content Packs/Windows TruKno Sigma Rules Content Pack.html b/Content/Content Packs/Windows TruKno Sigma Rules Content Pack.html
@@ -0,0 +1,74 @@
+<?xml version="1.0" encoding="utf-8"?>
+<html xmlns:MadCap="http://www.madcapsoftware.com/Schemas/MadCap.xsd">
+    <head> <title>Windows TruKno Sigma Rules Content Pack </title></head>
+    <body>
+        <MadCap:snippetBlock src="../Resources/Snippets/IlluminateBanner.flsnp" />
+        <p>The Windows Sigma Rules content pack is a collection of Sigma rules, selected from TruKno's Threat Detection Marketplace. The rules in this content pack are focused on Windows security threats. They are configured to work directly with existing Windows Illuminate content like Windows, Windows Security, Sysmon and PowerShell.</p>
+        <p>When you enable this content pack, these rules appear on the Sigma Rules page <MadCap:annotation MadCap:createDate="2024-10-09T10:56:39.0692820-08:00" MadCap:creator="AnnieZempel" MadCap:initials="AN" MadCap:comment="Will add link" MadCap:editor="AnnieZempel" MadCap:editDate="2024-10-09T10:56:42.1917310-08:00">in the Security interface</MadCap:annotation>. By default, new rules are disabled. You can select which rules to enable for your environment.</p>
+        <p>
+            <section class="infoBox">
+                <div class="content"><b>Hint</b>:&#160;Be sure to review the alerts before enabling them. Each rule can have a performance cost, depending on your network configuration. These rules come from TruKno, a 3rd party and may or maynot be content of a future Illuminate release. Please copy the rules.</div>
+            </section>
+        </p>
+        <h2>Requirements</h2>
+        <ul>
+            <li>Graylog 6.1+</li>
+            <li>Graylog Security license </li>
+            <li>Windows and/or Windows Security and/or Sysmon and/or Powershell Content Pack</li>
+        </ul>
+        <h2>Stream Configuration</h2>
+        <p>This technology pack uses the stream category:</p>
+        <ul>
+            <li>"windows_logs"</li>
+        </ul>
+        <h2>What is Provided</h2>
+        <p>This content pack includes 77 Sigma rules.</p>
+        <ul>
+            <li>
+                <p>Critical threat level:&#160;0 rule</p>
+            </li>
+            <li>
+                <p>High threat level:&#160;58 rules</p>
+            </li>
+            <li>
+                <p>Medium threat level:&#160;16 rules</p>
+            </li>
+            <li>
+                <p>Low threat level:&#160;3 rules</p>
+            </li>
+        </ul>
+        <p>Each rule includes remediation steps, which display if an alert is triggered based on the Sigma rule. See <a href="https://go2docs.graylog.org/current/what_more_can_graylog_do_for_me/sigma_rules.htm#remediation">Apply Search Filters and Remediation Steps</a> for details.</p>
+        <h2>Configure Sigma Rules</h2>
+        <p>When you enable this content, the new Sigma rules are added to the Sigma Rules page in Graylog. Follow the steps below to enable rules and configure alerts.</p>
+        <ol>
+            <li>
+                <p>Enable your chosen Sigma rules on the Sigma Rules page (<i>Security</i> &gt; <i>Sigma Rules</i>).</p>
+                <p>
+                    <section class="infoBox">
+                        <div class="content"><b>Hint</b>:&#160;To find the Sigma rules added by this content pack, search for <i>Illuminate</i>. All the rules from this pack have titles that begin with <i>Illuminate – Windows-TuKno</i>.</div>
+                    </section>
+                </p>
+                <p>To enable an inactive Sigma rule, click the toggle in the <i>Enabled</i> column.</p>
+                <p>
+                    <section class="infoBox">
+                        <div class="content"><b>Hint</b>:&#160;Be sure to review the alerts before enabling them. Each rule can have a performance cost, depending on your network configuration.</div>
+                    </section>
+                </p>
+            </li>
+            <li>
+                <p>Update rules if necessary. Some rules can result in many false positives and should be adjusted. Click the rule title to open the edit window where you can review the rule definition and other options. However, note that not all options are editable—including the rule definition.</p>
+                <p>If you need to update the rule definition, first clone the rule (select <i>Clone</i> from the <i>More</i> menu). In the cloned rule, you can update any of the fields and options, including the rule definition.</p>
+                <p>See <a href="https://go2docs.graylog.org/current/what_more_can_graylog_do_for_me/sigma_rules.htm">Sigma Rules</a> for complete information about creating and working with Sigma rules.</p>
+            </li>
+            <li>
+                <p>Edit and update the event definition, if necessary. Each Sigma rule has a matching event definition, found on the Event Definitions tab of the Alerts page. For Sigma rules you enable, review the matching event definitions. You can add search filters or alerts as well as custom fields.</p>
+                <p>
+                    <section class="infoBox">
+                        <div class="content"><b>Hint</b>:&#160;When you enable the Sigma rule, the event definition is enabled by default. You can disable the event and any defined alert on the Event Definition page without disabling the Sigma rule.</div>
+                    </section>
+                </p>
+                <p>See <a href="https://go2docs.graylog.org/current/interacting_with_your_log_data/event_definitions.html#Illuminate">Manage Illuminate Events</a> for more information.</p>
+            </li>
+        </ol>
+    </body>
+</html>