Sigma

Velociraptor has a built in Sigma rule evaluator, implemented with the sigma() plugin. Sigma is an open standard for writing detection rules, with the Velociraptor implementation described here

Sigma rules rely on a log source, which in Velociraptor is a VQL query. The rules also define detection clauses which apply on the events emitted from the log source.

When a Sigma artifact is collected, the rules are loaded into the sigma evaluator, and all log sources referred to by the rules are started.

If multiple rules use the same log source, the Sigma plugin evaluates each event emitted from the log source against all the rules using that log source. This means that adding more detection rules to the same log source pose no additional processing requirement since all the rules are evaluated against the same log source.

Only by adding rules that refer to other log sources, does the sigma plugin start new queries. This way it is pretty efficient to load thousands of rules at the same time.

The Sigma profile shows this relationship clearly. The above example was taken on a system that is running the live Sigma rules using the Windows.Hayabusa.Monitoring artifact.

We see that the Sigma engine has 4133 rules loaded. The Sysmon log source has 2057 rules following it. During the life of the process, 772 events were evaluated through those 2057 rules in 31 seconds (This works out to about 20us per rule). The artifact was running for 4.5 hours at this time, so 31 seconds amortized over this time is reasonable. Note also that different log sources are evaluated on different cores so on multi core systems, the performance impact is minimal.

We also see the Raw Access Read rule fired 129 times. This might indicate that the rule requires tuning, perhaps to add an allow list, since it seems to have a lot of false positives.