Following up on the thread Rule performance in stream, I'd like to ask whether there is a performance difference between creating multiple event definitions or creating a single event definition with the same query.
In particular I am asking about implementing Sigma rules, which have > 500 rules alone for process_creation events.
Should I be aggregating them into maybe 10 events using ORs, or have 500+ rules?
Is there a performance difference?
First of all: as far as I know, Graylog will support Sigma rules with Graylog 5.0. I don't know whether it will be an enterprise feature or not. You might consider waiting for that to be known to save a lot of work.
To answer your question: I would go for 10 events using ORs. Elastic/OpenSearch is quite good with long queries, and it saves you a long list of events. But that is more of a feeling; I never did benchmarks.
Thanks for that. I didn’t know there were plans to directly support Sigma for future releases.
In any case, I'm already at a point where I've pretty much automated the process from Sigma creation to event creation via the API, so I might as well create a publicly available content pack.
If there are any benchmarks or experiences regarding long queries vs more event definitions please feel free to contribute.
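As an added illustration of both layouts discussed above (one event definition per rule versus a handful of OR-joined bundles) and of the Sigma-to-event automation the last reply mentions, here is a small Python converter. It is not code from the thread, Graylog or the Sigma project. It handles only the common Sigma detection subset (plain values, lists, `|contains`, `|startswith`, `|endswith`, `|all`, and `and`/`or`/`not` conditions) and raises on anything else, so an unsupported rule fails loudly rather than silently turning into a query that never fires. The sample rules are constructed, and the event-definition JSON field names (`config.type`, `config.query`, `search_within_ms`, `execute_every_ms`) are written from memory as an assumption; check them against your Graylog version's API browser before posting.

```python
"""Bundle Sigma process_creation rules into Graylog event-definition queries (added example)."""
import re

# Lucene query-syntax characters that must be escaped inside a term.
# '*' and '?' are deliberately left alone: Sigma treats them as wildcards.
_SPECIAL = set('\\+-!(){}[]^"~:/&| ')
_TOKEN = re.compile(r"\(|\)|[^\s()]+")


def _escape(value):
    return "".join("\\" + c if c in _SPECIAL else c for c in str(value))


def _term(value, modifier):
    e = _escape(value)
    if modifier == "":
        return e
    if modifier == "contains":
        return f"*{e}*"
    if modifier == "startswith":
        return f"{e}*"
    if modifier == "endswith":
        return f"*{e}"
    raise ValueError(f"unsupported Sigma modifier {modifier!r}")


def selection_to_lucene(selection):
    """One Sigma detection block (field -> value or list) -> '(a AND b)'."""
    clauses = []
    for key, values in selection.items():
        field, *modifiers = key.split("|")
        joiner = " AND " if "all" in modifiers else " OR "  # |all: every value must match
        modifiers = [m for m in modifiers if m != "all"]
        if len(modifiers) > 1:
            raise ValueError(f"unsupported modifier chain {key!r}")
        modifier = modifiers[0] if modifiers else ""
        if not isinstance(values, list):
            values = [values]
        terms = [_term(v, modifier) for v in values]
        clause = terms[0] if len(terms) == 1 else "(" + joiner.join(terms) + ")"
        clauses.append(f"{field}:{clause}")
    return "(" + " AND ".join(clauses) + ")"


def rule_to_lucene(rule):
    """Walk the condition string, substituting each named detection block."""
    det = rule["detection"]
    out = []
    for tok in _TOKEN.findall(det["condition"]):
        if tok.lower() in ("and", "or", "not"):
            out.append(tok.upper())
        elif tok in ("(", ")"):
            out.append(tok)
        elif tok in det and tok != "condition":
            out.append(selection_to_lucene(det[tok]))
        else:  # e.g. '1 of selection*' is not handled here: refuse, don't guess
            raise ValueError(f"unsupported condition token {tok!r} in {rule['title']!r}")
    return out[0] if len(out) == 1 else "(" + " ".join(out) + ")"


def event_definitions(rules, n_groups):
    """Round-robin the rules into n_groups OR-joined event definitions.

    n_groups == len(rules) gives one event definition per rule; a small
    n_groups gives the '10 events using ORs' layout from the thread.
    """
    groups = [[] for _ in range(n_groups)]
    for i, rule in enumerate(rules):
        groups[i % n_groups].append(rule)
    defs = []
    for i, group in enumerate(groups):
        if not group:
            continue
        query = " OR ".join(rule_to_lucene(r) for r in group)
        # Field names below follow the Graylog event-definition JSON as I
        # remember it (assumption); verify against your server's API browser.
        defs.append({
            "title": f"Sigma process_creation bundle {i + 1}/{n_groups}",
            # Keep the bundled rule titles so a fired event is still traceable.
            "description": "Sigma rules: " + ", ".join(r["title"] for r in group),
            "config": {
                "type": "aggregation-v1",
                "query": query,
                "streams": [],
                "search_within_ms": 60_000,
                "execute_every_ms": 60_000,
            },
        })
    return defs


# Constructed sample rules: the detection part of three made-up Sigma rules.
RULES = [
    {"title": "PowerShell Download Cradle", "detection": {
        "selection": {"Image|endswith": "powershell.exe",
                      "CommandLine|contains": ["DownloadString", "FromBase64String"]},
        "condition": "selection"}},
    {"title": "Whoami Execution", "detection": {
        "selection": {"Image|endswith": "whoami.exe"},
        "filter": {"ParentImage|endswith": "cmd.exe"},
        "condition": "selection and not filter"}},
    {"title": "Local User Added", "detection": {
        "selection": {"Image|endswith": ["net.exe", "net1.exe"],
                      "CommandLine|contains|all": ["user", "/add"]},
        "condition": "selection"}},
]

if __name__ == "__main__":
    for d in event_definitions(RULES, 2):
        print(d["title"], "->", d["config"]["query"])
```

Two points worth keeping in mind whichever layout you benchmark: an OR-bundled event loses per-rule attribution at alert time, so the description carries the bundled titles and you may still want separate definitions for the handful of rules whose alerts you triage differently; and the escaping is only as good as the field names and values you feed in, so run the generated queries by hand once before pushing hundreds of them through the API.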