Performance difference, multiple rules vs single rule with same conditions?

Following up on the following thread Rule performance in stream I’d like to pose the question if there is a performance difference between creating multiple event definitions or creating a single event definition with the same query.

In particular I am asking about implementing Sigma rules, which have > 500 rules alone for process_creation events.
Should I be aggregating them into maybe 10 events using OR’s or have 500+ rules?
Is there a performance difference?

Fist of all: as far as I know Graylog will support Sigma-Rules with Graylog 5.0. I don’t know if it will be an enterprise-feature, or not. You might consider waiting for that to be known to save a lot of work.

To answer your question: I would go for 10 events using ORs. Elastic/Opensearch is quite good with long queries, and it saves you a long list of events. But that is more a feeling, I never did benchmarks.

1 Like

Thanks for that. I didn’t know there were plans to directly support Sigma for future releases.
In any case I’m already at a point where I’ve pretty much automated the process from sigma creation to event creation via API so I might as well create a publicly available content pack.

If there are any benchmarks or experiences regarding long queries vs more event definitions please feel free to contribute.


That would be awesome!

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.