
Morio v0.11.0

· 3 min read
Joost De Cock
Morio Maintainer

We have released version 0.11.0 of Morio, a new minor release that is not focussed on bringing new features, but instead is a refactor of some of our API code to clean and harden Morio.

This includes several breaking changes, so this seems like a good time to remind people that we are both in alpha and version 0.x, which means that the guarantees of semantic versioning do not apply.

Initial support for native Sigma detections

While new features were not the focus of this release, it does contain our initial work on bringing native support for Sigma detections to Morio.

This is currently in the "it compiles" state; we have not gotten around to testing it with real-world data. But it seemed meaningful to mention, as it indicates the direction we are heading.

Sigma is a vendor-agnostic detection format that allows people to write rules to detect various things in (typically) their logs. Sigma is not merely a detection format; it also comes with so-called backends that can translate those rules into the specific query language of a SIEM like Elasticsearch or Splunk.

That's the high-level idea. There are a lot of caveats for this to actually work, but the goal of allowing detection engineers to write detections in a vendor-agnostic way is a worthy endeavour, and something we want to support. Morio is also vendor-agnostic, so we feel it is a natural fit.

However, we cannot really implement a Sigma backend for Morio, because these backends take Sigma rules as input and generate query language for a specific SIEM from them. You then take those queries and run them on your SIEM.

Info: There is a whole bunch of adjacent tooling to reduce friction in these various steps; our colleagues' DROID project is one of them.

Since Morio is not a SIEM, this backend approach doesn't work for us. What queries would we generate? Where would we even run them?

Our ideal scenario looks like this:

  • Step 1: Write your Sigma detection rule
  • Step 2: Morio does the rest

So that's what we're working towards. You point Morio to your git repository of Sigma rules, and it will transform them into detection logic that can be loaded into Morio's tap service, unlocking real-time stream-processing detections based on your Sigma rules.

This will certainly require more work before it becomes a viable way to run your detections. And some detections that rely on context windows may never be supported, but it's an exciting idea and we're working on it.
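To illustrate the "Morio does the rest" idea, here is an added example (not Morio's own code) of turning a Sigma rule into per-event detection logic in JavaScript rather than into a SIEM query. The rule, its field names and the events are constructed samples, and the supported subset (three modifiers, "X" and "X and not Y" conditions, no time windows) is an assumption about what such a first pass would cover.

```javascript
// Added example, not Morio's code: compile one stateless Sigma rule (constructed,
// already parsed from YAML into an object) into a predicate applied per event, the
// shape a real-time tap-style detection needs. Only contains/startswith/endswith and
// the "X" / "X and not Y" condition forms are handled; nothing needing a time window.
const rule = {
  title: 'Shell spawned by a web server (constructed sample)',
  detection: {
    selection: { 'ParentImage|endswith': ['/nginx', '/httpd'], 'Image|endswith': ['/sh', '/bash'] },
    filter: { 'CommandLine|contains': 'logrotate' },
    condition: 'selection and not filter',
  },
};
// Constructed process-creation events standing in for a live stream.
const sampleEvents = [
  { ParentImage: '/usr/sbin/nginx', Image: '/bin/sh', CommandLine: 'sh -c id' },
  { ParentImage: '/usr/sbin/nginx', Image: '/bin/sh', CommandLine: 'sh /etc/logrotate.d/run' },
  { ParentImage: '/usr/sbin/sshd', Image: '/bin/bash', CommandLine: 'bash -l' },
];
// One field against one expected value under a modifier; Sigma compares case-insensitively.
function matchValue(actual, expected, modifier) {
  if (actual == null) return false;
  const [a, e] = [actual, expected].map((s) => String(s).toLowerCase());
  if (modifier === 'contains') return a.includes(e);
  if (modifier === 'startswith') return a.startsWith(e);
  if (modifier === 'endswith') return a.endsWith(e);
  return a === e;
}
// A selection maps "Field|modifier" to a value or list: all keys must match (AND),
// and a list matches when any of its values does (OR).
function selectionMatches(selection, event) {
  return Object.entries(selection).every(([key, expected]) => {
    const [field, modifier] = key.split('|');
    const values = Array.isArray(expected) ? expected : [expected];
    return values.some((v) => matchValue(event[field], v, modifier));
  });
}
// Turn the rule's condition into a predicate over a single event.
function compileRule(r) {
  const { condition, ...selections } = r.detection;
  const m = condition.match(/^(\w+)(?: and not (\w+))?$/);
  if (!m) throw new Error(`Unsupported condition: ${condition}`);
  const [, positive, negative] = m;
  return (event) =>
    selectionMatches(selections[positive], event) &&
    !(negative && selectionMatches(selections[negative], event));
}
// Run the predicate over the stream and return one alert per matching event.
function detect(r, events) {
  return events.filter(compileRule(r)).map((e) => ({ rule: r.title, event: e }));
}
```

Running `detect(rule, sampleEvents)` yields a single alert for the first event: the second is excluded by the filter selection and the third never matches the web-server parent.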