Long term list matching

[wlaforest]

Hello all! So i'm one of the maintainers of the Confluent Sigma (apache licensed) which is built to apply sigma rules against streams of data in Kafka in real time. A common pattern that I have seen in the Kafka world is to check events against a massive term list and use that to route data. So the most obvious example of that is an IP or DNS blacklist (or whitelist). Without sigma you could do this easily with a kstreams app or ksql query but I want to be able to apply this in Sigma. Clearly you could embed a long list of terms in a single sigma rule but that obviously will become unwieldy and unscalable quickly. You could also just have separate rules for each term but thats not great either. Ideally what you would want to do is reference a term list in the sigma rule where the term list is an implementation specific construct that you would join against. In the Kafka world this is easy with a ktable against terms in a topic for instance. I may be missing this but is there a syntax to already do this? Thoughts

[Neo23x0]

but I want to be able to apply this in Sigma.

Why?

I always thought that there should be a native way to apply IOCs in every SIEM - e.g. STIX as input.
Using Sigma to apply IOCs feels like using a Porsche to transport fire wood.

[wlaforest]

It would be nice to have a single mechanism that provides a set of rules that specifies behavior. In additional to finding threats in real time another use cases for sigma with Kafka is actually to provide a comprehensive set of rules for routing data to a specific destination. So absolutely I could have a ksql job doing this and then another set of sigma rules for other things but now you have to manage the flow across two different systems. @neu5ron mentioned to me that there was some sort of variable syntax.

[wlaforest]

Also I guess I would add that It would be nice to have a single cross platform way to express a comprehensive rule set. One could easily express a simple term query in splunk or elastic for instance but it doesn't change the value of using sigma as a cross platform vehicle for transmission of observable data rules.