How to write Sigma rules for mixed event detection with different log sources?

[dardigit]

Hello,
I am trying to create Sigma rules to detect a scenario involving 3 events:

Event 1: Windows Security Event 4688
Event 2: Sysmon Event 1
Event 3: Windows Security Event 4624

The detection logic I want is:
(Event 1 OR Event 2) AND Event 3

My problem is that Event 1 and Event 3 come from the same log source (Windows Security), so I can write a Sigma rule combining those two. But Event 2 is from a different log source (Sysmon), and Sigma only supports one log source per rule. This means I cannot combine Event 2 and Event 3 in one rule.

How can I implement the above logic in Sigma?
Is it even possible? Or should I handle the correlation of these events outside of Sigma rules (for example, in the SIEM)?
Are there any recommended approaches or best practices for this type of multi-source event correlation?

Thank you!

Below is an example of how I wanted to implement it.

action: global
title: Example combined detection
description: Detection of events 4688 or Sysmon event 1, and event 4624
status: experimental
author: Name
level: high
references:

• https://example.com/reference

---

logsource:
product: windows
service: security
detection:
selection_4688:
EventID: 4688
selection_4624:
EventID: 4624
condition: (selection_4688 or selection_4624)

logsource:
product: windows
service: sysmon
detection:
selection_1:
EventID: 1
condition: selection_1 #???

[nasbench]

You simply use correlations https://blog.sigmahq.io/introducing-sigma-correlations-52fe377f2527
https://sigmahq.io/docs/meta/correlations.html

Also i suggest you read the specs of sigma in order to have an overview of its capabilities. As correlations were introduced over a year ago.

[dardigit]

Thank you! I will look into this.

[nasbench]

Dont hesitate to ask if you have questions about the syntax or how to implement an idea. We're here to help