»Log Hunting with Sigma«
2018-10-17, 09:30–11:30, Echternach - Diekirch
How to create Sigma rules and use them to hunt evil in logs.
Sigma is a generic signature format for describing interesting log events. It provides a structured format in which researchers and analysts can describe and share detection methods. Its main repository contains:
- a rule specification
- an open repository for rules (currently 185)
- a converter that generates queries for a wide range of SIEM systems
Besides the open source repository, further services such as a web editor for Sigma rules and other free and commercial rule repositories are evolving around Sigma.
In this workshop, we will learn how to:
- Write Sigma rules for log events of analysed threats
- Generate queries for a supported SIEM and grep command lines with the open converter sigmac
- Build a custom backend for a new query language
- Share Sigma rules with MISP
Further, we will explore the current and evolving ecosystem around Sigma.
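As an added illustration of the rule format and converter idea described above (not code from the workshop or the Sigma project), here is a minimal Python evaluator: a constructed Sigma rule, stored as the dict PyYAML would produce from its YAML, is compiled field by field into regular expressions and run against constructed process-creation events. The supported field modifiers and condition grammar are the small subset of the Sigma specification assumed here.

```python
import re

# Constructed rule, as the dict PyYAML yields from a Sigma YAML file ('Field|modifier' keys).
RULE = {
    "title": "PowerShell download cradle (constructed example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["DownloadString", "Invoke-WebRequest"],
        },
        "filter": {"User|contains": "svc_backup"},  # hypothetical allow-listed account
        "condition": "selection and not filter",
    },
}

# Constructed process-creation events, keyed by the field names the rule uses.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [
    {"Image": PS, "User": "CORP\\jdoe",
     "CommandLine": "powershell -c Invoke-WebRequest http://example.invalid/u.ps1"},
    {"Image": PS, "User": "CORP\\svc_backup",
     "CommandLine": "powershell -c Invoke-WebRequest http://backup.internal/x"},
]
MODIFIERS = {"": ("", ""), "contains": ("*", "*"), "startswith": ("", "*"), "endswith": ("*", "")}

def field_regex(key, value):
    """'Field|modifier': value(s) -> (field, regex). A list is an OR, '*' a wildcard;
    matching is case-insensitive, as most Sigma backends do it (assumption)."""
    field, _, mod = key.partition("|")
    pre, post = MODIFIERS[mod]
    values = value if isinstance(value, list) else [value]
    alts = "|".join(re.escape(f"{pre}{v}{post}").replace(r"\*", ".*") for v in values)
    return field, re.compile(f"(?:{alts})", re.IGNORECASE | re.DOTALL)

def search_matches(spec, event):
    """Every field of one search identifier must match (implicit AND)."""
    return all(rx.fullmatch(str(event.get(field, "")))
               for field, rx in (field_regex(k, v) for k, v in spec.items()))

def evaluate_condition(cond, results):
    """Subset of Sigma conditions: identifiers joined by 'and'/'or', optional 'not'."""
    term = lambda t: not results[t[4:]] if t.startswith("not ") else results[t]
    return any(all(term(t) for t in clause.split(" and ")) for clause in cond.split(" or "))

def rule_matches(rule, event):
    """Evaluate each named search on the event, then combine them via the condition."""
    det = rule["detection"]
    results = {n: search_matches(s, event) for n, s in det.items() if n != "condition"}
    return evaluate_condition(det["condition"], results)
```

Running `[e for e in EVENTS if rule_matches(RULE, e)]` returns only the first event: the second is suppressed by the `not filter` clause, which is the usual way Sigma rules carve out known-benign activity.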
The following prerequisites are recommended for going through the hands-on exercises:
- Ability to run Docker containers from the Internet
- Python 3 with the dependencies required by Sigma