»Log Hunting with Sigma«
2018-10-17, 09:30–11:30, Echternach - Diekirch

How to create Sigma rules and use them to hunt evil in logs.

Sigma is a generic signature format for describing log events of interest. It provides a structured format in which researchers and analysts can describe and share detection methods. Its main repository contains:

  • a rule specification
  • an open repository for rules (currently 185)
  • a converter that generates queries for a wide range of SIEM systems

Besides the open-source repository, further services such as a web editor for Sigma rules and other free and commercial rule repositories are evolving around Sigma.

In this workshop, we will learn how to:

  • Write Sigma rules for log events of analysed threats
  • Generate queries for a supported SIEM and grep command lines with the open converter sigmac
  • Build a custom backend for a new query language
  • Share Sigma rules with MISP

Further, we will explore the current and evolving ecosystem around Sigma.
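As an added illustration (not material from the workshop and not code from the Sigma project or its converter sigmac), the following Python sketch shows the shape of a Sigma rule with keyword lists and a condition, hunts with it over constructed auth.log lines, and renders the same rule as a hypothetical grep pipeline; the rule, the log excerpt and all function names are constructed for this example.

```python
import re

# Constructed rule in Sigma's layout (title, logsource, detection with named keyword
# lists and a condition), as a Python dict rather than YAML. Not from the Sigma repository.
RULE = {
    "title": "SSH password failures for root or invalid users (constructed)",
    "logsource": {"product": "linux", "service": "sshd"},
    "detection": {
        "selection": ["Failed password for root", "Failed password for invalid user"],
        "filter": ["from 10.0.0."],  # management subnet, tuned out
        "condition": "selection and not filter",
    },
}

def keywords_regex(values):
    """A Sigma keyword list is an implicit OR: any listed string in the line."""
    return "|".join(re.escape(v) for v in values)

def parse_condition(cond):
    """Minimal condition grammar ('a', 'not a', 'a and b', 'a or b'; no parentheses).
    Returns AND-groups, each a list of (negated, selection_name) terms."""
    return [[(t.startswith("not "), t[4:] if t.startswith("not ") else t)
             for t in d.split(" and ")] for d in cond.split(" or ")]

def matches(rule, line):
    """Hunting side: evaluate the condition against one raw log line."""
    det = rule["detection"]
    hit = {n: re.search(keywords_regex(v), line) is not None
           for n, v in det.items() if n != "condition"}
    return any(all(hit[n] != neg for neg, n in group)
               for group in parse_condition(det["condition"]))

def to_grep(rule):
    """Hypothetical grep backend: one 'grep -E' per positive term and one
    'grep -vE' per negated term, piped together; 'or' between groups is unsupported."""
    det = rule["detection"]
    groups = parse_condition(det["condition"])
    if len(groups) != 1:
        raise ValueError("grep pipeline can express a single AND-group only")
    return " | ".join(f"grep {'-vE' if neg else '-E'} '{keywords_regex(det[n])}'"
                      for neg, n in groups[0])

# Constructed auth.log excerpt (not real data).
SAMPLE_LOG = [
    "Oct 17 09:31:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "Oct 17 09:31:05 host sshd[1201]: Failed password for root from 10.0.0.5 port 40022 ssh2",
    "Oct 17 09:31:09 host sshd[1207]: Accepted publickey for alice from 198.51.100.2 port 50110 ssh2",
    "Oct 17 09:31:11 host sshd[1210]: Failed password for invalid user admin from 203.0.113.9 port 51240 ssh2",
]
```

Running `[ln for ln in SAMPLE_LOG if matches(RULE, ln)]` returns the first and fourth lines only, and `to_grep(RULE)` prints the two-stage `grep -E ... | grep -vE ...` pipeline a shell-based hunt would use.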

The following prerequisites are recommended for working through the hands-on exercises:

  • Ability to run Docker containers from the Internet
  • Python 3 with the dependencies required by Sigma