2019-10-23, 13:15–16:15, Fischbach
How to create Sigma rules and hunt evil in logs.
Sigma is a generic signature format for describing interesting log events. It provides a
structured format in which researchers and analysts can describe and share detection methods. Its
main repository contains:
- a rule specification
- an open repository for rules (currently 185)
- a converter that generates queries for a wide range of SIEM systems
Besides the open-source repository, further services such as a web editor for Sigma rules and other free
and commercial rule repositories are evolving around Sigma.
In this workshop, we will learn how to:
- Write Sigma rules for the log events of analysed threats
- Generate queries for a supported SIEM, as well as grep command lines, with the open converter sigmac
- Share Sigma rules via MISP
- Use generic log sources to write portable rules
- Use content modifiers for regular expressions, for expressing obfuscation techniques, and for other advanced matching needs
Further, we will explore the current and evolving ecosystem around Sigma.
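To make the rule-writing objectives above concrete, here is an added example that is not part of the workshop repository or of the Sigma project: a constructed Sigma rule for the generic process_creation log source (hypothetical, not one of the public repository's rules), shown both as YAML and as the dict PyYAML would load, plus a small evaluator that applies the detection section directly to constructed Sysmon-style events. It covers the field modifiers contains/startswith/endswith/re/all, Sigma's `*` and `?` wildcards, and a condition with and/or/not, which is enough to see how a filter selection removes a known-good parent process and how a `re` modifier catches a short `-e` flag that a plain `contains` misses. Field names, the ccmexec.exe tuning filter and the sample events are all assumptions made for the example; case-insensitive plain matching and unanchored `re` search mirror what the common sigmac backends emit, but sigmac, not this code, is the reference implementation.

```python
import ast
import re

# Constructed rule for the generic process_creation log source, written for this
# example (it is not a rule from the public Sigma repository). As Sigma YAML:
#   logsource: {category: process_creation, product: windows}
#   detection:
#     selection:
#       Image|endswith: '\powershell.exe'
#       CommandLine|contains: [' -enc ', ' -EncodedCommand ']
#     selection_re: {'CommandLine|re': '(?i)\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}'}
#     filter: {'ParentImage|endswith': '\ccmexec.exe'}   # hypothetical tuning: SCCM agent
#     condition: (selection or selection_re) and not filter
RULE = {
    "title": "Encoded PowerShell Command Line (example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe",
                      "CommandLine|contains": [" -enc ", " -EncodedCommand "]},
        "selection_re": {"CommandLine|re": r"(?i)\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}"},
        "filter": {"ParentImage|endswith": "\\ccmexec.exe"},
        "condition": "(selection or selection_re) and not filter",
    },
}


def _value_regex(value, modifier):
    """One Sigma value as an anchored regex: '*' and '?' are Sigma wildcards and
    contains/startswith/endswith add the implied wildcards; 're' is used as-is."""
    if modifier == "re":
        return value
    pat = re.escape(value).replace(r"\*", ".*").replace(r"\?", ".")
    return {"contains": f".*{pat}.*", "startswith": f"{pat}.*",
            "endswith": f".*{pat}"}.get(modifier, pat)


def _field_matches(event, key, values):
    """Evaluate 'Field|modifier...' against one event. A value list is OR unless the
    'all' modifier is present. Plain matching is case-insensitive, as the common
    sigmac backends treat it; 're' is an unanchored, case-sensitive search."""
    field, _, mods = key.partition("|")
    mods = mods.split("|") if mods else []
    mode = next((m for m in mods if m in ("contains", "startswith", "endswith", "re")), None)
    if field not in event:
        return False
    actual, hits = str(event[field]), []
    for v in values if isinstance(values, list) else [values]:
        if mode == "re":
            hits.append(re.search(v, actual) is not None)
        else:
            hits.append(re.fullmatch(_value_regex(str(v), mode), actual, re.I) is not None)
    return all(hits) if "all" in mods else any(hits)


def _eval_condition(condition, results):
    """Sigma conditions built from and/or/not/parentheses parse as Python
    expressions; walk the AST rather than eval() it, so nothing else can run.
    '1 of them'-style quantifiers and aggregations are not handled here."""
    def walk(node):
        if isinstance(node, ast.BoolOp):
            vals = [walk(v) for v in node.values]
            return all(vals) if isinstance(node.op, ast.And) else any(vals)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not walk(node.operand)
        if isinstance(node, ast.Name):
            return results[node.id]    # KeyError if the condition names an unknown selection
        raise ValueError(f"unsupported condition syntax: {ast.dump(node)}")
    return walk(ast.parse(condition, mode="eval").body)


def match_rule(rule, event):
    """True if the event satisfies the detection section. Each selection map is an
    AND over its fields (list-form selections are left out of this example)."""
    detection = rule["detection"]
    results = {name: all(_field_matches(event, k, v) for k, v in sel.items())
               for name, sel in detection.items() if name != "condition"}
    return _eval_condition(detection["condition"], results)


def hunt(rule, events):
    """Indices of the events the rule fires on."""
    return [i for i, ev in enumerate(events) if match_rule(rule, ev)]


# Constructed process_creation events using Sysmon-style field names.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",           # 0: fires
     "CommandLine": "powershell.exe -nop -w hidden -enc " + "QUJD" * 11},
    {"Image": PS.replace("powershell.exe", "PowerShell.exe"),           # 1: fires, mixed case
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "PowerShell -EncodedCommand " + "SQBFAFgA" * 6},
    {"Image": PS, "ParentImage": r"C:\Windows\CCM\CcmExec.exe",         # 2: removed by filter
     "CommandLine": "powershell.exe -enc " + "QUJD" * 11},
    {"Image": PS, "ParentImage": r"C:\Windows\System32\wscript.exe",   # 3: only the regex sees -e
     "CommandLine": "powershell -e " + "QUJD" * 11},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",           # 4: benign
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\certutil.exe",                      # 5: not PowerShell
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "certutil -encode in.txt out.txt"},
]

if __name__ == "__main__":
    print(hunt(RULE, EVENTS))   # [0, 1, 3]
```

Running the block lists events 0, 1 and 3: event 2 is identical to 0 in its selection fields but is dropped by the filter on the parent image, and event 3 is caught only because the `re` selection tolerates the short `-e` spelling that the `contains` list does not. This is the same reasoning a practitioner goes through when deciding whether a rule needs a modifier or a filter before handing it to sigmac for a real backend.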
The following prerequisites are recommended for working through the hands-on exercises:
- A Unix environment
- Ability to run Docker containers from the Internet
- Python >= 3.6 with Sigma's Python dependencies installed
- The cloned Sigma workshop repository: https://github.com/thomaspatzke/sigma-workshop (pull updates shortly before the workshop!)
- A MISP instance that can be used for test events (I recommend MISP-dockerized from DCSO: https://github.com/DCSO/MISP-dockerized)