Sigma Workshop
2019-10-23, 13:15–16:15, Fischbach

How to create Sigma rules and hunt evil in logs.


Sigma is a generic signature format for description of interesting log events. It provides a
structured format in which researchers and analysts can describe and share detection methods. Its
main repository contains:

  • a rule specification
  • an open repository for rules (currently 185)
  • a converter that generates queries for a wide range of SIEM systems

Beside the open source repository, further services like a web editor for Sigma rules and other free
and commercial repositories are evolving around Sigma.

In this workshop, we will learn how to:

  • Write Sigma rules for log events of analysed threats
  • Generate queries for a supported SIEM and grep command lines with the open converter sigmac
  • Sharing Sigma rules with MISP
  • Using generic log sources to write portable rules
  • Using content modifiers for regular expressions, expression of obfuscation techniques and other advanced stuff.

Further, we will explore the current and evolving ecosystem around Sigma.

The following prerequisites are recommended for going through the hands-on excercises: