Sigma - Generic Signatures for Log Events
Overview
Explore a comprehensive conference talk on Sigma, a generic signature format for log events, presented by Thomas Patzke at Hack.lu 2017. Discover how Sigma addresses the lack of standardization in log signatures, enabling efficient sharing and distribution across heterogeneous environments. Learn about the YAML-based format, open repository of signatures, and the extensible conversion tool that transforms Sigma signatures into various query languages. Gain insights into use cases, rule examples for threat detection, challenges in rule conversion, and the project's development community. Understand the potential impact of Sigma on threat hunting, incident analysis, and SIEM system interoperability. Delve into specific examples of rules for detecting Mimikatz, WCE, webshell reconnaissance, and suspicious login attempts. Explore the current state of the project and future plans for enhancing log-based threat detection and analysis.
Syllabus
Intro
Log Monitoring
Problems!
It's open source!
Rule Format
Rule Example: Mimikatz Detection
WCE Detection
Rule Example: Webshell Reconnaissance Activity
Rule Example: Relevant AV Events
Rule Example: Suspicious Login Attempts
Example: Django Exceptions
Challenges in Rule Conversion
Sigma Converter Configurations
Conversion Process
Backend Implementation: Splunk
Contributors and Community
Current State and Future Work
Questions?
Taught by
Cooper