<div dir="ltr"><div>I felt bad that there weren't any rules yet in the Sigma rule repository for Zeek, so I added a rule for Kerberos TGS requests with the rc4-hmac cipher yesterday, which looks like it got merged. Hopefully you find it helpful.<br></div><div dir="ltr"><br></div><div dir="ltr">I'm looking forward to the Corelight team's contributions to Sigma as well! <br></div><div dir="ltr"><br></div><div>-James<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Feb 13, 2020 at 8:02 AM Terry Leach <<a href="mailto:terry.leach@astrolytes.com">terry.leach@astrolytes.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">WOW! Thank you both for the update.<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Feb 12, 2020 at 5:33 PM Brian Dye <<a href="mailto:brian@corelight.com" target="_blank">brian@corelight.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">As a quick add to this, we've got work in flight to map the Zeek fields into the Sigma sources. Will be contributing that, so while it isn't ready yet, looking forward to sharing when ready (no ETA yet, sorry - but work is in flight at least).</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Feb 11, 2020 at 9:34 PM James Dickenson <<a href="mailto:jdickenson@gmail.com" target="_blank">jdickenson@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Sigma is awesome to use and works well with Zeek logs in my opinion.
I've only written a few Sigma detections for Zeek, but it's basically the same process as creating any other Sigma detection. Identify which fields/values are of interest in the log and add those as selection criteria in the Sigma rule. Additionally, you may want to write a Sigma log source config to map Zeek to the appropriate fields for the target SIEM. There are some good write-ups on how to write Sigma rules if you haven't done so before. I would also add that you will save yourself a lot of head-banging/frustration if you use a text editor that supports a YAML linter, like VS Code or Atom. <br></div><div><br></div><div><br></div><div>-James<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Feb 10, 2020 at 10:04 AM Terry Leach <<a href="mailto:terry.leach@astrolytes.com" target="_blank">terry.leach@astrolytes.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">I'm interested in using Zeek for NSM and Sigma-generated rulesets for SIEMs together. I'd like to hear from anyone about their experience using both together for detection. Any feedback welcome!<br clear="all"><div><div><br></div><div><br></div><div>Thanks,<br></div><div>-- <br><div dir="ltr"><div dir="ltr"><div><div dir="ltr"><div dir="ltr">Terry Leach<div>Astrolytes</div></div></div></div></div></div></div></div></div>
_______________________________________________<br>
Zeek mailing list<br>
<a href="mailto:zeek@zeek.org" target="_blank">zeek@zeek.org</a><br>
<a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek" rel="noreferrer" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</a></blockquote></div>
</blockquote></div>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr"><div dir="ltr"><div><div dir="ltr"><div dir="ltr">Terry Leach<div>Astrolytes</div><div>202-670-0882</div></div></div></div></div></div>
</blockquote></div></div>
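The selection-criteria process James describes, applied to Zeek's kerberos.log, as an added example that is not code from this thread or from the Sigma repository: it evaluates a Sigma-style rule over constructed Zeek kerberos.log JSON lines using Sigma's own AND/OR and `|modifier` semantics. The rule body is an assumed reconstruction of a TGS/rc4-hmac rule (not the merged rule's text), and the krbtgt tuning filter is an assumption; the field names (request_type, cipher, client, service, uid) are Zeek's real kerberos.log columns.

```python
import json

# Sigma-style rule for the behaviour James describes (an assumed reconstruction, not the merged rule).
RULE = {
    "title": "Kerberos TGS request with rc4-hmac cipher (Zeek kerberos.log)",
    "logsource": {"product": "zeek", "service": "kerberos"},
    "detection": {
        # Zeek kerberos.log fields: request_type is "AS" or "TGS"; cipher is the decoded enctype.
        "selection": {"request_type": "TGS", "cipher": "rc4-hmac"},
        # Assumed tuning filter: TGT renewals are TGS requests for krbtgt, not for a service.
        "filter": {"service|startswith": "krbtgt/"},
        "condition": "selection and not filter",
    },
}

# Constructed Zeek kerberos.log lines in JSON format (sample data, not real traffic).
SAMPLE_KERBEROS_LOG = """\
{"ts":1581458400.1,"uid":"C1","id.orig_h":"10.0.0.5","request_type":"AS","client":"alice/CORP.LOCAL","service":"krbtgt/CORP.LOCAL","cipher":"aes256-cts-hmac-sha1-96"}
{"ts":1581458401.2,"uid":"C2","id.orig_h":"10.0.0.5","request_type":"TGS","client":"alice/CORP.LOCAL","service":"MSSQLSvc/db01.corp.local","cipher":"rc4-hmac"}
{"ts":1581458402.3,"uid":"C3","id.orig_h":"10.0.0.7","request_type":"TGS","client":"bob/CORP.LOCAL","service":"cifs/fs01.corp.local","cipher":"aes256-cts-hmac-sha1-96"}
{"ts":1581458403.4,"uid":"C4","id.orig_h":"10.0.0.5","request_type":"TGS","client":"alice/CORP.LOCAL","service":"krbtgt/CORP.LOCAL","cipher":"rc4-hmac"}
"""
# Sigma value modifiers supported here; a key without a modifier means exact match.
_MODIFIERS = {
    "": lambda actual, value: actual == value,
    "startswith": str.startswith,
    "endswith": str.endswith,
    "contains": lambda actual, value: value in actual,
}

def field_matches(modifier, expected, actual):
    """One Sigma field test: a list of values is OR-ed; the modifier picks the comparison."""
    if actual is None:
        return False
    values = expected if isinstance(expected, list) else [expected]
    return any(_MODIFIERS[modifier](str(actual), str(v)) for v in values)

def selection_matches(selection, event):
    """All fields of a Sigma selection map are AND-ed; keys may carry a '|modifier' suffix."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if not field_matches(modifier, expected, event.get(field)):
            return False
    return True

def run_detection(rule, log_text):
    """Evaluate the condition 'selection and not filter' (hard-coded here) over JSON log lines."""
    sel, flt = rule["detection"]["selection"], rule["detection"]["filter"]
    events = (json.loads(line) for line in log_text.splitlines() if line.strip())
    return [(e["uid"], e["client"], e["service"]) for e in events
            if selection_matches(sel, e) and not selection_matches(flt, e)]
```

Only C2 survives: C1 is an AS request, C3 used AES, and C4 is an rc4-hmac TGS request for krbtgt that the assumed filter drops.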