[Zeek] Using Zeek with SIGMA

James Dickenson jdickenson at gmail.com
Tue Feb 11 21:32:56 PST 2020


Sigma is awesome to use and works well with Zeek logs in my opinion.  I've
only written a few sigma detections for Zeek but it's basically the same
process as creating any other sigma detection.  Identify what fields/values
are of interest in the log and add those as selection criteria in the
sigma rule. Additionally, you may want to write a sigma log source config to
map Zeek to the appropriate fields for the target SIEM.  There are some
good write-ups on how to write sigma rules if you haven't done so before. I
would also add that you will save yourself a lot of
head-banging/frustration if you use a text editor that supports a YAML
linter like VS Code or Atom.


-James

On Mon, Feb 10, 2020 at 10:04 AM Terry Leach <terry.leach at astrolytes.com>
wrote:

> I'm interested in using Zeek for NSM and SIGMA generated rulesets for
> SIEMs together.  I'd like to hear from anyone about their experience using
> both together for detection. Any feedback welcomed!
>
>
> Thanks,
> --
> Terry Leach
> Astrolytes
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
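A worked version of the process James describes (pick the Zeek fields of interest, put them in a Sigma selection, and map them to the names the SIEM indexes), as an added example that is not part of the original thread: a Sigma rule in the dict form its YAML loads to, a constructed field mapping, a minimal matcher for the selection/filter/condition subset the rule uses, and constructed Zeek dns.log records in JSON. Every rule name, field mapping and log value here is constructed for the example.

```python
import json

# Constructed Sigma rule, in the dict form a YAML rule file loads to:
# fire on Zeek dns.log TXT lookups for domains outside an allowlist.
RULE = {
    "title": "Zeek DNS TXT lookup to non-allowlisted domain",
    "logsource": {"product": "zeek", "service": "dns"},
    "detection": {
        "selection": {"qtype_name": "TXT"},
        "filter": {"query|endswith": [".example.com", ".example.net"]},
        "condition": "selection and not filter",
    },
}
# Constructed log source config: Zeek field name -> name the SIEM indexes it under.
FIELD_MAP = {"query": "dns.query", "qtype_name": "dns.qtype_name"}
# Sigma value modifiers this matcher understands (comparison is case-insensitive).
MODIFIERS = {"": str.__eq__, "endswith": str.endswith, "contains": lambda a, e: e in a}

def _match_selection(selection, event, field_map):
    # Every key must match (AND); a list value matches on any element (OR).
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = str(event.get(field_map.get(field, field), "")).lower()
        values = expected if isinstance(expected, list) else [expected]
        if not any(MODIFIERS[modifier](actual, str(v).lower()) for v in values):
            return False
    return True

def _eval_condition(condition, results):
    # Left-to-right 'x and not y or z'; Sigma parentheses and precedence are not handled.
    value, op, negate = None, "and", False
    for tok in condition.split():
        if tok == "not":
            negate = True
        elif tok in ("and", "or"):
            op = tok
        else:
            term, negate = results[tok] != negate, False  # apply a pending 'not'
            value = term if value is None else (value and term if op == "and" else value or term)
    return bool(value)

def rule_matches(rule, event, field_map=FIELD_MAP):
    results = {k: _match_selection(v, event, field_map)
               for k, v in rule["detection"].items() if k != "condition"}
    return _eval_condition(rule["detection"]["condition"], results)

# Constructed Zeek dns.log records as the SIEM stores them (flattened JSON, one per line).
SAMPLE_DNS_LOG = [
    '{"ts": 1581445800.1, "id.orig_h": "10.0.0.5", "dns.query": "mail.example.com", "dns.qtype_name": "TXT"}',
    '{"ts": 1581445801.2, "id.orig_h": "10.0.0.5", "dns.query": "www.example.org", "dns.qtype_name": "A"}',
    '{"ts": 1581445802.3, "id.orig_h": "10.0.0.7", "dns.query": "txt.example.org", "dns.qtype_name": "TXT"}',
]

def scan(lines, rule=RULE):
    # Return (source host, query) for every record the rule fires on.
    return [(e["id.orig_h"], e["dns.query"]) for e in map(json.loads, lines) if rule_matches(rule, e)]
```

Only the third record fires: it is a TXT lookup and its domain is not covered by the filter's allowlist, while the first is allowlisted and the second is not a TXT query.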

