[Zeek] Using Zeek with SIGMA

Brian Dye brian at corelight.com
Wed Feb 12 14:33:12 PST 2020


As a quick add to this, we've got work in flight to map the Zeek fields in
to the Sigma sources. Will be contributing that, so while it isn't ready
yet, looking forward to sharing when ready (no ETA yet, sorry - but work is
in flight at least).

On Tue, Feb 11, 2020 at 9:34 PM James Dickenson <jdickenson at gmail.com>
wrote:

> Sigma is awesome to use and works well with Zeek logs in my opinion.  I've
> only written a few sigma detections for Zeek but it's basically the same
> process as creating any other sigma detection.  Identify what fields/values
> that are of interest in the log and add those as selection criteria in the
> sigma rule. Additionally you may want to write a sigma log source config to
> map Zeek to the appropriate fields for the target SIEM.  There are some
> good write-ups on how to write sigma rules if you haven't done so before. I
> would also add that you will save yourself a lot of
> head-banging/frustration if you use a text editor that supports a YAML
> linter like VS Code or Atom.
>
>
> -James
>
> On Mon, Feb 10, 2020 at 10:04 AM Terry Leach <terry.leach at astrolytes.com>
> wrote:
>
>> I'm interested in using Zeek for NSM and SIGMA generated rulesets for
>> SIEMs together.  I'd like to hear from anyone about their experience using
>> both together for detection. Any feedback welcomed!
>>
>>
>> Thanks,
>> --
>> Terry Leach
>> Astrolytes
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
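The process James describes (identify the Zeek fields and values of interest, express them as selection criteria, and map field names for the target backend) worked through as an added example that is not part of the original thread and is not code from the Sigma or Zeek projects: a small Python evaluator that applies a Sigma-style detection section, via a constructed field map, to constructed Zeek http.log lines in JSON form. The rule, the `ZEEK_HTTP_FIELDMAP` mapping, and the three sample records are assumptions made for this example; the Zeek column names follow the http.log schema, and the value modifiers (`contains`, `startswith`, `endswith`) follow Sigma's case-insensitive matching.

```python
"""Minimal evaluator for Sigma-style selection criteria against Zeek JSON logs.
Everything here is constructed for illustration: the rule, the field map and
the three sample http.log records are not taken from any real dataset."""
import json

# Hypothetical logsource field mapping (Sigma field name -> Zeek column).
# A real Sigma backend config does this per target SIEM; here it is in-process.
ZEEK_HTTP_FIELDMAP = {
    "src_ip": "id.orig_h",
    "dst_ip": "id.resp_h",
    "http_method": "method",
    "user_agent": "user_agent",
    "status": "status_code",
}

# Constructed rule in the shape of Sigma's detection section.
RULE = {
    "title": "Scripted HTTP POST to external host (example rule)",
    "logsource": {"product": "zeek", "service": "http"},
    "detection": {
        "selection": {
            "http_method": "POST",
            "user_agent|contains": ["python-requests", "curl/"],
        },
        "filter": {"dst_ip|startswith": "10."},
        "condition": "selection and not filter",
    },
}

# Constructed Zeek http.log records as JSON (the shape Zeek writes with
# LogAscii::use_json=T); keys such as "id.orig_h" are literal dotted names.
SAMPLE_HTTP_LOG = """\
{"ts":1581525000.1,"uid":"Cabc1","id.orig_h":"192.168.1.20","id.resp_h":"203.0.113.7","method":"POST","user_agent":"python-requests/2.22.0","status_code":200}
{"ts":1581525001.2,"uid":"Cabc2","id.orig_h":"192.168.1.21","id.resp_h":"10.0.0.5","method":"POST","user_agent":"curl/7.64.0","status_code":200}
{"ts":1581525002.3,"uid":"Cabc3","id.orig_h":"192.168.1.22","id.resp_h":"203.0.113.9","method":"GET","user_agent":"Mozilla/5.0","status_code":404}
"""


def _match_value(actual, expected, modifier):
    """Apply one Sigma value modifier; Sigma string matching is case-insensitive."""
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    if modifier is None:
        return a == e
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection, record, fieldmap):
    """All keys in a selection must match (AND); a list of values is an OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        zeek_field = fieldmap.get(field, field)  # unmapped names pass through
        actual = record.get(zeek_field)
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(actual, v, modifier or None) for v in values):
            return False
    return True


def rule_matches(rule, record, fieldmap):
    """Evaluate a condition of the form 'a and b and not c'."""
    detection = rule["detection"]
    for term in detection["condition"].split(" and "):
        negate = term.startswith("not ")
        name = term[4:] if negate else term
        hit = selection_matches(detection[name], record, fieldmap)
        if hit == negate:  # a required selection missed, or a negated one hit
            return False
    return True


def run_rule(rule, log_text, fieldmap):
    """Return the uids of the log records that trigger the rule."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if rule_matches(rule, record, fieldmap):
            hits.append(record["uid"])
    return hits


if __name__ == "__main__":
    for uid in run_rule(RULE, SAMPLE_HTTP_LOG, ZEEK_HTTP_FIELDMAP):
        print(f"{RULE['title']}: uid={uid}")
```

Only the first record fires: the second matches the selection but is excluded by the filter on the internal destination, and the third is a GET. The field map is the piece a Sigma logsource config supplies per SIEM; keeping it separate from the rule is what lets the same rule be converted for different backends.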