[Zeek] Using Zeek with SIGMA

Terry Leach terry.leach at astrolytes.com
Thu Feb 13 08:02:15 PST 2020


WOW! Thank you both for the update.

On Wed, Feb 12, 2020 at 5:33 PM Brian Dye <brian at corelight.com> wrote:

> As a quick add to this, we've got work in flight to map the Zeek fields in
> to the Sigma sources. Will be contributing that, so while it isn't ready
> yet, looking forward to sharing when ready (no ETA yet, sorry - but work is
> in flight at least).
>
> On Tue, Feb 11, 2020 at 9:34 PM James Dickenson <jdickenson at gmail.com>
> wrote:
>
>> Sigma is awesome to use and works well with Zeek logs in my opinion.
>> I've only written a few sigma detections for Zeek but it's basically the
>> same process as creating any other sigma detection.  Identify what
>> fields/values that are of interest in the log and add those as selection
>> criteria in the sigma rule. Additionally you may want to write a sigma log
>> source config to map Zeek to the appropriate fields for the target SIEM.
>> There are some good write-ups on how to write sigma rules if you haven't
>> done so before. I would also add that you will save yourself a lot of
>> head-banging/frustration if you use a text editor that supports a yaml
>> linter like VS Code or Atom.
>>
>>
>> -James
>>
>> On Mon, Feb 10, 2020 at 10:04 AM Terry Leach <terry.leach at astrolytes.com>
>> wrote:
>>
>>> I'm interested in using Zeek for NSM and SIGMA generated rulesets for
>>> SIEMs together.  I'd like to hear from anyone about their experience using
>>> both together for detection. Any feedback welcomed!
>>>
>>>
>>> Thanks,
>>> --
>>> Terry Leach
>>> Astrolytes
>>> _______________________________________________
>>> Zeek mailing list
>>> zeek at zeek.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>
>
>

-- 
Terry Leach
Astrolytes
202-670-0882
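To make James's two steps concrete (pick the Zeek fields of interest as selection criteria, then map Sigma's generic field names onto Zeek's column names with a log source config), here is an added example that is not part of this thread or of the Sigma or Zeek projects. The rule, the field-mapping dict and the three conn.log records are all constructed for illustration; the "approved jump host" address is a hypothetical placeholder.

```python
import json

# Constructed example rule in Sigma's structure (not a rule shipped with Sigma or Zeek);
# selection fields use Sigma's generic network names, not Zeek's column names.
RULE = {
    "title": "Cleartext Telnet from internal host",
    "logsource": {"product": "zeek", "service": "conn"},
    "detection": {
        "selection": {"dst_port": 23, "proto": "tcp"},
        "filter": {"dst_ip": ["10.0.0.5"]},  # hypothetical approved jump host
        "condition": "selection and not filter",
    },
}

# Assumed field-mapping config of the kind James describes: Sigma names -> Zeek conn.log columns.
ZEEK_FIELDMAP = {"src_ip": "id.orig_h", "dst_ip": "id.resp_h",
                 "src_port": "id.orig_p", "dst_port": "id.resp_p"}

def block_matches(block, event, fieldmap):
    """True if every field in a selection block equals (or is one of) the event's value."""
    for field, wanted in block.items():
        value = event.get(fieldmap.get(field, field))  # unmapped names pass through unchanged
        options = wanted if isinstance(wanted, list) else [wanted]
        if value not in options:
            return False
    return True

def evaluate(rule, event, fieldmap=ZEEK_FIELDMAP):
    """Evaluate the two condition shapes this example supports."""
    det = rule["detection"]
    selected = block_matches(det["selection"], event, fieldmap)
    if det["condition"] == "selection":
        return selected
    if det["condition"] == "selection and not filter":
        return selected and not block_matches(det["filter"], event, fieldmap)
    raise ValueError("unsupported condition: " + det["condition"])

# Constructed Zeek conn.log records in JSON form (Zeek's JSON writer flattens "id" into keys like "id.resp_p").
SAMPLE_LOG = """\
{"ts":1581552000.1,"uid":"C1","id.orig_h":"192.168.1.10","id.orig_p":51000,"id.resp_h":"203.0.113.7","id.resp_p":23,"proto":"tcp"}
{"ts":1581552001.2,"uid":"C2","id.orig_h":"192.168.1.11","id.orig_p":51001,"id.resp_h":"10.0.0.5","id.resp_p":23,"proto":"tcp"}
{"ts":1581552002.3,"uid":"C3","id.orig_h":"192.168.1.12","id.orig_p":51002,"id.resp_h":"203.0.113.9","id.resp_p":443,"proto":"tcp"}
"""

def matching_uids(rule, log_text):
    """Return the uid of every log line that triggers the rule."""
    return [e["uid"] for e in map(json.loads, log_text.splitlines()) if evaluate(rule, e)]

if __name__ == "__main__":
    print(matching_uids(RULE, SAMPLE_LOG))  # ['C1']
```

Only C1 fires: C2 hits the selection but is excluded by the filter, and C3 is on a different port.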