[Zeek] Using Zeek with SIGMA

James Dickenson jdickenson at gmail.com
Thu Feb 13 08:45:39 PST 2020


I felt bad that there weren't any rules yet in the Sigma rule repository for
Zeek, so I added a rule for Kerberos TGS requests with the rc4-hmac cipher
yesterday that looks like it got merged. Hopefully you find it helpful.

I'm looking forward to the Corelight team's contributions to Sigma as well!

-James

On Thu, Feb 13, 2020 at 8:02 AM Terry Leach <terry.leach at astrolytes.com>
wrote:

> WOW! Thank you both for the update.
>
> On Wed, Feb 12, 2020 at 5:33 PM Brian Dye <brian at corelight.com> wrote:
>
>> As a quick add to this, we've got work in flight to map the Zeek fields
>> in to the Sigma sources. Will be contributing that, so while it isn't ready
>> yet looking forward to sharing when ready (no ETA yet, sorry - but work is
>> in flight at least).
>>
>> On Tue, Feb 11, 2020 at 9:34 PM James Dickenson <jdickenson at gmail.com>
>> wrote:
>>
>>> Sigma is awesome to use and works well with Zeek logs in my opinion.
>>> I've only written a few Sigma detections for Zeek, but it's basically the
>>> same process as creating any other Sigma detection. Identify which
>>> fields/values are of interest in the log and add those as selection
>>> criteria in the Sigma rule. Additionally, you may want to write a Sigma log
>>> source config to map Zeek to the appropriate fields for the target SIEM.
>>> There are some good write-ups on how to write Sigma rules if you haven't
>>> done so before. I would also add that you will save yourself a lot of
>>> head-banging/frustration if you use a text editor that supports a YAML
>>> linter, like VS Code or Atom.
>>>
>>>
>>> -James
>>>
>>> On Mon, Feb 10, 2020 at 10:04 AM Terry Leach <terry.leach at astrolytes.com>
>>> wrote:
>>>
>>>> I'm interested in using Zeek for NSM and Sigma-generated rulesets for
>>>> SIEMs together. I'd like to hear from anyone about their experience using
>>>> both together for detection. Any feedback welcome!
>>>>
>>>>
>>>> Thanks,
>>>> --
>>>> Terry Leach
>>>> Astrolytes
>>>> _______________________________________________
>>>> Zeek mailing list
>>>> zeek at zeek.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>>
>>
>>
>
> --
> Terry Leach
> Astrolytes
> 202-670-0882
>