[Zeek] Using Zeek with SIGMA
James Dickenson
jdickenson at gmail.com
Thu Feb 13 08:45:39 PST 2020
I felt bad that there weren't any rules yet in the Sigma rule repository for
Zeek, so I added a rule for Kerberos TGS requests with the rc4-hmac cipher
yesterday that looks like it got merged. Hopefully you find it helpful.
I'm looking forward to the Corelight team's contributions to Sigma as well!
-James
On Thu, Feb 13, 2020 at 8:02 AM Terry Leach <terry.leach at astrolytes.com>
wrote:
> WOW! Thank you both for the update.
>
> On Wed, Feb 12, 2020 at 5:33 PM Brian Dye <brian at corelight.com> wrote:
>
>> As a quick add to this, we've got work in flight to map the Zeek fields
>> into the Sigma sources. We will be contributing that, so while it isn't ready
>> yet, I'm looking forward to sharing it when it is (no ETA yet, sorry - but work is
>> in flight at least).
>>
>> On Tue, Feb 11, 2020 at 9:34 PM James Dickenson <jdickenson at gmail.com>
>> wrote:
>>
>>> Sigma is awesome to use and works well with Zeek logs in my opinion.
>>> I've only written a few Sigma detections for Zeek, but it's basically the
>>> same process as creating any other Sigma detection. Identify which
>>> fields/values are of interest in the log and add those as selection
>>> criteria in the Sigma rule. Additionally, you may want to write a Sigma log
>>> source config to map Zeek to the appropriate fields for the target SIEM.
>>> There are some good write-ups on how to write Sigma rules if you haven't
>>> done so before. I would also add that you will save yourself a lot of
>>> head-banging/frustration if you use a text editor that supports a YAML
>>> linter, like VS Code or Atom.
>>>
>>>
>>> -James
>>>
>>> On Mon, Feb 10, 2020 at 10:04 AM Terry Leach <terry.leach at astrolytes.com>
>>> wrote:
>>>
>>>> I'm interested in using Zeek for NSM and SIGMA generated rulesets for
>>>> SIEMs together. I'd like to hear from anyone about their experience using
>>>> both together for detection. Any feedback welcomed!
>>>>
>>>>
>>>> Thanks,
>>>> --
>>>> Terry Leach
>>>> Astrolytes
>>>> _______________________________________________
>>>> Zeek mailing list
>>>> zeek at zeek.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>>
>>
>>
>
> --
> Terry Leach
> Astrolytes
> 202-670-0882
>
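The process James describes above (pick the fields and values of interest in a Zeek log, make them the selection criteria of a Sigma rule, and use a log source config to map field names for the target SIEM), worked through as an added example that is not part of the thread and not the rule James merged. The rule, the nested `zeek.kerberos.*` SIEM layout in `SIEM_FIELDMAP`, the `krbtgt/` tuning filter and the kerberos.log lines are all my own constructions for illustration; the matcher is a deliberately small subset of Sigma semantics (AND within a selection, OR across list values, `startswith`/`contains` modifiers, `a and not b` conditions), not the sigmac tooling.

```python
"""Sigma-style matching of Zeek kerberos.log events (added example).

RULE is an illustration of the detection discussed in the thread (Kerberos
TGS requests negotiated with the rc4-hmac cipher); it is NOT the rule that
was merged into the Sigma repository.  As Sigma YAML it would read:

    title: Kerberos TGS Request With RC4 Cipher
    logsource:
        product: zeek
        service: kerberos
    detection:
        selection:
            request_type: TGS
            cipher: rc4-hmac
        filter:                      # tuning assumption: skip TGT renewals
            service|startswith: 'krbtgt/'
        condition: selection and not filter
    level: medium
"""
import json

RULE = {  # Python equivalent of the YAML above, so PyYAML is not required
    "title": "Kerberos TGS Request With RC4 Cipher",
    "logsource": {"product": "zeek", "service": "kerberos"},
    "detection": {
        "selection": {"request_type": "TGS", "cipher": "rc4-hmac"},
        "filter": {"service|startswith": "krbtgt/"},
        "condition": "selection and not filter",
    },
    "level": "medium",
}

# Field mapping in the spirit of a Sigma logsource config, for a hypothetical
# SIEM that stores kerberos.log under a nested "zeek.kerberos" object.
# This layout is assumed; raw Zeek JSON needs no mapping at all.
SIEM_FIELDMAP = {
    "request_type": "zeek.kerberos.request_type",
    "cipher": "zeek.kerberos.cipher",
    "service": "zeek.kerberos.service",
}

# Constructed Zeek kerberos.log lines (JSON output), not real captures.
ZEEK_KERBEROS_LOG = [
    '{"ts":1581612000.1,"uid":"CxK1a","id.orig_h":"10.0.0.5","request_type":"TGS",'
    '"client":"jdoe/EXAMPLE.COM","service":"MSSQLSvc/sql01.example.com:1433","cipher":"rc4-hmac"}',
    '{"ts":1581612001.2,"uid":"CxK1b","id.orig_h":"10.0.0.5","request_type":"TGS",'
    '"client":"jdoe/EXAMPLE.COM","service":"krbtgt/EXAMPLE.COM","cipher":"rc4-hmac"}',
    '{"ts":1581612002.3,"uid":"CxK1c","id.orig_h":"10.0.0.7","request_type":"AS",'
    '"client":"svc_backup/EXAMPLE.COM","service":"krbtgt/EXAMPLE.COM","cipher":"aes256-cts-hmac-sha1-96"}',
    '{"ts":1581612003.4,"uid":"CxK1d","id.orig_h":"10.0.0.7","request_type":"TGS",'
    '"client":"svc_backup/EXAMPLE.COM","service":"HTTP/web01.example.com","cipher":"aes256-cts-hmac-sha1-96"}',
]


def get_field(event, name):
    """Exact key first (Zeek keys such as "id.orig_h" contain literal dots),
    then fall back to dotted traversal of nested objects."""
    if name in event:
        return event[name]
    cur = event
    for part in name.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def match_value(actual, expected, modifier):
    """Compare one field; a list of expected values is an OR, as in Sigma."""
    if actual is None:
        return False
    if isinstance(expected, list):
        return any(match_value(actual, e, modifier) for e in expected)
    a, e = str(actual), str(expected)
    if modifier is None:
        return a == e
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "contains":
        return e in a
    raise ValueError(f"unsupported modifier: {modifier}")


def match_selection(event, selection, fieldmap):
    """All field: value pairs inside one selection map are ANDed."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = get_field(event, fieldmap.get(field, field))
        if not match_value(actual, expected, modifier or None):
            return False
    return True


def evaluate_condition(condition, results):
    """Handles the common 'a and b and not c' shape (no 'or', no parentheses)."""
    value = True
    for term in condition.split(" and "):
        negate = term.startswith("not ")
        hit = results[term[4:] if negate else term]  # KeyError if undefined
        value = value and (hit != negate)
    return value


def rule_matches(rule, event, fieldmap=None):
    detection = rule["detection"]
    results = {name: match_selection(event, sel, fieldmap or {})
               for name, sel in detection.items() if name != "condition"}
    return evaluate_condition(detection["condition"], results)


def run_rule(rule, lines, fieldmap=None):
    """Return the parsed events the rule fires on."""
    events = [json.loads(line) for line in lines]
    return [ev for ev in events if rule_matches(rule, ev, fieldmap)]


if __name__ == "__main__":
    for hit in run_rule(RULE, ZEEK_KERBEROS_LOG):
        print(RULE["title"], hit["uid"], hit["client"], hit["service"])
```

Run against the raw Zeek lines, only the TGS request for `MSSQLSvc/...` with `rc4-hmac` fires; the `krbtgt/` renewal is dropped by the filter and the AES requests never match the selection. Feeding the same event in the nested SIEM shape without `SIEM_FIELDMAP` silently matches nothing, which is exactly the failure the log source config exists to prevent.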