[Zeek] Using Zeek with SIGMA

Terry Leach terry.leach at astrolytes.com
Thu Feb 13 12:30:06 PST 2020


Awesome, thanks for the update!

On Thu, Feb 13, 2020, 11:45 James Dickenson <jdickenson at gmail.com> wrote:

> I felt bad that there weren't any rules yet in the Sigma rule repository for
> Zeek so I added a rule for Kerberos TGS requests with rc4-hmac cipher
> yesterday that looks like it got merged.  Hopefully you find it helpful.
>
> I'm looking forward to the Corelight team's contributions to Sigma as
> well!
>
> -James
>
> On Thu, Feb 13, 2020 at 8:02 AM Terry Leach <terry.leach at astrolytes.com>
> wrote:
>
>> WOW! Thank you both for the update.
>>
>> On Wed, Feb 12, 2020 at 5:33 PM Brian Dye <brian at corelight.com> wrote:
>>
>>> As a quick add to this, we've got work in flight to map the Zeek fields
>>> in to the Sigma sources. Will be contributing that, so while it isn't ready
>>> yet looking forward to sharing when ready (no ETA yet, sorry - but work is
>>> in flight at least).
>>>
>>> On Tue, Feb 11, 2020 at 9:34 PM James Dickenson <jdickenson at gmail.com>
>>> wrote:
>>>
>>>> Sigma is awesome to use and works well with Zeek logs in my opinion.
>>>> I've only written a few sigma detections for Zeek but it's basically the
>>>> same process as creating any other sigma detection.  Identify what
>>>> fields/values that are of interest in the log and add those as selection
>>>> criteria in the sigma rule. Additionally you may want to write a sigma log
>>>> source config to map Zeek to the appropriate fields for the target SIEM.
>>>> There are some good write-ups on how to write sigma rules if you haven't
>>>> done so before. I would also add that you will save yourself a lot of
>>>> head-banging/frustration if you use a text editor that supports a yaml
>>>> linter like VS Code or Atom.
>>>>
>>>>
>>>> -James
>>>>
>>>> On Mon, Feb 10, 2020 at 10:04 AM Terry Leach <
>>>> terry.leach at astrolytes.com> wrote:
>>>>
>>>>> I'm interested in using Zeek for NSM and SIGMA generated rulesets for
>>>>> SIEMs together.  I'd like to hear from anyone about their experience using
>>>>> both together for detection. Any feedback welcomed!
>>>>>
>>>>>
>>>>> Thanks,
>>>>> --
>>>>> Terry Leach
>>>>> Astrolytes
>>>>> _______________________________________________
>>>>> Zeek mailing list
>>>>> zeek at zeek.org
>>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>>>
>>>
>>>
>>
>> --
>> Terry Leach
>> Astrolytes
>> 202-670-0882
>>
>
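The workflow James describes above (pick the Zeek log fields and values of interest, put them in the rule's selection, and map field names through a Sigma log source config for the target backend), worked through as an added example. This is not code from the thread and not the rule that was merged into the Sigma repository: the rule, the field mapping, the "scanner" address 10.0.0.5 and the kerberos.log records are all constructed here, and the condition evaluator only handles the `selection and not filter` shape used by this rule, not the full Sigma condition grammar. The record keys assume Zeek's JSON-formatted kerberos.log (`request_type`, `cipher`, `service`, `id.orig_h`, ...).

```python
import fnmatch
import json

# Added example rule. Equivalent Sigma YAML for the dict below (assumed,
# not the upstream rule):
#
#   title: Kerberos TGS Request With RC4 Cipher
#   logsource:
#     product: zeek
#     service: kerberos
#   detection:
#     selection:
#       request_type: 'TGS'
#       cipher: 'rc4-hmac'
#     filter_tgt:
#       service|startswith: 'krbtgt/'      # TGT renewals are not service tickets
#     filter_scanner:
#       src_ip: '10.0.0.5'                 # constructed allowlisted scanner
#     condition: selection and not filter_tgt and not filter_scanner
RULE = {
    "title": "Kerberos TGS Request With RC4 Cipher",
    "logsource": {"product": "zeek", "service": "kerberos"},
    "detection": {
        "selection": {"request_type": "TGS", "cipher": "rc4-hmac"},
        "filter_tgt": {"service|startswith": "krbtgt/"},
        "filter_scanner": {"src_ip": "10.0.0.5"},
        "condition": "selection and not filter_tgt and not filter_scanner",
    },
}

# Log source config: generic rule field -> key Zeek writes in JSON kerberos.log.
# Unlisted fields map to themselves. This is the one place that changes when
# the SIEM renames Zeek fields (e.g. id.orig_h becoming id_orig_h on ingest).
FIELDMAP = {"src_ip": "id.orig_h", "dst_ip": "id.resp_h"}


def _rec(uid, src, req, service, cipher):
    """Build one constructed kerberos.log record with Zeek's JSON field names."""
    return {"ts": 1581621600.0, "uid": uid, "id.orig_h": src, "id.orig_p": 50412,
            "id.resp_h": "10.0.0.2", "id.resp_p": 88, "request_type": req,
            "client": "jdoe/CORP.LOCAL", "service": service, "success": True,
            "cipher": cipher, "forwardable": True, "renewable": True}


# Constructed sample log, one JSON object per line as Zeek emits it.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    _rec("C1roast", "10.0.0.12", "TGS", "MSSQLSvc/sql01.corp.local:1433", "rc4-hmac"),
    _rec("C2aes", "10.0.0.12", "TGS", "HTTP/web01.corp.local", "aes256-cts-hmac-sha1-96"),
    _rec("C3as", "10.0.0.12", "AS", "krbtgt/CORP.LOCAL", "rc4-hmac"),
    _rec("C4tgt", "10.0.0.12", "TGS", "krbtgt/CORP.LOCAL", "rc4-hmac"),
    _rec("C5scan", "10.0.0.5", "TGS", "cifs/fs01.corp.local", "rc4-hmac"),
])


def _match_value(actual, pattern, modifier):
    """Sigma string semantics: case-insensitive; '*' and '?' wildcards on plain values."""
    if actual is None:
        return False
    a, p = str(actual).lower(), str(pattern).lower()
    if modifier == "startswith":
        return a.startswith(p)
    if modifier == "endswith":
        return a.endswith(p)
    if modifier == "contains":
        return p in a
    return fnmatch.fnmatchcase(a, p)


def _match_block(block, record, fieldmap):
    """Every key in a block must match (AND); a list value matches if any item does (OR)."""
    for key, pattern in block.items():
        field, _, modifier = key.partition("|")
        actual = record.get(fieldmap.get(field, field))
        patterns = pattern if isinstance(pattern, list) else [pattern]
        if not any(_match_value(actual, p, modifier) for p in patterns):
            return False
    return True


def _evaluate(condition, results):
    """Restricted condition evaluator: names joined by 'and', each optionally 'not'-prefixed.
    'or', parentheses, '1 of', and aggregations are deliberately out of scope."""
    for term in condition.split(" and "):
        negate = term.startswith("not ")
        name = term[4:] if negate else term
        if name not in results:
            raise ValueError(f"unknown selection name in condition: {name}")
        if results[name] == negate:
            return False
    return True


def run_rule(rule, fieldmap, log_text):
    """Apply the rule to JSON-lines Zeek log text; return the uids of matching records."""
    detection = rule["detection"]
    blocks = {k: v for k, v in detection.items() if k != "condition"}
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        results = {name: _match_block(b, record, fieldmap) for name, b in blocks.items()}
        if _evaluate(detection["condition"], results):
            hits.append(record["uid"])
    return hits


if __name__ == "__main__":
    print(run_rule(RULE, FIELDMAP, SAMPLE_LOG))
```

Only the first record (a TGS request for a service SPN with rc4-hmac from a non-allowlisted host) fires: the AES request, the AS request, the krbtgt renewal and the scanner's request are all excluded by the selection or one of the filters. In a real deployment the same rule text is compiled by sigmac against a log source config that carries the FIELDMAP equivalent for the backend, so the rule never has to know whether the SIEM kept Zeek's `id.orig_h` or renamed it.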