Hack.lu 2017 Sigma - Generic Signatures for Log Events by Thomas Patzke


Sigma - Generic Signatures for Log Events

by Thomas Patzke

Log files are a great resource for threat hunting and incident analysis. Unfortunately, there is no standardized signature format for them comparable to YARA for files or Snort signatures for network traffic. This makes sharing log signatures between security researchers and software developers problematic. Further, most SIEM systems have their own query language, which makes signature distribution in large heterogeneous environments inefficient and increases the cost of replacing a SIEM solution.

Sigma tries to fill these gaps by providing a YAML-based format for log signatures, an open repository of signatures and an extensible tool that converts Sigma signatures into different query languages. Rules and tools were released as open source and are actively developed. This presentation gives an overview of use cases, Sigma rules and the conversion tool, the development community and future plans of the project.
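To make the two halves of the abstract concrete (a generic rule format, and a converter that turns it into a backend query), here is an added example that is not part of the talk or of the Sigma project. The rule is a constructed one that mirrors the shape of a Sigma YAML file (title, logsource, detection with named selections, a condition, and field modifiers such as `|endswith` and `|contains`) but is held as a Python dict so the example runs without a YAML library; the converter emits a Lucene/Elasticsearch `query_string` style query and is a simplified stand-in for the project's own `sigmac` tool, not its code. The allow-listed parent process `legit_deploy_tool.exe` and all events are constructed sample data.

```python
"""Sigma-style rule: evaluate it over events and convert it to a Lucene query.

Added example. RULE is a constructed rule in the Sigma layout (title, logsource,
detection/selection/filter/condition, level); it is not taken from the public
Sigma repository, and rule_to_lucene() is a simplified illustration of what a
converter backend does, not the project's sigmac implementation.
"""

# Constructed rule. In a real Sigma rule file this structure is written as YAML.
RULE = {
    "title": "Encoded PowerShell Command Line (constructed example)",
    "status": "experimental",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        # Fields inside one selection are ANDed; a list of values is ORed.
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc ", "-EncodedCommand "],
        },
        # Hypothetical allow-listed software-deployment parent process.
        "filter": {"ParentImage|endswith": "\\legit_deploy_tool.exe"},
        "condition": "selection and not filter",
    },
    "level": "high",
}

# Constructed process-creation events (Sysmon-like field names).
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoP -enc BASE64PAYLOAD",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand BASE64PAYLOAD",
     "ParentImage": "C:\\Program Files\\Deploy\\legit_deploy_tool.exe"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File backup.ps1",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]


def match_field(field_spec, expected, event):
    """Match one 'Field|modifier' entry against an event, case-insensitively
    (most Sigma backends compare case-insensitively)."""
    field, _, modifier = field_spec.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual_l = str(actual).lower()
    values = expected if isinstance(expected, list) else [expected]
    for value in (str(v).lower() for v in values):
        if modifier == "contains" and value in actual_l:
            return True
        if modifier == "startswith" and actual_l.startswith(value):
            return True
        if modifier == "endswith" and actual_l.endswith(value):
            return True
        if modifier == "" and actual_l == value:
            return True
    return False


def match_selection(selection, event):
    """All fields of a selection must match (AND)."""
    return all(match_field(k, v, event) for k, v in selection.items())


def evaluate_condition(condition, results):
    """Evaluate a condition such as 'selection', 'not x', 'a and not b', 'a or b'.
    Left-to-right, no parentheses: enough for the common rule shapes."""
    tokens = condition.split()

    def term(i):
        if tokens[i] == "not":
            value, i = term(i + 1)
            return (not value), i
        return results[tokens[i]], i + 1

    value, i = term(0)
    while i < len(tokens):
        op = tokens[i]
        rhs, i = term(i + 1)
        value = (value and rhs) if op == "and" else (value or rhs)
    return value


def matching_events(rule, events):
    """Return the indices of events that the rule fires on."""
    detection = rule["detection"]
    names = [k for k in detection if k != "condition"]
    hits = []
    for idx, event in enumerate(events):
        results = {n: match_selection(detection[n], event) for n in names}
        if evaluate_condition(detection["condition"], results):
            hits.append(idx)
    return hits


# Characters that must be backslash-escaped in a Lucene query_string term.
LUCENE_SPECIALS = set('+-=&|><!(){}[]^"~*?:\\/ ')


def lucene_escape(value):
    return "".join("\\" + c if c in LUCENE_SPECIALS else c for c in value)


def field_to_lucene(field_spec, expected):
    """Translate a Sigma field modifier into a wildcard term."""
    field, _, modifier = field_spec.partition("|")
    pattern = {"contains": "*{}*", "startswith": "{}*", "endswith": "*{}"}.get(modifier, "{}")
    values = expected if isinstance(expected, list) else [expected]
    terms = [pattern.format(lucene_escape(str(v))) for v in values]
    body = terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"
    return field + ":" + body


def rule_to_lucene(rule):
    """Substitute each selection name in the condition with its query fragment."""
    detection = rule["detection"]
    out = []
    for token in detection["condition"].split():
        if token in detection and token != "condition":
            out.append("(" + " AND ".join(field_to_lucene(k, v) for k, v in detection[token].items()) + ")")
        else:
            out.append(token.upper())  # and / or / not -> AND / OR / NOT
    return " ".join(out)


if __name__ == "__main__":
    print(rule_to_lucene(RULE))
    print("matching events:", matching_events(RULE, EVENTS))
```

Event 0 fires (PowerShell with an encoded command line), event 1 is suppressed by the `filter` selection even though the `selection` part matches, and events 2 and 3 miss on `Image` and `CommandLine` respectively. The same `detection` block is what the converter turns into `(...) AND NOT (...)`, which is the point of the format: the detection logic is written once and the backend-specific query is generated.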

Bio: Thomas Patzke

Thomas Patzke has more than 10 years of experience in the area of information security and currently works at thyssenkrupp CERT. His main job is the discovery of vulnerabilities in applications and products, but he also enjoys working on defensive topics, especially in the area of threat hunting. Thomas likes to create and contribute to open source security tools like Sigma, EQUEL, an ELK configuration for Linux systems, a POODLE exploit and various plugins for the Burp Suite (github.com/thomaspatzke).

He does not have a single certification and is quite proud of it.

Reviewed by Anonymous on March 08, 2018. Rating: 5