2024-10-22 –, Vianden & Wiltz
Log events appear differently in SIEMs. There are plenty of different taxonomies, possibilities for customization or just migration scenarios that make it challenging to generate queries from Sigma rules that match on events in given log repositories. Processing pipelines are a feature of the open source Sigma toolchain that offer a solution for these challenges and this session is about some real-world use cases for them.
The Sigma project offers thousands of open source detection rules that can be used to conduct threat hunting and detection. But before this can be done the conversion tool has to be configured properly to generate queries that match on the given data model in the used SIEM or EDR. pySigma processing pipelines offer a feature-rich YAML-based language for this purpose that allows a wide range of transformations like:
- simple field mappings
- value transformation with regular expressions
- Addition of conditions
- Handling of placeholders
- conditional Jinja2-based templating
Transformations can be applied conditionally to rules with specific attributes or detection items that match a given pattern.
In this hands-on session you will learn some common use cases for processing pipelines and have the opportunity to discuss real-world challenges you encountered while operationalization of Sigma rules in your environment.
Thomas has 18 years experience in information security and has done lots of stuff in this area, from offensive to defensive security topics. Now he is doing incident response, threat hunting and threat intelligence at the Evonik Cyber Defense Team. Furthermore, he is co-founder of the Sigma project and maintains the open source toolchain (pySigma/Sigma CLI).