Using Zeek with SIGMA

I’m interested in using Zeek for NSM and SIGMA-generated rulesets for SIEMs together. I’d like to hear from anyone about their experience using both together for detection. Any feedback is welcome!

Thanks,

Sigma is awesome to use and works well with Zeek logs in my opinion. I’ve only written a few Sigma detections for Zeek, but it’s basically the same process as creating any other Sigma detection: identify which fields/values in the log are of interest and add those as selection criteria in the Sigma rule. Additionally, you may want to write a Sigma log source config to map Zeek to the appropriate fields for the target SIEM. There are some good write-ups on how to write Sigma rules if you haven’t done so before. I would also add that you will save yourself a lot of head-banging/frustration if you use a text editor that supports a YAML linter, like VS Code or Atom.

-James

As a quick add to this, we’ve got work in flight to map the Zeek fields into the Sigma sources. We’ll be contributing that; it isn’t ready yet, but I’m looking forward to sharing it when it is (no ETA yet, sorry - but work is in flight at least).

WOW! Thank you both for the update.

I felt bad that there weren’t any rules yet in the Sigma rule repository for Zeek, so I added a rule for Kerberos TGS requests with the rc4-hmac cipher yesterday, which looks like it got merged. Hopefully you find it helpful.

I’m looking forward to the Corelight team’s contributions to Sigma as well!

-James
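As an added example (not code from this thread, from the Sigma project, or the rule James contributed), the rule-writing process described above is carried through in Python: a Sigma-style selection over Zeek `kerberos.log` field names (`request_type`, `cipher`, `service`), evaluated against constructed JSON-format Zeek log lines. The rule body, the illustrative `krbtgt/` exclusion and the sample events are assumptions made for this example.

```python
import json

# Sigma-style rule as a dict with the same keys a Sigma YAML rule uses.
# Field names are Zeek kerberos.log columns. Constructed for this example.
RULE = {
    "title": "Zeek Kerberos TGS request using RC4 cipher",
    "logsource": {"product": "zeek", "service": "kerberos"},
    "detection": {
        "selection": {"request_type": "TGS", "cipher": "rc4-hmac"},
        # Illustrative exclusion (assumption): TGS requests whose service is
        # the ticket-granting service itself (renewals, cross-realm referrals).
        "filter": {"service|startswith": "krbtgt/"},
        "condition": "selection and not filter",
    },
}

def field_matches(event, key, expected):
    """One Sigma field test: plain equality or the |startswith modifier."""
    name, _, modifier = key.partition("|")
    value = event.get(name)
    if value is None:
        return False
    if modifier == "":
        return str(value) == expected
    if modifier == "startswith":
        return str(value).startswith(expected)
    raise ValueError(f"unsupported modifier: {modifier}")

def block_matches(event, block):
    """A selection/filter map matches only if every field test holds (AND)."""
    return all(field_matches(event, k, v) for k, v in block.items())

def rule_matches(event, rule=RULE):
    """Evaluate the rule's condition (the two shapes used here) on one event."""
    det = rule["detection"]
    selected = block_matches(event, det["selection"])
    if det["condition"] == "selection":
        return selected
    if det["condition"] == "selection and not filter":
        return selected and not block_matches(event, det["filter"])
    raise ValueError(f"unsupported condition: {det['condition']}")

# Constructed Zeek kerberos.log lines (JSON log format), one event per line.
SAMPLE_LOG = """\
{"ts":1700000000.1,"uid":"C1","id.orig_h":"10.0.0.5","request_type":"AS","client":"alice/CORP","service":"krbtgt/CORP","cipher":"aes256-cts-hmac-sha1-96","success":true}
{"ts":1700000001.2,"uid":"C2","id.orig_h":"10.0.0.5","request_type":"TGS","client":"alice/CORP","service":"MSSQLSvc/db01.corp:1433","cipher":"rc4-hmac","success":true}
{"ts":1700000002.3,"uid":"C3","id.orig_h":"10.0.0.6","request_type":"TGS","client":"bob/CORP","service":"krbtgt/CORP","cipher":"rc4-hmac","success":true}
{"ts":1700000003.4,"uid":"C4","id.orig_h":"10.0.0.7","request_type":"TGS","client":"carol/CORP","service":"HTTP/web01.corp","cipher":"aes128-cts-hmac-sha1-96","success":true}
"""

def scan(log_text, rule=RULE):
    """Return the uid of every event the rule fires on."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    return [e["uid"] for e in events if rule_matches(e, rule)]
```

For a real SIEM the same `selection` map is what a Sigma log source config would rewrite into the backend's field names; the matching itself is then done by the SIEM query rather than by this script.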

Awesome, thanks for the update!