Detection Engineering with Sigma will teach you how to write and tune Sigma rules to find evil in logs using real-world examples that take you through the detection engineering process. We’ll dissect real Sigma detection rules focused on finding a variety of malicious activity in diverse log sources. Once you have a good handle on these components, you’ll start writing and tuning your own rules in a series of case studies. In some case studies, I’ll describe a detection gap and you’ll write a rule on your own before I show you how I tackled the problem myself. In other scenarios, you’ll write or modify a rule on your own and submit it to me for feedback. In this course, you are never alone! I will be with you 100% of the way to help you understand the structure of Sigma rules, how to get from idea to finished rule, and best practices for writing resilient rules.
Syllabus
- The detection engineering process from initial detection gap identification to deploying your rule.
- The structure of Sigma rules, including the difference between lists and maps, how condition expressions work, and the essential metadata that will help you investigate the alerts a rule generates.
- How to use the SOC Prime Sigma UI plugin for Kibana to develop rules with a graphical editor.
- How to use sigmac to convert rules into the query formats of popular investigation and detection tools such as Splunk, ELK, and others.
- How to write resilient rules that find more evil, stand the test of time, and cause headaches for adversaries.
- How to write your own detection rules using familiar log sources like Windows Events, Zeek Logs, Sysmon Logs, AWS CloudTrail logs, and more.
- Guidelines and best practices for developing Sigma rules you can share with third parties, including the public Sigma rule repository.
- The principles of detection as code with a tutorial on managing your custom ruleset with Git.
- Tips and tricks for using Sigma and its tools on the command line.
- How to leverage popular Sigma integrations like Security Onion Playbook.
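To make the rule-structure items above concrete (maps, lists and condition expressions), here is an added illustration that is not course material and not code from the Sigma project: a small evaluator that applies a constructed Sigma-style process-creation rule to constructed Windows event records. It implements only a subset of the Sigma specification (a map is an AND across its keys, a list of values is an OR, a bare list is a keyword search, the contains/startswith/endswith/re modifiers, and conditions built from and/or/not, parentheses and `1 of`/`all of` with name wildcards). The rule, field values, user names and command lines are all invented for the example.

```python
import fnmatch
import re

# Constructed rule, written as the Python equivalent of its YAML. Values are
# invented for illustration; this is not a rule from the course or the public repository.
RULE = {
    "title": "Office application spawning a command shell (constructed example)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection_parent": {                                          # map: every key must match (AND)
            "ParentImage|endswith": ["\\WINWORD.EXE", "\\EXCEL.EXE"],   # list of values: any may match (OR)
            "Image|endswith": ["\\cmd.exe", "\\powershell.exe"],
        },
        "selection_keywords": ["-enc", "IEX"],                         # bare list: keyword search over all fields (OR)
        "filter_admin": {"User": "NT AUTHORITY\\SYSTEM"},              # constructed exclusion
        "condition": "all of selection_* and not filter_admin",
    },
}

# Constructed sample events (Sysmon-style field names); the command lines are placeholders.
EVENTS = [
    {"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64-placeholder>", "User": "CORP\\alice"},
    {"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "User": "CORP\\bob"},                     # no keyword: no match
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -enc <base64-placeholder>", "User": "CORP\\alice"},  # parent is not Office
    {"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -enc <base64-placeholder>", "User": "NT AUTHORITY\\SYSTEM"},  # excluded by filter
]


def _match_value(field_value, pattern, modifier):
    """Match one field value against one pattern; Sigma string matching is case-insensitive."""
    if field_value is None:
        return False
    if modifier == "re":
        return re.search(str(pattern), str(field_value)) is not None
    a, b = str(field_value).lower(), str(pattern).lower()
    if modifier == "contains":
        return b in a
    if modifier == "startswith":
        return a.startswith(b)
    if modifier == "endswith":
        return a.endswith(b)
    return fnmatch.fnmatchcase(a, b)            # plain value: exact match with * and ? wildcards


def _match_field(event, key, patterns):
    """A 'Field|modifier' key against a value or list of values (OR, or AND with the |all modifier)."""
    field, *mods = key.split("|")
    modifier = next((m for m in mods if m != "all"), None)
    patterns = patterns if isinstance(patterns, list) else [patterns]
    hits = [_match_value(event.get(field), p, modifier) for p in patterns]
    return all(hits) if "all" in mods else any(hits)


def _match_selection(event, sel):
    if isinstance(sel, dict):                                   # map: AND across keys
        return all(_match_field(event, k, v) for k, v in sel.items())
    if all(isinstance(x, dict) for x in sel):                   # list of maps: OR across maps
        return any(_match_selection(event, x) for x in sel)
    haystack = " ".join(str(v) for v in event.values()).lower()  # list of strings: keyword search
    return any(str(x).lower() in haystack for x in sel)


def eval_condition(cond, results):
    """Recursive-descent evaluation of a condition over per-selection boolean results."""
    tokens = re.findall(r"\(|\)|[\w*]+", cond)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def expr():                                  # or-level
        v = term()
        while peek() == "or":
            take()
            r = term()
            v = v or r
        return v

    def term():                                  # and-level
        v = factor()
        while peek() == "and":
            take()
            r = factor()
            v = v and r
        return v

    def factor():
        t = take()
        if t == "not":
            return not factor()
        if t == "(":
            v = expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return v
        if t in ("1", "all") and peek() == "of":  # quantifier over selection names, e.g. '1 of selection_*'
            take()
            pat = take()
            names = list(results) if pat == "them" else [n for n in results if fnmatch.fnmatchcase(n, pat)]
            return (all if t == "all" else any)(results[n] for n in names)
        return results[t]

    return expr()


def rule_matches(rule, event):
    det = rule["detection"]
    results = {name: _match_selection(event, sel) for name, sel in det.items() if name != "condition"}
    return eval_condition(det["condition"], results)


if __name__ == "__main__":
    for i, ev in enumerate(EVENTS):
        print(i, rule_matches(RULE, ev))      # expected: 0 True, 1 False, 2 False, 3 False
```

Only the first event fires: the parent and child images satisfy the map, the keyword list matches `-enc`, and the user is not excluded by the filter. Changing the condition to `selection_parent and not filter_admin` would also fire on the second event, which is a quick way to see why the keyword selection narrows the rule.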