Threat Hunting with Sigma Rules: Using Logs, Alerts, and Behavior to Detect APTs & TTPs

Webinar Registration

Today’s attacks are growing more sophisticated and successful. What was once accomplished using lots of custom malware is increasingly handled by living off the land, leveraging the very same tools you use to manage your IT environment. Because of this, many organizations have shifted to using Endpoint Detection and Response (EDR) solutions that focus on endpoint behavior rather than signature-based detection to identify threats.

In recent years, more and more organizations, threat intel providers, and even governments (NCSC and CISA are two good examples) are sharing technical indicators and detailed reports on high-impact attacks. These reports contain the standard set of Snort, Suricata, and Yara rules to detect emerging threats, but also describe many of the tactics, techniques, and procedures (TTPs) these attackers use (most of which are catalogued in the MITRE ATT&CK Framework).

The challenge today is that there is no easy way of sharing these behavioral indicators. There are threat intelligence sharing standards and platforms like MISP, STIX, TAXII, and CybOX, but not everyone has the infrastructure or talent to operate and maintain them.

A few years back, Sigma rules were born.

Sigma is to logs what Snort is to network traffic and Yara is to malware: a generic, open rule format that describes the events, alerts, and behaviors to look for in log data. Sigma rules make it efficient to write, share, and distribute technical indicators of threats. Most importantly, a Sigma rule can be automatically converted into the query language and syntax of your SIEM, increasing the speed and accuracy of your SIEM-based detections.
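To make the "generic rule format" idea concrete, here is an added example (not material from the webinar or the Sigma project) that evaluates a small Sigma-style rule against constructed process-creation events. The rule's title, field names (Sysmon-style `Image`, `ParentImage`, `ComputerName`) and the allowlisted host are all assumptions made up for the demo; it supports the `contains`/`startswith`/`endswith`/`all` modifiers and an `and`/`or`/`not` condition.

```python
# Minimal evaluator for a Sigma-style rule over process-creation events (added
# example; rule, field names and events are constructed, not webinar material).
RULE = {  # mirrors the keys of a Sigma YAML file; Sysmon-style field names
    "title": "Shell spawned by the service control manager (demo rule)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "ParentImage|endswith": "\\services.exe",
            "Image|endswith": ["\\cmd.exe", "\\powershell.exe"],
        },
        # Allowlist for a constructed jump host where this is expected.
        "filter": {"ComputerName": "JUMP-01"},
        "condition": "selection and not filter",
    },
}

def _match_value(op, actual, expected):
    """Apply one Sigma modifier; Sigma string matching is case-insensitive."""
    a, e = str(actual).lower(), str(expected).lower()
    return {"contains": e in a, "startswith": a.startswith(e),
            "endswith": a.endswith(e)}.get(op, a == e)

def _match_field(spec, expected, event):
    """'Field|modifier' against an event; list values are ORed unless |all."""
    field, *mods = spec.split("|")
    op = ([m for m in mods if m != "all"] or ["equals"])[0]
    values = expected if isinstance(expected, list) else [expected]
    hits = [_match_value(op, event.get(field, ""), v) for v in values]
    return all(hits) if "all" in mods else any(hits)

def evaluate(rule, event):
    """True when the event satisfies the rule's condition."""
    det = rule["detection"]
    names = {k: all(_match_field(f, v, event) for f, v in blk.items())
             for k, blk in det.items() if k != "condition"}
    # Conditions here use only and/or/not over identifiers, so a boolean namespace suffices.
    return bool(eval(det["condition"], {"__builtins__": {}}, names))

# Constructed events; a real hunt would pull these from the SIEM.
EVENTS = [
    {"ComputerName": "WS-07", "ParentImage": "C:\\Windows\\System32\\services.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"ComputerName": "JUMP-01", "ParentImage": "C:\\Windows\\System32\\services.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"ComputerName": "WS-07", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
]
def hunt(rule=RULE, events=EVENTS):
    """Return the ComputerName of every event the rule flags."""
    return [e["ComputerName"] for e in events if evaluate(rule, e)]
```

Running `hunt()` flags only the first event: the second is excluded by the `filter` block and the third never matches `selection`. A real converter (such as the Sigma project's own tooling) would translate the same `detection` block into your SIEM's query syntax instead of evaluating it in Python.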

In this real-training-for-free session, Microsoft MVP and cybersecurity expert Nick Cavalancia takes my seat, and will first discuss:

  • The state of threat intelligence sharing
  • A primer on Sigma Rules – from creation to use
  • How Sigma Rules fit into your cybersecurity strategy

Nick will then be joined by Kev Breen, Director of Cyber Threat Research at Immersive Labs, who will run an emulated APT attack that uses non-malware techniques to move laterally across a network. With all the logs from these devices collected in a central SIEM, Kev will demonstrate the following:

  • Using public Sigma rules to query the SIEM and identify malicious behavior that may have been missed
  • Writing custom Sigma rules specific to an attack scenario that can be run periodically to hunt for future attacks of the same nature

This real-training-for-free event will be jam-packed with technical detail and real-world application. Register today!
