Hello,
Context:
Windows servers send logs to Graylog (Winlogbeat, Sysmon…)
My boss wants me to use Sigma, but so far I don’t understand how to use it.
I have read the documentation…
So, I installed Python3 and did “pip3 install sigmatools”.
I downloaded “sigma-master”, so I have a lot of yml files.
But what are the steps to take in Graylog?
Thank you.
jan (Jan Doberstein):
AFAIK Sigma can output the search that you need to run in Graylog, but I’m not sure about that as I personally did not use that (currently).
Yes, I tried and got something like this:
C:\sigma-master\tools> python sigmac -t graylog -c config\generic\sysmon.yml ..\rules\windows\sysmon\sysmon_mimikatz_detection_lsass.yml
(EventID:"10" AND TargetImage:"C\:\\windows\\system32\\lsass.exe" AND GrantedAccess:"0x1410")
or
C:\tools> python sigmac -t graylog -c config\generic\sysmon.yml ..\rules\windows\sysmon\sysmon_susp_rdp.yml
((EventID:"3" AND DestinationPort:"3389") AND NOT (Image:("*\\mstsc.exe" "*\\RTSApp.exe" "*\\RTS2App.exe" "*\\RDCMan.exe" "*\\ws_TunnelService.exe" "*\\RSSensor.exe" "*\\RemoteDesktopManagerFree.exe" "*\\RemoteDesktopManager.exe" "*\\RemoteDesktopManager64.exe" "*\\mRemoteNG.exe" "*\\mRemote.exe" "*\\Terminals.exe" "*\\spiceworks\-finder.exe" "*\\FSDiscovery.exe" "*\\FSAssessment.exe" "*\\MobaRTE.exe" "*\\chrome.exe")))
In my case the problem is the field name… But it’s interesting.
Thank you.
jan (Jan Doberstein):
Those rules insist that you have the information extracted in a specific way, or what is called normalized.
You should check the rules and the Sigma reference for which fields should hold which content.
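Added example (not from this thread and not a file shipped by the Sigma project): the field-name mismatch described above is what sigmac's `fieldmappings` section is for. It lives in a config file that you pass with `-c` (the option can be repeated, so it can be added on top of `config\generic\sysmon.yml`). The Graylog field names below (`winlogbeat_event_id`, `winlogbeat_log_name`, `winlogbeat_event_data_*`) are assumptions about how the Beats input names Winlogbeat fields; replace them with the names that actually show up in the Graylog search sidebar for a Sysmon event on your instance.

```yaml
# Example sigmac config for Graylog fed by Winlogbeat (added example, assumed field names).
# Left side: the normalized field name used by Sigma rules.
# Right side: the field name as it exists in Graylog (assumption; verify in your own search results).
title: Winlogbeat to Graylog field mapping (example)
order: 20
backends:
  - graylog

logsources:
  # Restrict Sysmon rules to the Sysmon channel, so that EventID 10 from another
  # provider does not match. The channel field name is an assumption.
  sysmon:
    product: windows
    service: sysmon
    conditions:
      winlogbeat_log_name: 'Microsoft-Windows-Sysmon/Operational'

fieldmappings:
  EventID: winlogbeat_event_id
  # Fields used by the two rules converted in this thread
  TargetImage: winlogbeat_event_data_TargetImage
  GrantedAccess: winlogbeat_event_data_GrantedAccess
  Image: winlogbeat_event_data_Image
  DestinationPort: winlogbeat_event_data_DestinationPort
  # Commonly needed by other Sysmon rules
  CommandLine: winlogbeat_event_data_CommandLine
  ParentImage: winlogbeat_event_data_ParentImage
  User: winlogbeat_event_data_User
```

Save it as, for example, `winlogbeat-graylog.yml` in the `tools` directory and run `python sigmac -t graylog -c config\generic\sysmon.yml -c winlogbeat-graylog.yml ..\rules\windows\sysmon\sysmon_mimikatz_detection_lsass.yml`. With the mapping in place the query should come out with the Graylog field names instead of `EventID`, `TargetImage` and `GrantedAccess`, and with the channel condition ANDed in, so it can be pasted into a Graylog search or saved as an alert condition. A quick sanity check before deploying a converted rule: run it against a time window where you know the event exists (for example a known RDP connection for the RDP rule); a query that returns nothing at all usually means one of the field names on the right side is still wrong.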
system (system):
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.