Sigma and Graylog

Hello,

Context:
Windows servers send logs to Graylog (Winlogbeat, Sysmon…)

My boss wants me to use Sigma, but so far I don’t understand how to use it.

I have read the documentation…

So, I installed Python3 and did “pip3 install sigmatools”

I downloaded “sigma-master”, so I have a lot of yml files.

But what are the steps to do in Graylog?

Thank you.

AFAIK Sigma can output the search that you need to run in Graylog - but I’m not sure about that, as I personally have not used it (currently).


Yes, I tried and got something like this:

C:\sigma-master\tools> python sigmac -t graylog -c config\generic\sysmon.yml ..\rules\windows\sysmon\sysmon_mimikatz_detection_lsass.yml

(EventID:"10" AND TargetImage:"C\:\\windows\\system32\\lsass.exe" AND GrantedAccess:"0x1410")

or

C:\tools> python sigmac -t graylog -c config\generic\sysmon.yml ..\rules\windows\sysmon\sysmon_susp_rdp.yml

((EventID:"3" AND DestinationPort:"3389") AND NOT (Image:("*\\mstsc.exe" "*\\RTSApp.exe" "*\\RTS2App.exe" "*\\RDCMan.exe" "*\\ws_TunnelService.exe" "*\\RSSensor.exe" "*\\RemoteDesktopManagerFree.exe" "*\\RemoteDesktopManager.exe" "*\\RemoteDesktopManager64.exe" "*\\mRemoteNG.exe" "*\\mRemote.exe" "*\\Terminals.exe" "*\\spiceworks\-finder.exe" "*\\FSDiscovery.exe" "*\\FSAssessment.exe" "*\\MobaRTE.exe" "*\\chrome.exe")))

In my case the problem is the field names… But it’s interesting.

Thank you.

Those rules insist that you have the information extracted in a specific way, or what is called normalized.

You should check the rules and the Sigma reference for which fields should hold what content.
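To make the field-name problem from the posts above concrete, here is an added example (not code from the thread and not the sigmatools implementation) that re-implements, stand-alone, the field-mapping step sigmac performs when a config file with a `fieldmappings` section is passed via `-c`. It covers only a subset of Sigma (field/value selections, value lists, wildcards, `X and not Y` conditions). The two rules are constructed to reproduce the two query strings quoted in the thread, and `FIELD_MAP` is an assumption about how Winlogbeat names Sysmon fields; both must be checked against the rule files and your own Graylog index.

```python
# Added example: stand-alone re-implementation of sigmac's field-mapping step
# for a Sigma subset. Not the sigmatools code. FIELD_MAP is an ASSUMPTION about
# Winlogbeat field names; verify it against your Graylog index before use.

# Constructed rule, equivalent to the sysmon_mimikatz_detection_lsass rule
# quoted in the thread (written as a dict so no YAML library is needed).
LSASS_RULE = {
    "detection": {
        "selection": {
            "EventID": 10,
            "TargetImage": "C:\\windows\\system32\\lsass.exe",
            "GrantedAccess": "0x1410",
        },
        "condition": "selection",
    }
}

# Constructed rule in the shape of sysmon_susp_rdp, with a shortened filter list.
RDP_RULE = {
    "detection": {
        "selection": {"EventID": 3, "DestinationPort": 3389},
        "filter": {"Image": ["*\\mstsc.exe", "*\\RDCMan.exe", "*\\spiceworks-finder.exe"]},
        "condition": "selection and not filter",
    }
}

# Assumed mapping from Sigma's generic field names to the names Winlogbeat
# produces for Sysmon events. Fields not listed keep their Sigma name.
FIELD_MAP = {
    "EventID": "winlog.event_id",
    "TargetImage": "winlog.event_data.TargetImage",
    "GrantedAccess": "winlog.event_data.GrantedAccess",
    "DestinationPort": "winlog.event_data.DestinationPort",
    "Image": "winlog.event_data.Image",
}


def escape(value):
    """Quote a value for a Graylog/Lucene query the way the sigmac output in
    the thread does: backslash, colon and hyphen get a backslash, '*' stays
    a wildcard."""
    out = []
    for ch in str(value):
        out.append("\\" + ch if ch in "\\:-" else ch)
    return '"' + "".join(out) + '"'


def render_field(field, value, field_map):
    """One Sigma field/value pair -> Lucene term, with the field name mapped."""
    name = field_map.get(field, field)
    if isinstance(value, list):  # a list of values is an implicit OR
        return "%s:(%s)" % (name, " ".join(escape(v) for v in value))
    return "%s:%s" % (name, escape(value))


def render_selection(selection, field_map):
    """All pairs of one selection are ANDed together."""
    parts = [render_field(f, v, field_map) for f, v in selection.items()]
    return parts[0] if len(parts) == 1 else "(" + " AND ".join(parts) + ")"


def convert(rule, field_map=None):
    """Turn a rule's detection section into a Graylog query string.
    Supports conditions of the form 'A', 'A and B', 'A or B', 'A and not B'."""
    field_map = field_map or {}
    det = rule["detection"]
    expr, op, negate = None, None, False
    for tok in det["condition"].split():
        if tok in ("and", "or"):
            op = tok.upper()
        elif tok == "not":
            negate = True
        else:
            term = render_selection(det[tok], field_map)
            if negate:
                term = "NOT " + (term if term.startswith("(") else "(" + term + ")")
                negate = False
            expr = term if expr is None else "(%s %s %s)" % (expr, op, term)
    return expr


def unmapped_fields(rule, field_map):
    """Sigma field names used by the rule that have no entry in field_map.
    Anything listed here will be searched under its raw Sigma name in Graylog
    and will silently match nothing if your index calls the field differently."""
    seen = []
    for name, selection in rule["detection"].items():
        if name == "condition":
            continue
        for field in selection:
            if field not in seen:
                seen.append(field)
    return [f for f in seen if f not in field_map]


if __name__ == "__main__":
    print(convert(LSASS_RULE))             # raw Sigma names, as in the thread
    print(convert(LSASS_RULE, FIELD_MAP))  # names as Winlogbeat would ship them
    print(convert(RDP_RULE, FIELD_MAP))
    print(unmapped_fields(RDP_RULE, {"EventID": "winlog.event_id"}))
```

Without a mapping the output matches the strings the sigmac run above produced, which is why those queries return nothing when the index stores the Sysmon fields under other names. With sigmac itself the same table is supplied as a `fieldmappings:` section of a config file given with `-c` (several `-c` options can be combined), and `unmapped_fields` is the kind of check to run before deploying a converted rule.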
