hack.lu 2023

The new Sigma Toolchain
10-18, 14:00–16:00 (Europe/Luxembourg), Hollenfels

pySigma and Sigma CLI are complete rewrites of the legacy sigmatools and sigmac projects, which will be retired at the end of the year. In this workshop you will learn the new concepts they introduce and how these new tools can be used and extended with new target query languages.

This workshop aims to give an introduction to the new Sigma Python toolchain, pySigma (the library) and Sigma CLI (converter, rule checker, ATT&CK heatmap generator, ...). I will give a brief introduction to some important concepts like plugins, backends and processing pipelines and continue with hands-on exercises:

  • Discover and install the backends and pipelines required for conversion.
  • Basic conversion of queries.
  • Building your own processing pipelines (e.g. field name mappings).
  • Rule checking.
  • Creating a MITRE ATT&CK heatmap from a rule set.
  • Creating backends with the cookiecutter template.

Thomas has more than 15 years' experience in various areas of information security. He started as a consultant, then moved into offensive security and later switched to defensive topics. Now he's an incident responder and threat hunter and does some threat intelligence at the Evonik Cyber Defense Team.

Thomas doesn't hold a single infosec certification, so there is no list of three-to-four-upper-cased-letter combinations here. Instead he focuses on building open source security tools and is one of the co-founders and a core maintainer of the Sigma project.
