10-25, 10:45–11:15 (Europe/Luxembourg), Europe - Main Room
Sigma is a well-known generic detection rule format in the cybersecurity landscape. While this free, open-source project is very active and offers a wide range of features, its implementation is challenging, and especially for MSSPs. At CERT-EU, we serve the 90 European Union institutions, bodies, offices and agencies (Union entities) and we strive to deliver the best possible services to them. This is why we relentlessly try to enhance the detection capabilities of our Security Log Monitoring Service.
To this endeavour, we created droid, a tool that we specifically built to introduce Detection-as-Code in our environment. In the spirit of fostering a culture of collective progress, we released droid as our take to facilitate the ingestion of Sigma rules for any organisation.
In this talk, we will mainly talk about how we implemented Sigma in a practical way and about droid that unlocks the following use cases:
- Detection content versioning
- Vendor agnostic approach
- Cross-tool detection content
- Testing and validating detection rules, by taking advantage of Atomic Red Team
- Automation of exporting the rules to multiple SIEMs and EDRs.
The tool is under development and we aim at adding more platforms and testing features.
Mathieu is a member of CERT-EU's Digital Forensics and Incident Response team. He has two hats: respond to security incidents, including significant ones, and engineer CERT-EU's detection strategy. He was a speaker at the 36th Annual FIRST Conference.