2025-10-21, Hollenfels
Sigma is an open, generic format for sharing log detection signatures. In this hands-on workshop we learn how to write good Sigma rules by developing rules for existing threats. It covers simple rules that detect single events as well as correlation rules that detect relationships between events.
This workshop will cover the following topics:
- Introduction to the Sigma detection format.
- Don't reinvent the wheel: searching existing Sigma rules.
- Developing simple Sigma rules for single events.
- Developing Sigma correlation rules to detect event relationships.
- Validation of Sigma rules.
- Using LLMs to support Sigma rule development.
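As an added illustration of the two rule kinds listed above (not workshop material), a simple Sigma rule that matches one Windows Security event, followed by a correlation rule that relates many of those matches to each other; the event ID is the standard failed-logon event, while the threshold and time window are assumptions chosen for the example.

```yaml
# Added example (not workshop material): a simple rule plus a correlation rule that builds on it.
# Simple rule: matches one event, a failed Windows logon (Security event 4625).
title: Failed Logon
name: failed_logon          # the name the correlation rule below refers to
status: experimental
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4625
  condition: selection
level: informational
---
# Correlation rule: relates failed_logon matches to each other instead of firing on each one.
# Fires when a single account accumulates 10 or more matches within 5 minutes
# (threshold and window are illustrative assumptions, not recommended values).
title: Many Failed Logons for One Account
status: experimental
correlation:
  type: event_count
  rules:
    - failed_logon
  group-by:
    - TargetUserName
  timespan: 5m
  condition:
    gte: 10
level: medium
```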
Thomas has almost 20 years of experience in information security and has worked across the field, from offensive to defensive security. He now does incident response, threat hunting and threat intelligence in the Evonik Cyber Defense Team. He is also a co-founder of the Sigma project and maintains its open source toolchain (pySigma/Sigma CLI).