2025-08-05 –, Boardroom
SIGMA rules are an agnostic, text-based, open signature format written in YAML for creating threat detections, developed and open-sourced in 2017 by Florian Roth and Thomas Patzke. The project was conceived to address the challenges facing analysts when sharing and translating rule logic across the various SIEMs and EDRs tools.
I will share with you how I implemented the gift of SIGMAs in our hunting workflow to assist with sniffing out gremlins hiding in the network. I will walk through the SIGMA creation process, sharing tips on how to tackle some of the challenges you might run into in real life when working with SIGMA. Hopefully my story can prove helpful for you, whether you are looking for ways to mature and streamline your hunting programs or just getting started playing around with Sigma.
Training will start with a walk through of what a SIGMA rule is, how they work, and how to construct them. I will show various community resources available on how to get started implementing SIGMA in your environment. I will then cover in detail the workflow for our guided hunt framework, "Gremlin Hunters".
1) How the hunts are developed using the SIGMA rule format, using OSINT and internal research.
2) How rules are inputted into our MISP instance, where we use pySIGMA to process and translate the rules.
3) Show how the rules are then sent over to our ticketing system where they are distributed to the hunting team on a weekly basis.
4) How hunt team uses the translations, tailors to environment, then submits findings (and a prod ready rule if applicable).
Gremlin hunter, kitten and puppy wrangler, snickers fan.
Came into the field of cybersecurity a bit later in life after shifting into the field from a background in philosophy, psychology, and conflict resolution, which have given me a unique perspective.
I enjoy solving puzzles and scavenger hunts, so this kinda work suits me well.
I started in cyber in late 2016 and have been working in the field ever since. I have worked for a few state government agencies doing a bit of everything, security administration, awareness training, vulnerability testing, and incident response. I moved to the private sector and I am now working for a company that supports both public and private sector customers.
My roles have included SOC analyst tier I and II, and now I work with my company's Cyber Threat Intelligence team as a cyber threat analyst and cybersecurity content engineer.
Nicholas Carroll is a seasoned cybersecurity professional with a career spanning over two decades. He currently serves as a Manager of Cyber Incident Response with Nightwing, leading a team of cyber threat intelligence and DFIR professionals defending Fortune 500 organizations and government agencies. Prior to this, he held the position of CISO for a state government agency, overseeing election cyber projects. His journey in IT and cybersecurity began at the help desk, providing him with a broad perspective on the field. But his skills earned in jobs outside of IT and cyber helped craft the success he has today. He is also a certified cybersecurity instructor, demonstrating his commitment to continuous learning and knowledge sharing to help grow the field.