Authors: Roberto Martinez (Kaspersky, GReAT Mexico) and Ido Naor (Kaspersky, GReAT Israel)



Time: 4 hours

During every Incident Response, a Responder is required to have an arsenal of Swiss knives in different kinds and shapes in order to extract the most relevant evidence for later analysis. When it comes to network traffic Snort is a must have, similarly to search in files with Yara. But when it comes to logs, events and other artifacts resting inside operating system’s chambers a different tool is required. For that task, the Responder should have a ready-to-launch Sigma. In this short workshop, Roberto & Ido will show you how to establish a Sigma instance to practice on, help in build rules and suggest on techniques to collect valuable information in the event of an incident.


  • Basic knowledge on how to apply Sigma rules in Incident Response
  • VM fully fledged with your IR Sigma Swiss knife
  • Quick intro into how Security Researchers are using Sigma to enhance IR capabilities like a ninjas.

Back to the USA 2020 Conference Page