Next-Gen Detection: Harnessing LLMs for Sigma Rule Automation
Dave Johnson
BSidesSF 2024 · Day 1
This talk, presented by **Dave Johnson**, a Threat Intelligence Advisor at **Feedly**, examines how **Large Language Models (LLMs)** can automate the creation of **Sigma rules** for cybersecurity detection. Johnson's research, which grew out of an initial experiment with **ChatGPT**, addresses the need for faster, higher-quality detection rule generation in an evolving threat landscape. The core objective is to help defenders keep pace with adversaries who increasingly leverage AI for malicious purposes, including malware generation and attack orchestration.
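For context (this fragment is illustrative, not taken from the talk), a Sigma rule is a vendor-agnostic YAML signature describing a log-based detection. A minimal rule flagging encoded PowerShell invocations might look like:

```yaml
title: Suspicious Encoded PowerShell Command
status: experimental
description: Illustrative example of the Sigma format; field values are hypothetical.
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains: '-EncodedCommand'
  condition: selection
level: medium
```

Rules in this format are what the LLM pipelines discussed in the talk aim to generate automatically from threat intelligence.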
AI review
This talk offers a practical, hands-on exploration of using Large Language Models to automate Sigma rule generation. The speaker details three strategies: Retrieval Augmented Generation (RAG), prompt chaining, and fine-tuning, emphasizing the importance of input data quality and robust validation. The comparative analysis of these methods, including the speaker's candid admission that fine-tuning was an 'expensive failure,' offers valuable insights for detection engineers looking to strengthen their proactive threat hunting capabilities.
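The prompt-chaining strategy mentioned above can be sketched as a sequence of model calls where each step's output feeds the next prompt. The specific steps and prompt wording below are assumptions for illustration (the abstract does not describe the speaker's actual chain), and `llm` stands in for any chat-completion API:

```python
def chain_sigma_rule(llm, threat_report: str) -> str:
    """Hypothetical three-step prompt chain: extract behaviors,
    draft a Sigma rule, then self-review the draft.

    `llm` is any callable that takes a prompt string and returns
    the model's text response."""
    # Step 1: pull detectable behaviors out of unstructured intel.
    behaviors = llm(
        "List the detectable behaviors (process names, command lines, "
        "registry keys) described in this threat report:\n" + threat_report
    )
    # Step 2: turn the extracted behaviors into a draft Sigma rule.
    draft = llm(
        "Write a Sigma rule in YAML that detects these behaviors:\n" + behaviors
    )
    # Step 3: ask the model to review its own draft before validation.
    return llm(
        "Review this Sigma rule for syntax errors and overly broad "
        "conditions, and return a corrected version:\n" + draft
    )
```

Splitting the task this way trades extra API calls for smaller, more focused prompts; the final output would still go through the kind of automated validation (YAML parsing, Sigma schema checks) the talk stresses.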