Sigma in Timesketch - let's rule the sketch

  0. Background This article will walk you through the process of getting from a bare Timesketch installation to an environment where you can develop and use Sigma rules for Timesketch. This is the follow up of the article that covered the installation of a Timesketch development environment.  The target audience for this blogpost are engineers who are familiar with basic concepts of Timesketch and have a running Timesketch instance with running Celery workers. Some basic understanding of Sigma is helpful but not mandatory. Hypothesis This article will explain how Sigma rules look like, what the structure of a sigma config looks like and how to write a new Sigma rule and modify the sigma config to get the expected result. For this example, we will write a Sigma rule to catch recon activity by detecting an installation of zenmap. This is outlined in MITRE ATT&CK® as Discovery: Discovery - An Information Security Reference That Doesn't Suck.   What is Sigma Sigma, the " Ya