Yusuke Nakajima
Joined NTT DATA Group in 2019, selling solutions in image processing and natural language processing as a sales representative. Transferred to the company’s CSIRT team “NTTDATA-CERT” in April 2023, engaging in incident response, IoC collection and distribution, threat hunting, and streamlining CSIRT operations using LLMs. Also deeply interested in offensive security activities such as C2 framework development, OSS vulnerability research (6 CVEs identified), and participation in bug bounty programs. CISSP, OSTH, JSAC 2025 Speaker.
SigmaOptimizer: LLM-Enhanced Detection Rule Workflow
Sigma rules are the cornerstone of threat detection, but creating effective rules requires a deep understanding of attack methods and a great deal of time and effort. Recently, much attention has been paid to methods for automatically generating Sigma rules from threat reports using Large Language Models (LLMs), but the following issues have also been highlighted:
Accuracy and reliability issues: Rules that are not based on actual logs run the risk of false positives and omissions due to LLM hallucinations.
Delay in detection: Threat reports are published with some delay after an attack occurs, so responses based on them inevitably have a time lag, increasing the risk of incidents.
In this session, we will introduce SigmaOptimizer, which we have developed to overcome these issues. SigmaOptimizer is an innovative tool that automatically generates Sigma rules, performs syntax checking, verifies detection effectiveness, and evaluates false positives by combining actual logs with an LLM. It also has a rule enhancement feature that supports command obfuscation and improves resistance to evasion techniques.
In addition, by interfacing with MITRE Caldera, it is possible to automatically execute various attack techniques and automatically generate and evaluate Sigma rules from the resulting logs. This significantly reduces the time required to generate rules and increases the realistic threat coverage.
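The verification loop the abstract describes (run a candidate Sigma rule over real logs, count hits and misses, then harden it against command obfuscation) can be sketched as an added example. This is illustrative code written for this page, not SigmaOptimizer's own implementation: the rule, the process-creation events and the `normalize` hardening step are all constructed, and only a single `selection` condition is supported.

```python
# Constructed Sigma-style rule in the dict shape a YAML loader would produce (assumed shape).
RULE = {
    "title": "Windows Event Log Cleared via wevtutil",
    "detection": {
        "selection": {
            "Image|endswith": ["\\wevtutil.exe", "\\cmd.exe"],
            "CommandLine|contains|all": ["wevtutil", " cl "],
        },
        "condition": "selection",  # only this simple condition is handled here
    },
}

def normalize(value: str) -> str:
    """Rule-enhancement step: undo common cmd.exe obfuscation before matching
    (escape carets, empty "" pairs, case and whitespace variation)."""
    value = value.replace("^", "").replace('""', "")
    return " ".join(value.split()).lower()

def field_matches(value, modifiers, patterns, harden):
    value = normalize(value) if harden else value.lower()  # Sigma matching is case-insensitive
    pats = [p.lower() for p in (patterns if isinstance(patterns, list) else [patterns])]
    if "endswith" in modifiers:
        hits = [value.endswith(p) for p in pats]
    elif "contains" in modifiers:
        hits = [p in value for p in pats]
    else:
        hits = [value == p for p in pats]
    return all(hits) if "all" in modifiers else any(hits)

def rule_matches(rule, event, harden=False):
    for key, patterns in rule["detection"]["selection"].items():
        field, *mods = key.split("|")
        if field not in event or not field_matches(event[field], mods, patterns, harden):
            return False
    return True

def evaluate(rule, labelled_events, harden=False):
    """Return (true_positives, false_positives, false_negatives) over labelled log events."""
    tp = fp = fn = 0
    for event, is_malicious in labelled_events:
        hit = rule_matches(rule, event, harden)
        tp += hit and is_malicious
        fp += hit and not is_malicious
        fn += (not hit) and is_malicious
    return tp, fp, fn

EVENTS = [  # constructed process-creation events, labelled malicious (True) or benign (False)
    ({"Image": "C:\\Windows\\System32\\wevtutil.exe", "CommandLine": "wevtutil cl Security"}, True),
    ({"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c WEV^TUTIL c^l Security"}, True),
    ({"Image": "C:\\Windows\\System32\\wevtutil.exe", "CommandLine": "wevtutil qe Security /c:5 /rd:true"}, False),
    ({"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir C:\\Users"}, False),
]

if __name__ == "__main__":
    print("plain rule (tp, fp, fn):", evaluate(RULE, EVENTS))          # (1, 0, 1): caret variant missed
    print("hardened rule (tp, fp, fn):", evaluate(RULE, EVENTS, harden=True))  # (2, 0, 0)
```

The caret-obfuscated event is a false negative for the plain rule and a true positive once the normalization step is applied, while the benign `wevtutil qe` query stays unflagged in both runs.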