[English] | [日本語]
Sigma rules have already been pre-converted to hayabusa format and placed in the ./rules/sigma directory.
Please refer to this documentation to convert rules on your own for local testing, using the latest rules, etc...
To run this script, Poetry is required. Please refer to the official documentation for Poetry installation at the following link: https://python-poetry.org/docs/#installation
https://github.com/SigmaHQ/sigma
logsource_mapping.py is a tool to convert the logsource field of Sigma rules to Hayabusa format.
Since Hayabusa at the moment does not support logsource for filtering on Channel and EventID fields and rewriting field names when necessary, we use the following yaml mapping files to convert the contents of logsource to the detection and condition fields.
- sysmon.yaml
- windows-antivirus.yaml
- windows-audit.yaml
- windows-services.yaml
The following Sigma rules are converted to the following two Hayabusa formats after running logsource_mapping.py.
Sigma rule:
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '.exe'
detection: selectionHayabusa rule (for Sysmon rules):
logsource:
category: process_creation
product: windows
detection:
process_creation:
Channel: Microsoft-Windows-Sysmon/Operational
EventID: 1
selection:
- Image|endswith: '.exe'
detection: process_creation and selectionHayabusa rule (for Windows built-in rules)
logsource:
category: process_creation
product: windows
detection:
process_creation:
Channel: Security
EventID: 4688
selection:
- NewProcessName|endswith: '.exe'
detection: process_creation and selectiongit clone https://github.com/SigmaHQ/sigma.gitgit clone https://github.com/Yamato-Security/hayabusa-rules.gitcd hayabusa-rules/tools/sigmacpoetry install --no-rootpoetry run python logsource_mapping.py -r ../../../sigma -o ./converted_sigma_rules
After executing the commands above, the rules converted to Hayabusa format will be output to the ./converted_sigma_rules directory.