Skip to content

marirs/sigma-convert

Repository files navigation

SIGMA CONVERT

This project draws inspiration from SigmaHQ for the opensource Sigma Rules. Sigma Convert can convert Sigma Rules to the following destination types. It can convert a single sigma rule file or a folder of sigma rule files. There is also an API Server available, so you can run an API Server to do conversions using Microservices.

Test it

Convertor: https://www.sigmac.to
API Docs: https://www.sigmac.to/docs

Supported Conversions.

The currently supported backends are:

  • ElastAlert
  • HumioAlert
  • Kibana
  • Qradar
  • Splunk
  • ArcSight
  • Chronicle
  • Devo
  • LogRhythm
  • KafkaSQL
  • AWS OpenSearch
  • DNIF
  • GrayLog
  • SQL
  • SQLite
  • Secronix
  • Sentinel
  • Snowflake
  • Sumo Logic

Help

$ ./sigmac --help
This is the Sigma command line interface to convert Sigma rules into query languages.

Usage: sigmac [OPTIONS] --dest-type <DEST_TYPE>

Options:
  -s, --source-type <SOURCE_TYPE>
          The source target to convert from [default: sigma]
  -t, --dest-type <DEST_TYPE>
          The target type to convert to, could be arcsight, quradar, elastalert
  -f, --file-source <FILE_SOURCE>
          The source file to convert
  -d, --dir-source <DIR_SOURCE>
          The source dir to recursively convert
  -m, --mappings-file <MAPPINGS_FILE>
          The mappings.txt file for the current backend
      --keep-fields <KEEP_FIELDS>
          Keep the following list of fields in the sigma rule(comma separated). Eg "title, author, tags". `Note: This only applies to the ElastAlert dest_type`
      --replace-fields <REPLACE_FIELDS>
          Replace the following list of K:V fields in the elastalert rule (comma separated). Eg "index: tid1452-*". `Note: This only applies to the ElastAlert dest_type`
      --add-alerting <ADD_ALERTING>
          Add an alerting mode to the list in the elastalert rule. `Note: This only applies to the ElastAlert dest_type`
      --add-fields <ADD_FIELDS>
          Add extra fields in the elastalert rule if required. `Note: This only applies to the ElastAlert dest_type`
  -h, --help
          Print help
  -V, --version
          Print version

Example Usage

  • Convert a simple Sigma Rule to ElastAlert
$ ./sigmac --source-type sigma --dest-type elastalert --file-source ../sigmarules/T1089-\ Defense\ evasion\ \ -\ Disabling\ Security\ Tools.yml 
Converting the sigma rule in ../sigmarules/T1089- Defense evasion  - Disabling Security Tools.yml...
SUCCESS: Converted the sigma rule in ../sigmarules/T1089- Defense evasion  - Disabling Security Tools.yml to elastalert.

Output File: "~/Documents/output/elastalert_T1089- Defense evasion  - Disabling Security Tools.yml"
  • Convert a simple Sigma Rule to ElastAlert and keep certain fields in the ElastAlert output
$ ./sigmac --dest-type elastalert --file-source ../sigmarules/T1089-\ Defense\ evasion\ \ -\ Disabling\ Security\ Tools.yml --keep-fields name,tags,impact
  • Convert a simple Sigma Rule to ElastAlert and change/replace field values
$ ./sigmac --source-type sigma --dest-type elastalert --file-source ../sigmarules/T1089-\ Defense\ evasion\ \ -\ Disabling\ Security\ Tools.yml --replace-fields "index: newindex*"
  • Convert a simple Sigma Rule to ElastAlert and add new fields
$ ./sigmac --dest-type elastalert --file-source ../sigmarules/T1089-\ Defense\ evasion\ \ -\ Disabling\ Security\ Tools.yml --add-fields "xyz=new_field1, abc=new_field2"
  • Convert a simple Sigma Rule to ElastAlert and add new alerting other than debug
$ ./sigmac --dest-type elastalert --file-source ../sigmarules/T1089-\ Defense\ evasion\ \ -\ Disabling\ Security\ Tools.yml --add-alerting "Some.New.Alerting"
  • Convert a simple Sigma Rule to a destination along with Field Mapping file. Use-case Scenario: Typically, Sigma Rule YML Files are defaulted with assumed keys. Here you can pass a field mapping file so that you can replace the default keys to match the keys for your environment.
$ ./sigmac  --source-type <SOURCE_TYPE> --dest-type <DEST-TYPE> --file-source <FILE> --mappings_file <MAPPINGS-FILE>
  • Convert a batch of Sigma files from a folder to ElastAlert
$ ./sigmac --source-type sigma --dest-type elastalert --dir-source ../sigmarules 

Authors

Sriram marirs@gmail.com

License

  • MIT