Usage Examples

Metin Münüklü edited this page Jul 20, 2024 · 5 revisions

In this section, you will find detailed instructions on how to use Alterix effectively. We provide examples for different scenarios to demonstrate the capabilities of the tool.

Converting Sigma, YARA Rules, and IOC Data

To convert Sigma, YARA rules, and IOC data to the query language of Crypttech's SIEM product, follow these steps:

  1. Ensure you have Sigma rules in YAML format, which can be found in the Sigma GitHub repository. Additionally, prepare YARA rules, typically stored in plain text files. For IOC data, gather your indicators in the required format (e.g., IP addresses, domains, URLs, hashes).

  2. Obtain the configuration file (crypttech_config.yml) for Crypttech's SIEM product from your system administrator. This configuration file is used for mapping column names and other necessary settings.

  3. Open a terminal or command prompt and navigate to the directory where Alterix is installed.

  4. Run the following commands to convert Sigma rules, YARA rules, or IOC data, replacing <path-to-sigma-rules>, <path-to-yara-rules>, or <path-to-ioc-data> with the location of your respective files or directories, and <path-to-config> with the location of the crypttech_config.yml file obtained in step 2:

    • For Sigma rules:
      ./alterix -sigma -filepath <path-to-sigma-rules> -config <path-to-config>
    • For YARA rules:
      ./alterix -yara -filepath <path-to-yara-rules> -config <path-to-config>
    • For IOC data:
      ./alterix -ioc -filepath <path-to-ioc-data> -config <path-to-config>

    Alterix will process the Sigma rules, YARA rules, and IOC data and generate the corresponding queries based on the column mappings specified in the crypttech_config.yml file.

Advanced Options

Alterix provides additional options to customize the conversion process. Here are a few examples:

  • JSON Output: To obtain the output in JSON format, add the -json flag to the command:

    • For Sigma rules:
      ./alterix -sigma -filepath <path-to-sigma-rules> -config <path-to-config> -json
    • For YARA rules:
      ./alterix -yara -filepath <path-to-yara-rules> -config <path-to-config> -json
    • For IOC data:
      ./alterix -ioc -filepath <path-to-ioc-data> -config <path-to-config> -json
  • Custom Output Directory: To specify a custom directory for the output files, use the -output flag followed by the desired directory path:

    • For Sigma rules:
      ./alterix -sigma -filepath <path-to-sigma-rules> -config <path-to-config> -output <output-directory>
    • For YARA rules:
      ./alterix -yara -filepath <path-to-yara-rules> -config <path-to-config> -output <output-directory>
    • For IOC data:
      ./alterix -ioc -filepath <path-to-ioc-data> -config <path-to-config> -output <output-directory>

Feel free to experiment with different options and explore the full potential of Alterix in adapting Sigma rules, YARA rules, and IOC data to Crypttech's SIEM product.
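The conversion steps and the -json and -output options above are usually run from a scheduled job rather than by hand, where a mistyped flag or a missing configuration file should stop the run early instead of producing partial output. The following POSIX sh wrapper is an added example, not part of the Alterix project: it checks the input type and the files before invoking the binary, and converts every rule file in a directory individually so that one bad rule does not abort the rest. It assumes the binary is ./alterix in the current directory (overridable through the ALTERIX_BIN variable) and that the flags are exactly the ones documented on this page.

```shell
#!/bin/sh
# Added example wrapper around the alterix CLI (not part of the Alterix project).
# Assumptions: the binary is ./alterix in the current directory unless
# ALTERIX_BIN is set, and the flags are those documented on this page:
# -sigma/-yara/-ioc, -filepath, -config, -output, -json.

ALTERIX_BIN="${ALTERIX_BIN:-./alterix}"

# build_alterix_cmd TYPE FILEPATH CONFIG [OUTPUT_DIR] [json]
# Prints the command line that would be executed and returns 1 (with a
# message on stderr) when the type is unknown or a file is missing.
build_alterix_cmd() {
    in_type="$1"; in_path="$2"; in_config="$3"; out_dir="$4"; want_json="$5"

    case "$in_type" in
        sigma|yara|ioc) ;;
        *) echo "alterix wrapper: unknown input type '$in_type' (expected sigma, yara or ioc)" >&2
           return 1 ;;
    esac
    if [ ! -e "$in_path" ]; then
        echo "alterix wrapper: input not found: $in_path" >&2
        return 1
    fi
    if [ ! -f "$in_config" ]; then
        echo "alterix wrapper: config file not found: $in_config" >&2
        return 1
    fi

    cmd="$ALTERIX_BIN -$in_type -filepath $in_path -config $in_config"
    if [ -n "$out_dir" ]; then
        cmd="$cmd -output $out_dir"
    fi
    if [ "$want_json" = "json" ]; then
        cmd="$cmd -json"
    fi
    printf '%s\n' "$cmd"
}

# run_alterix TYPE FILEPATH CONFIG [OUTPUT_DIR] [json]
# Same validation, then executes the binary with each argument quoted
# (no eval of the printed string, so paths containing spaces are safe).
run_alterix() {
    build_alterix_cmd "$@" >/dev/null || return 1
    in_type="$1"; in_path="$2"; in_config="$3"; out_dir="$4"; want_json="$5"
    set -- "$ALTERIX_BIN" "-$in_type" -filepath "$in_path" -config "$in_config"
    if [ -n "$out_dir" ]; then
        set -- "$@" -output "$out_dir"
    fi
    if [ "$want_json" = "json" ]; then
        set -- "$@" -json
    fi
    "$@"
}

# convert_dir TYPE DIR CONFIG OUTPUT_DIR
# Converts each file in DIR on its own with JSON output, continues past
# failures, prints a summary and returns non-zero if any file failed.
convert_dir() {
    dir_type="$1"; src_dir="$2"; dir_config="$3"; dir_out="$4"
    failed=0; total=0
    for f in "$src_dir"/*; do
        [ -f "$f" ] || continue
        total=$((total + 1))
        if ! run_alterix "$dir_type" "$f" "$dir_config" "$dir_out" json; then
            echo "alterix wrapper: conversion failed for $f" >&2
            failed=$((failed + 1))
        fi
    done
    echo "alterix wrapper: $((total - failed))/$total files converted"
    [ "$failed" -eq 0 ]
}

# Example invocation (constructed paths):
#   convert_dir sigma sigma_rules/rules crypttech_config.yml converted_rules/
```

The per-file loop in convert_dir trades one large invocation for many small ones; the benefit is that the summary line and the exit status tell a scheduler exactly how many rules failed to convert, which a single bulk run would hide.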

Examples

Here are a few examples to demonstrate the usage of Alterix:

  1. Converting Single Sigma Rule:

    ./alterix -sigma -filepath sigma_rules/rules/windows_process_creation.yml -config crypttech_config.yml

    This command converts the windows_process_creation.yml Sigma rule to the query language based on the column mappings specified in crypttech_config.yml.

  2. Bulk Conversion of Sigma Rules with JSON Output:

    ./alterix -sigma -filepath sigma_rules/rules -config crypttech_config.yml -json -output converted_rules/

    This command converts all Sigma rules in the sigma_rules/rules directory to the query language based on the column mappings specified in crypttech_config.yml and saves the output in JSON format in the converted_rules/ directory.

  3. Converting YARA Rules:

    ./alterix -yara -filepath yara_rules/rules -config crypttech_config.yml

    This command converts all YARA rules in the yara_rules/rules directory to the query language based on the column mappings specified in crypttech_config.yml.

  4. Converting IOC Data:

    ./alterix -ioc -filepath ioc_data/indicators.txt -config crypttech_config.yml

    This command converts IOC data from the ioc_data/indicators.txt file to the query language based on the column mappings specified in crypttech_config.yml.

Docker Usage

After setting up the Docker image and container using the provided setup script, you can execute the Alterix command within the Docker container using docker exec. Here's the command:

docker exec alterix ./alterix -sigma -filepath /sigma_rules -config /config/crypttech_config.yml -json -output /output

Replace /sigma_rules with the path to your Sigma rules, /config with the path to your crypttech_config.yml file, and /output with the path where you want to save the output files. For YARA rules or IOC data, replace -sigma with -yara or -ioc as appropriate.