# Sigma

The `sigma` project defines a generic, `YAML`-based pattern matching syntax (similar to `yara`) that allows hunters to define their logic in a database-agnostic way.

## Basic Usage

`sigma` also provides a toolchain to convert these rules into search queries that are consumable by a number of different backend databases and data models. The tool `sigmac` handles the conversion from the `sigma` rule syntax into a query that your database can understand. The `--help` text can be a little intimidating...

```shell
python ../tools/sigmac --help
```

But really there are only a few core concepts that we need to introduce. To start, we can use the `--list` flag to enumerate the `target` and `config` options that we will need to pass on the command line:

```shell
python ../tools/sigmac --list
```

The `target` (or `backend`) for the `sigma` conversion defines the query syntax of the output. The `config` defines the data model, i.e. how field names in the rule are mapped onto the field names of the schema your data is actually stored in. Since we are interested in converting `sigma` rules into Carbon Black queries, we add `--target carbonblack` and `--config carbon-black` to our command line:

```shell
python ../tools/sigmac --target carbonblack --config carbon-black ../rules/windows/process_creation/win_local_system_owner_account_discovery.yml
```

If we indexed Windows Security/4688 events using `WinLogBeat` and wanted to find the same activity in `elasticsearch`, we would pass a different `target` (and the matching `winlogbeat` field mapping as `config`) to convert the same rule into that database's query syntax. For example, here is the `lucene` query string version of the same `sigma` rule:

```shell
python ../tools/sigmac --target es-qs --config winlogbeat ../rules/windows/process_creation/win_local_system_owner_account_discovery.yml
```

Or SQL, using the `windows-audit` field mapping:

```shell
python ../tools/sigmac --target sql --config windows-audit ../rules/windows/process_creation/win_local_system_owner_account_discovery.yml
```

Or, for `sysmon` data ingested into Azure Sentinel, the `ala` (Azure Log Analytics) target with the `sysmon` field mapping:

```shell
python ../tools/sigmac --target ala --config sysmon ../rules/windows/process_creation/win_local_system_owner_account_discovery.yml
```
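
To make the `target`/`config` split concrete, here is a deliberately minimal converter written for this page (it is not the project's `sigmac`, and handles only a single `selection` joined by AND). The rule and the two field mappings are constructed stand-ins for the real YAML and config files; `es-qs` and `sql` are the two target syntaxes it renders.

```python
"""Minimal Sigma-to-query converter (added example, not the project's sigmac)."""
from typing import Dict, List

# Constructed rule, as yaml.safe_load would return it for a small Sigma file.
# Modelled on the process_creation rules above, not copied from one of them.
RULE = {
    "title": "Local System Owner Account Discovery (constructed)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\whoami.exe", "\\net.exe"],
            "CommandLine|contains": "user",
        },
        "condition": "selection",
    },
}

# Constructed field-name mappings standing in for sigmac --config files.
CONFIGS: Dict[str, Dict[str, str]] = {
    "winlogbeat": {"Image": "winlog.event_data.NewProcessName",
                   "CommandLine": "winlog.event_data.CommandLine"},
    "windows-audit": {"Image": "NewProcessName", "CommandLine": "CommandLine"},
}

def _wildcard(modifier: str, value: str) -> str:
    """Apply a Sigma value modifier (contains/endswith/startswith) as glob wildcards."""
    return {"contains": f"*{value}*", "endswith": f"*{value}",
            "startswith": f"{value}*"}.get(modifier, value)

def _render(target: str, field: str, value: str) -> str:
    """Render one field/value pair in the chosen target's query syntax."""
    if target == "es-qs":   # Lucene query string: backslashes must be escaped
        esc = value.replace("\\", "\\\\")
        return f"{field}:{esc}"
    if target == "sql":     # SQL LIKE: % is the wildcard, '' escapes a quote
        esc = value.replace("*", "%").replace("'", "''")
        return f"{field} LIKE '{esc}'"
    raise ValueError(f"unsupported target {target}")

def convert(rule: dict, target: str, config: str) -> str:
    """Map rule fields through the config, then join the selection with AND."""
    det = rule["detection"]
    if det.get("condition") != "selection":
        raise NotImplementedError("only 'condition: selection' is handled here")
    mapping, clauses = CONFIGS[config], []  # type: Dict[str, str], List[str]
    for key, raw in det["selection"].items():
        field, _, modifier = key.partition("|")
        values = raw if isinstance(raw, list) else [raw]
        parts = [_render(target, mapping.get(field, field), _wildcard(modifier, v)) for v in values]
        clauses.append(parts[0] if len(parts) == 1 else "(" + " OR ".join(parts) + ")")
    return " AND ".join(clauses)

if __name__ == "__main__":
    for tgt, cfg in (("es-qs", "winlogbeat"), ("sql", "windows-audit")):
        print(f"--target {tgt} --config {cfg}\n  {convert(RULE, tgt, cfg)}")
```

Swapping only the `config` changes the field names in the output; swapping only the `target` changes the operators and escaping, which is exactly the separation `sigmac` relies on.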

Finally, the companion tool `sigma2attack` reads the ATT&CK technique tags from a directory of rules and produces a coverage map that can be loaded into the ATT&CK Navigator:

```shell
python ../tools/sigma2attack --rules-directory ../rules/windows/process_creation
```