Sigma Legacy Tools
This repository contains the Sigma legacy toolchain mostly known for the first iteration of the Sigma conversion tool, sigmac. Please don't use this anymore in new projects or provide new backends to this project, because it is not actively maintained anymore and was replaced with pySigma (library) and Sigma CLI (command line tool including conversion based on pySigma).
Sigma itself is the generic signature format for SIEM systems, check the main rule repository for further information.
Sigmac
Sigmac converts sigma rules into queries or inputs of the supported targets listed below. It acts as a frontend to the Sigma library that may be used to integrate Sigma support in other projects. Further, there's merge_sigma.py which merges multiple YAML documents of a Sigma rule collection into simple Sigma rules.
WARNING: Do not provide conversion backends for this tool anymore. We'll soon set a date for its deprecation. Since October 2020, we're working on a much more flexible and stable module named pySigma and a command line interface named sigma-cli that makes use of pySigma.
Usage
usage: sigmac [-h] [--recurse] [--filter FILTER]
[--target {sqlite,netwitness-epl,logpoint,graylog,netwitness,arcsight,carbonblack,es-rule,ala,elastalert-dsl,splunkxml,fieldlist,sysmon,arcsight-esm,kibana,csharp,qualys,powershell,es-qs,mdatp,humio,grep,qradar,logiq,sql,sumologic,ala-rule,limacharlie,elastalert,splunk,stix,xpack-watcher,crowdstrike,es-dsl,ee-outliers}]
[--target-list] [--config CONFIG] [--output OUTPUT]
[--backend-option BACKEND_OPTION] [--defer-abort]
[--ignore-backend-errors] [--verbose] [--debug]
[inputs [inputs ...]]
Convert Sigma rules into SIEM signatures.
positional arguments:
inputs Sigma input files ('-' for stdin)
optional arguments:
-h, --help show this help message and exit
--recurse, -r Use directory as input (recurse into subdirectories is
not implemented yet)
--filter FILTER, -f FILTER
Define comma-separated filters that must match (AND-
linked) to rule to be processed. Valid filters:
level<=x, level>=x, level=x, status=y, logsource=z,
tag=t. x is one of: low, medium, high, critical. y is
one of: experimental, testing, stable. z is a word
appearing in an arbitrary log source attribute. t is a
tag that must appear in the rules tag list, case-
insensitive matching. Multiple log source
specifications are AND linked.
--target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp,devo}, -t {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp,devo}
Output target format
--target-list, -l List available output target formats
--config CONFIG, -c CONFIG
Configurations with field name and index mapping for
target environment. Multiple configurations are merged
into one. Last config is authoritative in case of
conflicts.
--output OUTPUT, -o OUTPUT
Output file or filename prefix if multiple files are
generated
--backend-option BACKEND_OPTION, -O BACKEND_OPTION
Options and switches that are passed to the backend
--defer-abort, -d Don't abort on parse or conversion errors, proceed
with next rule. The exit code from the last error is
returned
--ignore-backend-errors, -I
Only return error codes for parse errors and ignore
errors for rules that cause backend errors. Useful,
when you want to get as much queries as possible.
--verbose, -v Be verbose
--debug, -D Debugging output
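The --filter semantics above (AND-linked terms, level comparisons, status, log source and case-insensitive tag matching) implemented as an added example; this is not sigmac's own code, and "logsource=z" is interpreted here as z equalling the value of some log source attribute:

```python
"""Added example (not sigmac's own code): a matcher for the --filter syntax
described above, applied to rules already parsed into dicts."""

LEVELS = ["low", "medium", "high", "critical"]
STATUSES = {"experimental", "testing", "stable"}

# Constructed sample rules (plain dicts instead of YAML so this runs offline).
RULES = [
    {"title": "Rule A", "level": "high", "status": "stable",
     "logsource": {"product": "windows", "service": "sysmon"},
     "tags": ["attack.t1086", "attack.execution"]},
    {"title": "Rule B", "level": "low", "status": "experimental",
     "logsource": {"product": "linux", "service": "auditd"},
     "tags": ["attack.persistence"]},
]

def _level_match(rule, term):
    # order matters: test "<=" and ">=" before the bare "="
    for op, cmp in (("<=", int.__le__), (">=", int.__ge__), ("=", int.__eq__)):
        if term.startswith("level" + op):
            want = term[len("level" + op):]
            have = rule.get("level")
            if want not in LEVELS or have not in LEVELS:
                return False
            return cmp(LEVELS.index(have), LEVELS.index(want))
    raise ValueError("invalid level filter: " + term)

def match_filter(rule, flt):
    """True if every comma-separated (AND-linked) filter term matches the rule."""
    for term in (t.strip() for t in flt.split(",") if t.strip()):
        if term.startswith("level"):
            ok = _level_match(rule, term)
        elif term.startswith("status="):
            want = term[len("status="):]
            if want not in STATUSES:
                raise ValueError("invalid status filter: " + term)
            ok = rule.get("status") == want
        elif term.startswith("logsource="):
            # z must equal the value of some log source attribute (interpretation)
            ok = term[len("logsource="):] in map(str, rule.get("logsource", {}).values())
        elif term.startswith("tag="):
            want = term[len("tag="):].lower()
            ok = want in (t.lower() for t in rule.get("tags", []))
        else:
            raise ValueError("unknown filter: " + term)
        if not ok:
            return False
    return True

def filter_rules(rules, flt):
    """Titles of the rules that pass the filter, e.g. for -f 'level>=high'."""
    return [r["title"] for r in rules if match_filter(r, flt)]
```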
Examples
Single Rule Translation
Translate a single rule
tools/sigmac -t splunk -c splunk-windows rules/windows/sysmon/sysmon_susp_image_load.yml
Rule Set Translation
Translate a whole rule directory and ignore backend errors (-I) in rule conversion for the selected backend (-t splunk)
tools/sigmac -I -t splunk -c splunk-windows -r rules/windows/sysmon/
Translate Only Rules of Level High or Critical
Translate a whole rule directory and ignore backend errors (-I) in rule conversion for the selected backend (-t splunk), and select only rules of level high and critical
tools/sigmac -I -t splunk -c splunk-windows -f 'level>=high' -r rules/windows/sysmon/
Rule Set Translation with Custom Config
Apply your own config file (-c ~/my-elk-winlogbeat.yml) during conversion, which can contain your custom field and source mappings
tools/sigmac -t es-qs -c ~/my-elk-winlogbeat.yml -r rules/windows/sysmon
Generic Rule Set Translation
Use a config file for process_creation rules (-r rules/windows/process_creation) that instructs sigmac to create queries for a Sysmon log source (-c tools/config/generic/sysmon.yml) and the ElasticSearch target backend (-t es-qs)
tools/sigmac -t es-qs -c tools/config/generic/sysmon.yml -r rules/windows/process_creation
Generic Rule Set Translation with Custom Config
Use a config file for a single process_creation rule (./rules/windows/process_creation/win_susp_outlook.yml) that instructs sigmac to create queries for process creation events generated in the Windows Security Eventlog (-c tools/config/generic/windows-audit.yml) and a Splunk target backend (-t splunk), combined with a custom mapping file (-c ~/my-splunk-mapping.yml). With multiple -c options the configs are merged and the last one is authoritative in case of conflicts.
tools/sigmac -t splunk -c ~/my-splunk-mapping.yml -c tools/config/generic/windows-audit.yml ./rules/windows/process_creation/win_susp_outlook.yml
(See @blubbfiction's blog post for more information)
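How the generic configs and the -c merge order shape the result, as an added example that models sigmac's behaviour rather than reusing its code; the config and rule contents are constructed, and the field names and EventIDs are assumptions modelled on the sysmon and windows-audit configs, not copies of them:

```python
"""Added example (not sigmac's own code): a model of how sigmac applies the
-c configs above: configs merge in order (last one wins on conflicts), matching
logsource entries add conditions, and fieldmappings rename rule fields."""

# Constructed configs modelled on the generic sysmon / windows-audit ones;
# the field names and EventIDs here are assumptions, not copied from the repo.
SYSMON_CFG = {
    "logsources": {"process_creation": {
        "category": "process_creation", "product": "windows",
        "conditions": {"EventID": 1}}},
    "fieldmappings": {"Image": "Image", "CommandLine": "CommandLine"},
}
WINAUDIT_CFG = {
    "logsources": {"process_creation": {
        "category": "process_creation", "product": "windows",
        "conditions": {"EventID": 4688}}},
    "fieldmappings": {"Image": "NewProcessName", "CommandLine": "CommandLine"},
}
# A custom mapping in the role of ~/my-splunk-mapping.yml (constructed)
MY_MAPPING_CFG = {"fieldmappings": {"CommandLine": "process.command_line"}}

# Constructed rule in the shape of a process_creation Sigma rule
RULE = {
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {"selection": {"Image": "*\\outlook.exe", "CommandLine": "*/safe*"}},
}

def merge_configs(*configs):
    """Merge configs given in -c order; later keys overwrite earlier ones."""
    merged = {"logsources": {}, "fieldmappings": {}}
    for cfg in configs:
        merged["logsources"].update(cfg.get("logsources", {}))
        merged["fieldmappings"].update(cfg.get("fieldmappings", {}))
    return merged

def convert(rule, config):
    """Selection (field -> value) after logsource conditions and field mapping."""
    ls = rule["logsource"]
    conds = {}
    for entry in config["logsources"].values():
        # an entry applies when all its non-condition keys equal the rule's logsource
        if all(ls.get(k) == v for k, v in entry.items() if k != "conditions"):
            conds.update(entry.get("conditions", {}))
    fm = config["fieldmappings"]
    sel = {fm.get(f, f): v for f, v in rule["detection"]["selection"].items()}
    return {**conds, **sel}

def to_query(selection):
    """Render a selection as a simple AND-joined query string."""
    return " AND ".join(f'{k}="{v}"' for k, v in selection.items())
```

With the command above, windows-audit.yml is given last, so its CommandLine mapping wins over the custom one; swapping the two -c options reverses that.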
Supported Targets
- Splunk (plain queries and dashboards)
- ElasticSearch Query Strings
- ElasticSearch Query DSL
- Kibana
- Elastic X-Pack Watcher
- Logpoint
- Microsoft Defender Advanced Threat Protection (MDATP)
- Azure Sentinel / Azure Log Analytics
- Sumologic
- ArcSight
- QRadar
- Qualys
- RSA NetWitness
- PowerShell
- Grep with Perl-compatible regular expression support
- LimaCharlie
- ee-outliers
- Structured Threat Information Expression (STIX)
- LOGIQ
- uberAgent ESA
- Devo
- LogRhythm
- Datadog Logs
- FortiSIEM
- HAWK.io MDR
New targets are continuously developed. You can get a list of supported targets with sigmac --target-list or sigmac -l.
Requirements
The usage of Sigmac (the Sigma Rule Converter) or the underlying library requires Python >= 3.5 and PyYAML.
Installation
It's available on PyPI. Install with:
pip3 install sigmatools
Alternatively, if used from the Sigma Github repository, the Python dependencies can be installed with Pipenv. Run the following command to get a shell with the installed requirements:
pipenv shell
For development (e.g. execution of integration tests with make and packaging), further dependencies are required and can be installed with:
pipenv install --dev
pipenv shell
Sigma2MISP
Import Sigma rules to MISP events. Depends on PyMISP.
Parameters that aren't changed frequently (--url, --key) can be put without the prefixing dashes -- into a file and included with @filename as parameter on the command line.
Example: misp.conf:
url https://host
key foobarfoobarfoobarfoobarfoobarfoobarfoo
Load Sigma rule into MISP event 1234:
sigma2misp @misp.conf --event 1234 sigma_rule.py
Load Sigma rules in directory sigma_rules/ into one newly created MISP event with info set to Test Event:
sigma2misp @misp.conf --same-event --info "Test Event" -r sigma_rules/
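The @misp.conf mechanism described above, as an added example built on argparse's fromfile_prefix_chars; this is not sigma2misp's own code, the option set is an assumption, and the conf content is constructed with a placeholder key:

```python
"""Added example (not sigma2misp's own code): the @filename mechanism described
above, built on argparse's fromfile_prefix_chars. Each "name value" line in the
file is expanded to "--name value"; the option names are assumptions."""
import argparse
import os
import tempfile

# Constructed misp.conf content (the key is an obvious placeholder)
MISP_CONF = "url https://host\nkey foobarfoobarfoobarfoobarfoobarfoobarfoo\n"

class ConfArgumentParser(argparse.ArgumentParser):
    def convert_arg_line_to_args(self, arg_line):
        # "url https://host" -> ["--url", "https://host"]; blank lines are skipped
        parts = arg_line.strip().split(None, 1)
        return ["--" + parts[0]] + parts[1:] if parts else []

def build_parser():
    parser = ConfArgumentParser(fromfile_prefix_chars="@")
    parser.add_argument("--url", required=True)
    parser.add_argument("--key", required=True)
    parser.add_argument("--event", type=int, help="existing MISP event id")
    parser.add_argument("--same-event", action="store_true")
    parser.add_argument("--info", help="info text of a newly created event")
    parser.add_argument("-r", "--recurse", action="store_true")
    parser.add_argument("inputs", nargs="+")
    return parser

def parse_with_conf(conf_text, argv):
    """Write conf_text to a temp file and parse argv with it prepended as @file."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as f:
        f.write(conf_text)
    try:
        return build_parser().parse_args(["@" + path] + argv)
    finally:
        os.unlink(path)
```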
Evt2Sigma
Evt2Sigma helps you with the rule creation. It generates a Sigma rule from a log entry.
Sigma2attack
Generates a MITRE ATT&CK® Navigator heatmap from a directory containing sigma rules.
Requirements:
- Sigma rules tagged with an attack.tXXXX tag (e.g. attack.t1086)
Usage samples:
# Use the default "rules" folder
./tools/sigma2attack
# ... or specify your own
./tools/sigma2attack --rules-directory ~/hunting/rules
Result once imported in the MITRE ATT&CK® Navigator (online version):
S2AN
Similar to Sigma2attack, S2AN is a pre-compiled binary for both Windows and GNU/Linux that generates MITRE ATT&CK® Navigator layers from a directory of Sigma rules.
S2AN was developed to be used as a standalone tool or as part of a CI/CD pipeline where it can be quickly downloaded and executed without external dependencies.
Contributed Scripts
The directory contrib contains scripts that were contributed by the community:
sigma2elastalert.py is by David Routin: A script that converts Sigma rules to Elastalert configurations. This tool uses sigmac and expects it in its path.
These tools are not part of the main toolchain and maintained separately by their authors.
License
The toolchain is licensed under the GNU Lesser General Public License