Translating for your SIEM.

Last week's post covered writing detections.

You probably have numerous security tools in your stack, each with different rule formats and languages.

This week I’ll show you how to convert Sigma Rules into formats your other security tools will be able to utilise.

To do this, let's take a simple rule created by Austin Songer.

SIEM Rules Sigma Activity Performed by Terminated User

This rule detects activity from a terminated user.

Here’s the detection:

detection:
  condition: selection
  selection:
    eventName: Activity performed by terminated user
    eventSource: SecurityComplianceCenter
    status: success
falsepositives:
- Unknown

If you think back to last week's post, this detection means match on:

eventName=Activity performed by terminated user AND eventSource=SecurityComplianceCenter AND status=success

Splunk users will recognise that this translation is already a valid Splunk search, but we can get SIEM Rules to do it automatically, and for a range of other formats…

Remember the Sigma Rule also contains logsource content, defining what logs a Rule should be used on. For this rule it is defined as:

logsource:
  category: ThreatManagement
  product: m365

You can use this information to make sure the right index, source, sourcetype, etc. is searched for efficiency and speed (e.g. for Splunk this could be index=m365 source=threats), rather than searching over all your data.
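To make the manual translation above concrete, here is a small Sigma-to-Splunk translator written for this post. It is an added example, not the SIEM Rules converter or any of its code. The rule is embedded as a Python dict (a constructed copy of the rule above, so no YAML library is needed), and the logsource-to-index mapping is an assumption you would replace with your own environment's values. It goes a little beyond the single rule on this page: it also handles value lists, the common `contains`/`startswith`/`endswith` modifiers, and `and`/`or`/`not` conditions, which is what most simple Sigma rules use.

```python
"""Translate a simple Sigma rule into a Splunk search string (added example)."""
import re

# Constructed copy of the "Activity Performed by Terminated User" rule discussed above.
TERMINATED_USER_RULE = {
    "title": "Activity Performed by Terminated User",
    "logsource": {"category": "ThreatManagement", "product": "m365"},
    "detection": {
        "selection": {
            "eventName": "Activity performed by terminated user",
            "eventSource": "SecurityComplianceCenter",
            "status": "success",
        },
        "condition": "selection",
    },
}

# Constructed variant using a modifier, a value list and a filter, to show the general case.
FILTERED_RULE = {
    "logsource": {"category": "ThreatManagement", "product": "m365"},
    "detection": {
        "selection": {"eventName|contains": ["terminated", "disabled"]},
        "filter": {"status": "failure"},
        "condition": "selection and not filter",
    },
}

# Assumed mapping from Sigma logsource (product, category) to a Splunk scope prefix.
# Your own index/source/sourcetype names will differ.
LOGSOURCE_MAP = {
    ("m365", "ThreatManagement"): "index=m365 source=threats",
}

# Sigma value modifiers expressed as Splunk wildcard patterns.
MODIFIERS = {"contains": "*{}*", "startswith": "{}*", "endswith": "*{}"}


def _quote(value):
    """Quote a Splunk search value only when it contains characters that need it."""
    text = str(value)
    if not text or re.search(r'[\s="|()]', text):
        return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return text


def _field_clause(key, value):
    """Turn 'field|modifier: value(s)' into field=value clauses joined with OR (AND for |all)."""
    name, *mods = key.split("|")
    pattern = next((MODIFIERS[m] for m in mods if m in MODIFIERS), "{}")
    values = value if isinstance(value, list) else [value]
    clauses = [f"{name}={_quote(pattern.format(v))}" for v in values]
    if len(clauses) == 1:
        return clauses[0]
    joiner = " AND " if "all" in mods else " OR "
    return "(" + joiner.join(clauses) + ")"


def _search_identifier(body):
    """A map is AND of its fields; a list is OR of its entries (maps or keywords)."""
    if isinstance(body, dict):
        clauses = [_field_clause(k, v) for k, v in body.items()]
        joiner = " AND "
    else:
        clauses = [_search_identifier(i) if isinstance(i, dict) else _quote(i) for i in body]
        joiner = " OR "
    return clauses[0] if len(clauses) == 1 else "(" + joiner.join(clauses) + ")"


def sigma_to_splunk(rule, logsource_map=LOGSOURCE_MAP):
    """Expand the condition into Splunk syntax and prefix the logsource scope."""
    detection = rule["detection"]
    searches = {k: v for k, v in detection.items() if k != "condition"}
    tokens = re.findall(r"[\w*]+|\(|\)", detection["condition"])
    out, i = [], 0
    while i < len(tokens):
        tok, low = tokens[i], tokens[i].lower()
        if low in ("and", "or", "not"):
            out.append(low.upper())
        elif tok in "()":
            out.append(tok)
        elif low in ("1", "all") and i + 2 < len(tokens) and tokens[i + 1].lower() == "of":
            # "1 of selection*" -> OR of matching identifiers; "all of ..." -> AND
            pattern = tokens[i + 2]
            regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
            names = list(searches) if pattern == "them" else [n for n in searches if re.match(regex, n)]
            joiner = " OR " if low == "1" else " AND "
            out.append("(" + joiner.join(_search_identifier(searches[n]) for n in names) + ")")
            i += 2
        else:
            out.append(_search_identifier(searches[tok]))
        i += 1
    # A single group needs no outer parentheses.
    if len(out) == 1 and out[0].startswith("(") and out[0].endswith(")"):
        out[0] = out[0][1:-1]
    search = " ".join(out)
    logsource = rule.get("logsource", {})
    prefix = logsource_map.get((logsource.get("product"), logsource.get("category")))
    return f"{prefix} {search}" if prefix else search


if __name__ == "__main__":
    print(sigma_to_splunk(TERMINATED_USER_RULE))
    print(sigma_to_splunk(FILTERED_RULE))
```

Values containing spaces are quoted (the page's unquoted `eventName=Activity performed by terminated user` would be tokenised by Splunk as several terms), and the logsource prefix is only emitted when your mapping knows the product/category pair, so an unmapped rule still produces a valid, if broader, search.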

So far this has been a manual process. Let's automate it. That's where the SIEM Rules API comes in.

It’s possible to pull these rules directly into your downstream tools using our API.

Using the GET Rule endpoint you can pass the version of the Rule and the output_target (the Rule format you want).

SIEM Rules API Rule Endpoint request

Passing Splunk as an output_target will provide a response like this:

SIEM Rules API Rule Endpoint response

If you want to see more about what’s possible, you can view the full SIEM Rules API documentation here.

Now you should have enough to not only create and share some advanced Sigma Rules, but deploy them to start identifying incidents.

Good luck!
