Translating for your SIEM.
Last week's post covered writing detections.
You probably have numerous security tools in your stack, each with different rule formats and languages.
This week I’ll show you how to convert Sigma Rules into formats your other security tools will be able to utilise.
To do this, let's take a simple rule created by Austin Songer.
This rule detects activity from a terminated user.
Here's the detection:
detection:
  condition: selection
  selection:
    eventName: Activity performed by terminated user
    eventSource: SecurityComplianceCenter
    status: success
falsepositives:
  - Unknown
If you think back to last week's post, this detection means match on:
eventName=Activity performed by terminated user AND eventSource=SecurityComplianceCenter AND status=success
Splunk users will recognise this translation is already a valid Splunk rule, but we can get SIEM Rules to do it automatically, and for a range of other formats…
Remember the Sigma Rule also contains logsource content, defining what logs a Rule should be used on. For this rule it is defined as:
logsource:
  category: ThreatManagement
  product: m365
You can use this information to make sure the right index/source/sourcetype/etc. is searched for efficiency and speed (e.g. for Splunk this could be index=m365 source=threats), rather than searching over all your data.
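To make the manual translation above concrete, here is an added Python example (not code from this post or from the SIEM Rules service) that turns the Sigma detection and logsource shown above into a Splunk search. The rule is embedded as a dict rather than loaded from YAML so it runs without extra dependencies; the logsource-to-index mapping (LOGSOURCE_MAP) is an assumption seeded with the index=m365 source=threats example from the post. It goes a little beyond the post's single-selection rule: list values become OR groups, the Sigma contains/startswith/endswith modifiers become wildcards, values containing spaces or punctuation are quoted, and conditions such as `selection and not filter` are rewritten with explicit parentheses.

```python
import re

# Constructed from the Sigma rule quoted in the post (normally you would load
# the .yml with PyYAML; a dict keeps this example dependency-free).
RULE = {
    "logsource": {"category": "ThreatManagement", "product": "m365"},
    "detection": {
        "condition": "selection",
        "selection": {
            "eventName": "Activity performed by terminated user",
            "eventSource": "SecurityComplianceCenter",
            "status": "success",
        },
    },
}

# ASSUMPTION: how (product, category) maps onto a Splunk scope. The post gives
# index=m365 source=threats as the example for this rule; extend per environment.
LOGSOURCE_MAP = {
    ("m365", "ThreatManagement"): "index=m365 source=threats",
}


def quote(value):
    """Leave simple tokens bare; quote anything with spaces or punctuation."""
    s = str(value)
    if re.fullmatch(r"[A-Za-z0-9_.:*-]+", s):
        return s
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def translate_field(key, value):
    """One Sigma field (optionally with a modifier) -> SPL term(s)."""
    field, _, modifier = key.partition("|")
    values = value if isinstance(value, list) else [value]
    terms = []
    for v in values:
        v = str(v)
        if modifier == "contains":
            v = f"*{v}*"
        elif modifier == "startswith":
            v = f"{v}*"
        elif modifier == "endswith":
            v = f"*{v}"
        elif modifier:
            raise ValueError(f"unsupported Sigma modifier: {modifier}")
        terms.append(f"{field}={quote(v)}")
    # A list of values is an OR in Sigma; group it so precedence is explicit.
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"


def translate_search(block):
    """A search block (dict) is an AND of its fields; a list of dicts is an
    OR of blocks. Returns (spl, needs_parens_when_combined)."""
    if isinstance(block, list):
        parts = []
        for b in block:
            spl, multi = translate_search(b)
            parts.append(f"({spl})" if multi else spl)
        return "(" + " OR ".join(parts) + ")", False
    terms = [translate_field(k, v) for k, v in block.items()]
    return " AND ".join(terms), len(terms) > 1


def translate_condition(condition, searches):
    """Rewrite a Sigma condition (identifiers, and/or/not, parentheses) into
    SPL, expanding each identifier to its translated search."""
    out = []
    for tok in re.findall(r"\(|\)|\w+", condition):
        low = tok.lower()
        if low in ("and", "or", "not"):
            out.append(low.upper())
        elif tok in ("(", ")"):
            out.append(tok)
        elif tok in searches:
            spl, multi = searches[tok]
            out.append(f"({spl})" if multi else spl)
        else:
            raise ValueError(f"unsupported condition token: {tok}")
    return " ".join(out)


def sigma_to_splunk(rule, logsource_map=LOGSOURCE_MAP):
    """Full translation: logsource scope prefix + translated detection."""
    ls = rule.get("logsource", {})
    scope = logsource_map.get((ls.get("product"), ls.get("category")))
    det = rule["detection"]
    searches = {k: translate_search(v) for k, v in det.items() if k != "condition"}
    cond = det["condition"].strip()
    # A bare single identifier needs no outer parentheses.
    body = searches[cond][0] if cond in searches else translate_condition(cond, searches)
    return f"{scope} {body}" if scope else body


# Constructed second rule showing a filter and value list (not from the post).
RULE_WITH_FILTER = {
    "logsource": {"product": "linux", "category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": "/bin/sh"},
        "filter": {"User|startswith": ["NT AUTHORITY", "SYSTEM"]},
        "condition": "selection and not filter",
    },
}

if __name__ == "__main__":
    print(sigma_to_splunk(RULE))
    print(sigma_to_splunk(RULE_WITH_FILTER))
```

Because Splunk's Boolean precedence differs from what many people expect, the translator parenthesises every OR group and every multi-term search it combines, rather than relying on operator precedence. Values with spaces are quoted, which the post's hand-written line omits; an unquoted multi-word value would not search as intended.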
So far this has been a manual process. Let's automate it. That's where the SIEM Rules API comes in.
It’s possible to pull these rules directly into your downstream tools using our API.
Using the GET Rule endpoint you can pass the version of the Rule and the output_target (the Rule format you want). Passing Splunk as an output_target will provide a response like this:
If you want to see more about what’s possible, you can view the full SIEM Rules API documentation here.
Now you should have enough to not only create and share some advanced Sigma Rules, but deploy them to start identifying incidents.
Good luck!