Translating for your SIEM.
Last week's post covered writing detections.
You probably have numerous security tools in your stack, each with different rule formats and languages.
This week I’ll show you how to convert Sigma Rules into formats your other security tools will be able to utilise.
To do this, let's take a simple rule created by Austin Songer.
This rule detects activity from a terminated user.
    detection:
      condition: selection
      selection:
        eventName: Activity performed by terminated user
        eventSource: SecurityComplianceCenter
        status: success
    falsepositives:
      - Unknown
If you think back to last week's post, this detection means match on:
eventName=Activity performed by terminated user AND eventSource=SecurityComplianceCenter AND status=success
Splunk users will recognise this translation is already a valid Splunk rule, but we can get SIEM Rules to do it automatically, and for a range of other formats…
Remember the Sigma Rule also contains logsource content, defining what logs a Rule should be used on. For this rule it is defined as:
    logsource:
      category: ThreatManagement
      product: m365
You can use this information to make sure the right index/source/sourcetype/etc is searched for efficiency and speed (e.g. for Splunk this could be index=m365 source=threats), saving searching over all your data.
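To make the two steps above concrete (AND-ing the selection fields, then prefixing the logsource scope), here is an added example of a small translator; it is not SIEM Rules' code. The rule is embedded as a constructed Python dict rather than parsed from YAML, the logsource-to-index mapping is an assumption taken from the index=m365 source=threats example, and values are quoted so Splunk reads a multi-word value as one term.

```python
# Added example, not SIEM Rules' own code: translate a simple Sigma rule
# into a Splunk search. Constructed copy of the rule shown in the post.
RULE = {
    "logsource": {"category": "ThreatManagement", "product": "m365"},
    "detection": {
        "condition": "selection",
        "selection": {
            "eventName": "Activity performed by terminated user",
            "eventSource": "SecurityComplianceCenter",
            "status": "success",
        },
    },
}

# Assumed mapping from a Sigma logsource to where those logs live in Splunk
# (the post's "index=m365 source=threats" example); extend per environment.
LOGSOURCE_MAP = {
    ("m365", "ThreatManagement"): "index=m365 source=threats",
}


def splunk_value(value):
    """Quote a value so Splunk treats it as one term; escape quotes and backslashes."""
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{text}"'


def selection_to_splunk(selection):
    """A Sigma selection is an implicit AND over its fields; a list of values is an OR."""
    clauses = []
    for field, value in selection.items():
        if isinstance(value, list):
            alts = " OR ".join(f"{field}={splunk_value(v)}" for v in value)
            clauses.append(f"({alts})")
        else:
            clauses.append(f"{field}={splunk_value(value)}")
    return " AND ".join(clauses)


def sigma_to_splunk(rule):
    """Prefix the logsource scope (if known) to the translated selection."""
    detection = rule["detection"]
    condition = detection["condition"].strip()
    if condition not in detection:
        # Only conditions that simply name one selection are handled here.
        raise ValueError(f"unsupported condition: {condition!r}")
    logsource = rule.get("logsource", {})
    scope = LOGSOURCE_MAP.get((logsource.get("product"), logsource.get("category")), "")
    return f"{scope} {selection_to_splunk(detection[condition])}".strip()
```

Running sigma_to_splunk(RULE) yields the scoped search shown in the post, with each field value quoted.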
So far this has been a manual process. Let's automate it. That's where the SIEM Rules API comes in.
It’s possible to pull these rules directly into your downstream tools using our API.
With the GET Rule endpoint you can pass the version of the Rule and the output_target (the Rule format you want). Passing Splunk as an output_target will provide a response like this:
If you want to see more about what’s possible, you can view the full SIEM Rules API documentation here.
Now you should have enough to not only create and share some advanced Sigma Rules, but deploy them to start identifying incidents.