{"id":31921057,"url":"https://github.com/deepzec/sigma2xsiam","last_synced_at":"2025-10-13T22:24:44.500Z","repository":{"id":314849613,"uuid":"1056967611","full_name":"deepzec/Sigma2XSIAM","owner":"deepzec","description":"This repository contains a custom pySigma backend specifically designed to convert Sigma rules into functional and accurate Cortex XSIAM XQL queries.","archived":false,"fork":false,"pushed_at":"2025-09-15T05:54:00.000Z","size":627,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-09-15T07:25:50.703Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/deepzec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-15T05:22:35.000Z","updated_at":"2025-09-15T05:54:03.000Z","dependencies_parsed_at":"2025-09-15T07:25:53.075Z","dependency_job_id":"f48499b7-66ab-49ee-b669-36dd3e9cfc9d","html_url":"https://github.com/deepzec/Sigma2XSIAM","commit_stats":null,"previous_names":["deepzec/sigma2xsiam"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/deepzec/Sigma2XSIAM","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/deepzec%2FSigma2XSIAM","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/deepzec%2FSigma2XSIAM/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/deepzec%2FSigma2XSIAM/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/deepzec%2FSigma2XSIAM/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/deepzec","download_url":"https://codeload.github.com/deepzec/Sigma2XSIAM/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/deepzec%2FSigma2XSIAM/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279017162,"owners_count":26085983,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-13T02:00:06.723Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-10-13T22:24:43.087Z","updated_at":"2025-10-13T22:24:44.493Z","avatar_url":"https://github.com/deepzec.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cimg src=\"logo.png\" alt=\"Sigma2XSIAM Logo\" width=\"300\"\u003e\n\n# Sigma2XSIAM\n\nThis repository contains a custom **pySigma backend** specifically designed to convert Sigma rules into functional and accurate **Cortex XSIAM XQL queries**.\n\nThe standard `pysigma-backend-cortexxdr` often falls short in handling the specific syntax and data models required by Cortex XSIAM. This project provides a robust backend and a detailed processing pipeline to bridge that gap, enabling security teams to leverage the vast library of open-source Sigma rules directly within their XSIAM environment.\n\n## Key Features\n\n* **Accurate XQL Syntax:** Correctly handles XSIAM's specific syntax for operators like `contains`, `startswith`, and `endswith`.\n* **Cortex XDM Alignment:** Includes a comprehensive processing pipeline (`cortex_xdm.yml`) that maps generic Sigma fields to the official Cortex Extended Data Model (XDM) schema.\n* **Advanced Modifier Support:** Properly converts complex Sigma modifiers, such as `contains|all`, into the correct `AND`-based logic required by XQL.\n* **PowerShell Rule Conversion:** Translates PowerShell `ScriptBlockText` into searches against the correct XSIAM field (`xdm.source.process.command_line`).\n* **Clean and Readable Output:** Automatically formats the final query to be clean, readable, and ready to be used in the XSIAM console.\n\n## Installation\n\n1. **Clone the Repository:**\n ```bash\n git clone https://github.com/deepzec/Sigma2XSIAM.git\n cd Sigma2XSIAM\n ```\n\n2. **Create and activate a virtual environment (Recommended):**\n ```bash\n python3 -m venv venv\n source venv/bin/activate\n ```\n\n3. **Install Dependencies:**\n Install the required packages using the `requirements.txt` file.\n ```bash\n pip install -r requirements.txt\n ```\n\n4. **Install the Backend:**\n Install the project in \"editable\" mode. This allows you to make changes to the code or pipeline and have them take effect immediately.\n ```bash\n pip install -e .\n ```\n\n## How to Use\n\nUse a simple Python script to load your custom pipeline, the backend, and a Sigma rule to perform the conversion.\n\n1. **Create a Sigma Rule (`rule.yml`):**\n ```yaml\n title: ADRecon Execution\n id: 16863619-3898-46d8-a159-224483584988\n status: test\n description: Detects the execution of ADRecon.ps1 script.\n logsource:\n product: windows\n category: powershell_script\n detection:\n selection:\n ScriptBlockText|contains|all:\n - 'Function Get-ADRExcelComOb'\n - 'Get-ADRGPO'\n - 'Get-ADRDomainController'\n condition: selection\n level: high\n ```\n\n2. **Create a Conversion Script (`convert_rule.py`):**\n ```python\n from sigma.rule import SigmaRule\n from sigma.processing.pipeline import ProcessingPipeline\n from sigma.backends.cortexxsiam import CortexXSIAMBackend\n\n print(\"--- Starting Sigma to XSIAM Conversion ---\")\n\n try:\n # Load the custom processing pipeline\n print(\"Loading YAML pipeline...\")\n with open(\"pipelines/cortex_xdm.yml\", \"r\") as f:\n pipeline = ProcessingPipeline.from_yaml(f.read())\n print(\"Pipeline loaded.\")\n\n # Initialize the backend with the pipeline\n siem_backend = CortexXSIAMBackend(processing_pipeline=pipeline)\n print(\"Backend initialized.\")\n\n # Load the Sigma rule\n print(\"Loading Sigma rule...\")\n with open(\"rule.yml\", \"r\") as f:\n sigma_rule = SigmaRule.from_yaml(f.read())\n\n # Convert the rule\n print(\"Converting rule...\")\n xql_query = siem_backend.convert_rule(sigma_rule)[0]\n\n print(\"\\n✅--- CONVERSION SUCCESSFUL ---✅\")\n print(\"Generated XSIAM Query:\")\n print(xql_query)\n\n except Exception as e:\n print(f\"\\n❌--- CONVERSION FAILED ---❌\")\n print(f\"An error occurred: {e}\")\n ```\n\n3. **Run the script:**\n ```bash\n # Basic usage - convert rule.yml (displays query in console)\n python convert_rule.py\n \n # Convert single rule and save to output file\n python convert_rule.py -r rule.yml -o output.xql\n \n # Batch convert all rules in a directory\n python convert_rule.py -d /path/to/sigma/rules\n \n # Batch convert and save all queries to output directory\n python convert_rule.py -d /path/to/sigma/rules -o output_queries/\n \n # View all available options\n python convert_rule.py --help\n ```\n\n### Command-Line Options\n\n- `-r RULE, --rule RULE` - Input Sigma rule file (single file mode)\n- `-d DIRECTORY, --directory DIRECTORY` - Directory containing Sigma rules for batch conversion\n- `-o OUTPUT, --output OUTPUT` - Output file path (single rule) or directory (batch mode)\n- `-h, --help` - Show help message and exit\n\n### Batch Processing\n\nWhen using `-d` to process a directory:\n- Recursively finds all `.yml` and `.yaml` files\n- Converts each rule to XQL format\n- Shows conversion summary with success/failure statistics\n- Optionally saves all queries to an output directory with `-o`\n- Preserves directory structure in output folder\n\n### Example Output\n\n**Single Rule Conversion:**\n```\n--- Starting Sigma to XSIAM Conversion ---\nLoading YAML pipeline...\nPipeline loaded.\nBackend initialized.\nLoading Sigma rule...\nConverting rule...\n\n✅--- CONVERSION SUCCESSFUL ---✅\nGenerated XSIAM Query:\ndatamodel dataset = * | filter (xdm.source.process.command_line contains \"Function Get-ADRExcelComOb\" and xdm.source.process.command_line contains \"Get-ADRGPO\" and xdm.source.process.command_line contains \"Get-ADRDomainController\")\n\n✅ Query saved to: output.xql\n```\n\n**Batch Directory Conversion:**\n```\n--- Starting Sigma to XSIAM Conversion ---\nLoading YAML pipeline...\nPipeline loaded successfully.\nInitializing backend...\nBackend initialized successfully.\n\nFound 250 rule file(s) in /sigma/rules\n\nConverting: windows/process_creation/suspicious_command.yml... ✅ SUCCESS\nConverting: windows/network/suspicious_connection.yml... ✅ SUCCESS\nConverting: linux/auditd/privilege_escalation.yml... ✅ SUCCESS\n...\n\n============================================================\nCONVERSION SUMMARY\n============================================================\nTotal rules processed: 250\n✅ Successful: 243 (97.20%)\n❌ Failed: 7 (2.80%)\n\n📁 Output directory: output_queries/\n```\n\n## Important Note\n\n**Dataset Configuration:** The default converter returns `dataset = *` in the generated XQL queries. For optimal query response performance, please modify this to your actual dataset name (e.g., `dataset = xdr_data`, `dataset = endpoint_data`, etc.) based on your specific XSIAM environment and data sources.\n\n## Testing \u0026 Conversion Rates\n\nThe Sigma2XSIAM converter has been extensively tested with real-world Sigma rules from the official SigmaHQ repository to ensure robust conversion capabilities.\n\n### Conversion Summary\n- Success Rate: 97.36% (3,064/3,147 rules converted successfully)\n- Test Dataset: 3,147 real Sigma detection rules from SigmaHQ/sigma\n- **Rule Coverage:** \n - ✅ Windows endpoint rules (process creation, PowerShell, registry, file operations)\n - ✅ Cloud platform rules (AWS CloudTrail, Azure, GCP, Okta)\n - ✅ Web application security rules (SQL injection, XSS detection)\n - ✅ Network monitoring rules (Zeek, DNS, firewall, proxy)\n\nThe converter successfully handles complex Sigma rules including multiple selection criteria, logical operators (OR/AND/NOT), field-to-field comparisons, and advanced string patterns, making it production-ready for security teams migrating their detection rules to Cortex XSIAM.\n\n## Project Structure\n\n* `sigma/backends/cortexxsiam.py`: The core Python code for the backend translator.\n* `pipelines/cortex_xdm.yml`: The YAML processing pipeline that handles all field mappings. **This is the main file to edit to add or change field translations.**\n* `pyproject.toml`: The project definition file.\n* `requirements.txt`: A list of all Python dependencies.\n\n## Bug Reports \u0026 Issues\n\nIf you encounter any issues, conversion errors, or have suggestions for improvements, please report them by:\n\n1. **Creating an Issue**: Open a new issue in this repository with detailed information about the problem\n2. **Include Details**: Please provide:\n - The Sigma rule that failed to convert (if applicable)\n - Error messages or unexpected output\n - Your environment details (Python version, pySigma version)\n - Expected vs. actual behavior\n\nYour feedback helps improve the converter for the entire security community!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdeepzec%2Fsigma2xsiam","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdeepzec%2Fsigma2xsiam","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdeepzec%2Fsigma2xsiam/lists"}