{"id":19883649,"url":"https://github.com/muchdogesec/sigma2stix","last_synced_at":"2025-05-02T14:33:49.349Z","repository":{"id":242484079,"uuid":"809647616","full_name":"muchdogesec/sigma2stix","owner":"muchdogesec","description":"A command line tool that converts Sigma Rules into STIX 2.1 Objects.","archived":false,"fork":false,"pushed_at":"2025-01-13T06:21:21.000Z","size":209,"stargazers_count":9,"open_issues_count":1,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-07T02:51:13.168Z","etag":null,"topics":["sigma-rules","stix2"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/muchdogesec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-06-03T07:19:50.000Z","updated_at":"2025-01-13T06:21:22.000Z","dependencies_parsed_at":"2024-06-03T10:16:59.265Z","dependency_job_id":"470b33d6-b518-46d7-a74f-e58eb71bf60f","html_url":"https://github.com/muchdogesec/sigma2stix","commit_stats":null,"previous_names":["muchdogesec/sigma2stix"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/muchdogesec%2Fsigma2stix","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/muchdogesec%2Fsigma2stix/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/muchdogesec%2Fsigma2stix/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/muchdogesec%2Fsigma2stix/manifests","owner_url":"https://repos.
ecosyste.ms/api/v1/hosts/GitHub/owners/muchdogesec","download_url":"https://codeload.github.com/muchdogesec/sigma2stix/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252053936,"owners_count":21687196,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["sigma-rules","stix2"],"created_at":"2024-11-12T17:21:48.633Z","updated_at":"2025-05-02T14:33:49.343Z","avatar_url":"https://github.com/muchdogesec.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# sigma2stix\n\n## Overview\n\n![](docs/sigma2stix.png)\n\nA command line tool that converts Sigma Rules into STIX 2.1 Objects\n\n## tl;dr\n\n[![sigma2stix](https://img.youtube.com/vi/xDA1zVR8LQA/0.jpg)](https://www.youtube.com/watch?v=xDA1zVR8LQA)\n\n[Watch the demo](https://www.youtube.com/watch?v=xDA1zVR8LQA).\n\n## Overview\n\n\u003e Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. 
The rule format is very flexible, easy to write and applicable to any type of log file.\n\n[SigmaHQ/sigma](https://github.com/SigmaHQ/sigma)\n\nSigma Rules are written in a YAML format, and distributed as YAML files.\n\nThe public rules (approved by the Sigma team) are stored in the main Sigma repository, nested in the `rules*` directories, e.g.\n\n`rules-emerging-threats/2023/Exploits/CVE-2023-20198/cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml`\n\nhttps://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2023/Exploits/CVE-2023-20198/cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml\n\nHere at DOGESEC, most of the data we deal with is in STIX 2.1 format. This is because downstream threat intelligence tools understand STIX.\n\nTherefore sigma2stix works by converting Sigma Rules to STIX 2.1 objects.\n\nsigma2stix provides two modes:\n\n1. downloads the latest rules from the [SigmaHQ/sigma repository](https://github.com/SigmaHQ/sigma) and converts each rule into a range of STIX objects\n2. 
accepts a Sigma rule in a YAML file and converts to a STIX indicator object\n\n## Installing the script\n\nTo install sigma2stix;\n\n```shell\n# clone the latest code\ngit clone https://github.com/muchdogesec/sigma2stix\n# create a venv\ncd sigma2stix\npython3 -m venv sigma2stix-venv\nsource sigma2stix-venv/bin/activate\n# install requirements\npip3 install -r requirements.txt\n```\n\n### Configuration options\n\nsigma2stix has various settings that are defined in an `.env` file.\n\nTo create a template for the file:\n\n```shell\ncp .env.example .env\n```\n\nTo see more information about how to set the variables, and what they do, read the `.env.markdown` file.\n\n\n## Running the script\n\n### Mode 1: SigmaHQ/sigma repository -\u003e STIX\n\n```shell\npython3 sigma2stix.py \\\n\t--mode sigmahq \\\n\t--sigma_version_tag XXXX\n```\n\nWhere;\n\n* `mode` (required): should always be `sigmahq` if you want to download the latest rules from the [SigmaHQ/sigma repository](https://github.com/SigmaHQ/sigma)\n* `sigma_version_tag` (optional): is the name of the tag in the SigmaHQ/sigma repository ([tags listed here](https://github.com/SigmaHQ/sigma/releases)), e.g. `r2024-12-19`. 
If no value is passed, the master branch will be cloned.\n\nNote this script only supports Sigma Rule version tags in the format `rYYYY-MM-DD`.\n\nOn each run all objects will be regenerated in the `stix2_objects` directory, so copy out any previous output you want to keep before re-running.\n\n#### Example 1.1: Download latest (master)\n\n```shell\npython3 sigma2stix.py \\\n\t--mode sigmahq\n```\n\n#### Example 1.2: Download specific version\n\n```shell\npython3 sigma2stix.py \\\n\t--mode sigmahq \\\n\t--sigma_version_tag r2024-12-19\n```\n\n### Mode 2: SigmaHQ YAML file -\u003e STIX\n\n```shell\npython3 sigma2stix.py \\\n\t--mode sigmayaml \\\n\t--file PATH/TO/FILE.yaml\n```\n\nWhere;\n\n* `mode` (required): should always be `sigmayaml` if you want to convert a local YAML file\n* `file` (required): is the path to the YAML file containing only the Sigma Rule\n\nOn each run all objects will be regenerated in the `stix2_objects` directory, so copy out any previous output you want to keep before re-running.\n\n#### Example 2.1: Convert a local rule\n\n```shell\npython3 sigma2stix.py \\\n\t--mode sigmayaml \\\n\t--file tests/demo_rule.yml\n```\n\n## Mapping information\n\nHere is how sigma2stix maps data from each Sigma Rule's YAML to STIX objects.\n\nNote, the Sigma specification defines the attributes that can be found in the YAML files, and some of the taxonomies used for the properties to populate them. [View the specification here](https://sigmahq.io/sigma-specification/).\n\nAt a high level the STIX objects created are linked as shown here;\n\nhttps://miro.com/app/board/uXjVKpPwTfA=/\n\n### Marking Definition / Identity\n\nThese are hardcoded and imported from our [stix4doge repository](https://github.com/muchdogesec/stix4doge). 
Specifically these objects;\n\n* Marking Definition: https://raw.githubusercontent.com/muchdogesec/stix4doge/main/objects/marking-definition/sigma2stix.json\n* Identity: https://raw.githubusercontent.com/muchdogesec/stix4doge/main/objects/identity/sigma2stix.json\n\n### Indicators\n\nThe core object created to represent a rule.\n\n```json\n{\n    \"type\": \"indicator\",\n    \"spec_version\": \"2.1\",\n    \"id\": \"indicator--\u003cUUID V5\u003e\",\n    \"created_by_ref\": \"\u003cIMPORTED IDENTITY\u003e\",\n    \"created\": \"\u003cSIGMA RULE DATE FIELD, IF NONE SCRIPT RUN TIME\u003e\",\n    \"modified\": \"\u003cSIGMA RULE MODIFIED FIELD, IF NONE SCRIPT CREATED\u003e\",\n    \"indicator_types\": [\n        \"malicious-activity\",\n        \"anomalous-activity\"\n    ],\n    \"name\": \"\u003cSIGMA RULE TITLE\u003e\",\n    \"description\": \"\u003cSIGMA RULE DESCRIPTION\u003e. The following false positives can result from this detection; \u003cSIGMA RULE FALSE POSITIVES [N]\u003e\",\n    \"pattern\": \"\u003cENTIRE SIGMA RULE YAML\u003e\",\n    \"pattern_type\": \"sigma\",\n    \"valid_from\": \"\u003cCREATED TIME\u003e\",\n    \"external_references\": [\n        {\n            \"source_name\": \"sigma-rule\",\n            \"url\": \"\u003cGITHUB LINK TO RULE\u003e / \u003cPATH TO FILE\u003e\"\n        },\n        {\n            \"source_name\": \"sigma-rule\",\n            \"external_id\": \"id\",\n            \"description\": \"\u003cSIGMA RULE ID\u003e\"\n        },\n        {\n            \"source_name\": \"sigma-rule\",\n            \"external_id\": \"reference\",\n            \"description\": \"\u003cSIGMA RULE REFERENCE [N]\u003e\"\n        },\n        {\n            \"source_name\": \"sigma-rule\",\n            \"external_id\": \"level\",\n            \"description\": \"\u003cSIGMA RULE LEVEL\u003e\"\n        },\n        {\n            \"source_name\": \"sigma-rule\",\n            \"external_id\": \"status\",\n            \"description\": \"\u003cSIGMA 
RULE STATUS\u003e\"\n        },\n        {\n            \"source_name\": \"sigma-rule\",\n            \"external_id\": \"author\",\n            \"description\": \"\u003cSIGMA RULE AUTHOR [N]\u003e\"\n        },\n        {\n            \"source_name\": \"mitre-attack\",\n            \"external_id\": \"tactic\",\n            \"description\": \"\u003cSIGMA RULE TAG ATT\u0026CK TACTIC [N]\u003e\"\n        },\n        {\n            \"source_name\": \"mitre-attack\",\n            \"external_id\": \"technique\",\n            \"description\": \"\u003cSIGMA RULE TAG ATT\u0026CK TECHNIQUE [N]\u003e\"\n        },\n        {\n            \"source_name\": \"sigma-rule\",\n            \"external_id\": \"detection\",\n            \"description\": \"\u003cSIGMA RULE DETECTION TAG [N]\u003e\"\n        },\n        {\n            \"source_name\": \"cve\",\n            \"external_id\": \"\u003cSIGMA RULE CVE TAG [N]\u003e\",\n            \"description\": \"https://nvd.nist.gov/vuln/detail/\u003cSIGMA RULE CVE TAG [N]\u003e\"\n        }\n    ],\n    \"object_marking_refs\": [\n        \"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487\",\n        \"\u003cIMPORTED MARKING DEFINITION\u003e\"\n    ]\n}\n```\n\nEntries marked `[N]` are repeated once for each value present in the rule.\n\nThe UUID part of the Indicator `id` is a UUIDv5 generated using the namespace `860f4c0f-8c26-5889-b39d-ce94368bc416` and the value `\u003cSIGMA RULE ID\u003e+\u003cPATTERN_TYPE\u003e` (taken from the STIX object).\n\ne.g. namespace = `860f4c0f-8c26-5889-b39d-ce94368bc416` and value = `d9365e39-febd-4a4b-8441-3ca91bb9d333+sigma` = `04f2c0c4-8cc8-5471-a71c-f8b7c0da0c06` = `indicator--04f2c0c4-8cc8-5471-a71c-f8b7c0da0c06`\n\n### Relationships\n\nNote, a Sigma Rule can also contain a `related` property that links it to another rule. 
For example,\n\n```yaml\nrelated:\n    - id: f305fd62-beca-47da-ad95-7690a0620084\n      type: similar\n```\n\nOr an example with two relationships;\n\n```yaml\nrelated:\n    - id: 455b9d50-15a1-4b99-853f-8d37655a4c1b\n      type: similar\n    - id: 75df3b17-8bcc-4565-b89b-c9898acef911\n      type: obsoletes\n```\n\nWhere a `related` entry with an `id` and `type` is found in a rule (as noted above, there could be many), a STIX relationship object is also created to link the two rules as follows;\n\n```json\n{\n    \"type\": \"relationship\",\n    \"spec_version\": \"2.1\",\n    \"id\": \"relationship--\u003cUUIDV5 GENERATION LOGIC\u003e\",\n    \"created_by_ref\": \"\u003cIMPORTED IDENTITY\u003e\",\n    \"created\": \"\u003cCREATED FIELD OF SOURCE INDICATOR OBJECT\u003e\",\n    \"modified\": \"\u003cMODIFIED FIELD OF SOURCE INDICATOR OBJECT\u003e\",\n    \"relationship_type\": \"\u003cRELATED.TYPE VALUE\u003e\",\n    \"source_ref\": \"indicator--\u003cID OF OBJECT WITH RELATED FIELD\u003e\",\n    \"target_ref\": \"indicator--\u003cRELATED FIELD ID\u003e\",\n    \"object_marking_refs\": [\n        \"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487\",\n        \"\u003cIMPORTED MARKING DEFINITION\u003e\"\n    ]\n}\n```\n\nTo generate the id of the SRO, a UUIDv5 is generated using the namespace `860f4c0f-8c26-5889-b39d-ce94368bc416` and `source_ref+target_ref` (e.g. `indicator--0ec4f75f-74c1-4f66-a6d0-f488b20072f1+indicator--4c188857-cbcd-4c76-98e4-90fc2f5a6ddf`) = `13bb8925-d991-551b-bd00-05c45a85df2c` = `relationship--13bb8925-d991-551b-bd00-05c45a85df2c`\n\nNote, in `--mode sigmayaml`, no relationship objects are created.\n\n### Grouping\n\nThe path to each rule (its directory in the repository) also holds significance, so each directory is represented as a STIX 2.1 Grouping object.\n\n```json\n{\n    \"type\": \"grouping\",\n    \"spec_version\": \"2.1\",\n    \"id\": \"grouping--\u003cUUID V5\u003e\",\n    \"created_by_ref\": \"\u003cIDENTITY IMPORTED\u003e\",\n    
\"created\": \"\u003cEARLIEST CREATED TIME OF OBJECT IN BUNDLE\u003e\",\n    \"modified\": \"\u003cLATEST CREATED TIME OF OBJECT IN BUNDLE\u003e\",\n    \"name\": \"\u003cDIRECTORY PATH\u003e\",\n    \"context\": \"suspicious-activity\",\n    \"object_refs\": [\n        \"indicator--\u003cID OF RULE IN DIRECTORY\u003e\",\n        \"indicator--\u003cID OF RULE IN DIRECTORY\u003e\"\n    ],\n    \"object_marking_refs\": [\n        \"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487\",\n        \"\u003cIMPORTED MARKING DEFINITION\u003e\"\n    ]\n}\n```\n\nTo generate the id of the Grouping (an SDO, not an SRO), a UUIDv5 is generated using the namespace `860f4c0f-8c26-5889-b39d-ce94368bc416` and the `name` property. e.g. `rules-threat-hunting/windows/file/file_event` = `c973b2fe-8bc9-5c4a-9172-7ec6542600d7` = `grouping--c973b2fe-8bc9-5c4a-9172-7ec6542600d7`\n\nFor example, this directory path holds 3 rules: https://github.com/SigmaHQ/sigma/tree/master/rules-threat-hunting/windows/file/file_event, and thus 3 `object_refs` would exist in the grouping object representing it.\n\nNote, in `--mode sigmayaml`, no grouping objects are created.\n\n### MITRE ATT\u0026CK\n\nSome Sigma Rules carry ATT\u0026CK tags, which appear as `labels` on the Indicator. e.g.\n\n```json\n    \"labels\": [\n        \"attack.T1055\",\n        \"attack.T1055.011\",\n        \"attack.S0039\"\n    ]\n```\n\nThe labels identifying ATT\u0026CK objects always start with `attack.` followed by the ATT\u0026CK ID.\n\nThese are then converted into the ATT\u0026CK ID (e.g. 
`attack.T1055` -\u003e `T1055`) and looked up using the CTI Butler endpoint;\n\n```shell\nGET /api/v1/attack-enterprise/objects/{attack_id}/\n```\n\nThe objects returned are imported into the final bundle, and then linked to the Indicator object representing the rule as follows;\n\n```json\n{\n    \"type\": \"relationship\",\n    \"spec_version\": \"2.1\",\n    \"id\": \"relationship--\u003cUUID V5 LOGIC\u003e\",\n    \"created_by_ref\": \"\u003cIMPORTED IDENTITY OBJECT\u003e\",\n    \"created\": \"\u003cindicator.created\u003e\",\n    \"modified\": \"\u003cindicator.modified\u003e\",\n    \"relationship_type\": \"detects\",\n    \"source_ref\": \"indicator--\u003cSIGMA INDICATOR STIX OBJECT\u003e\",\n    \"target_ref\": \"\u003cATT\u0026CK STIX OBJECT\u003e\",\n    \"description\": \"\u003cSIGMA RULE NAME\u003e \u003crelationship_type without - char\u003e \u003cATT\u0026CK name\u003e\",\n    \"object_marking_refs\": [\n        \"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487\",\n        \"\u003cMARKING DEFINITION IMPORTED\u003e\"\n    ]\n}\n```\n\nTo generate the id of the SRO, a UUIDv5 is generated using the namespace `860f4c0f-8c26-5889-b39d-ce94368bc416` and the `relationship_type+source_ref+target_ref` values.\n\n### CVEs\n\nSome Sigma Rules carry CVE tags, which appear as `labels` on the Indicator. e.g.\n\n```json\n    \"labels\": [\n        \"cve.2021.44228\"\n    ]\n```\n\nThe labels identifying CVEs always start with `cve.` followed by the CVE ID with each `-` replaced by a `.`, e.g. 
`cve.2021.44228` refers to `CVE-2021-44228`, which is looked up using the CTI Butler CVE endpoint;\n\n```shell\nGET /api/v1/cve/objects/{cve_id}/\n```\n\nThe objects returned are imported into the final bundle, and then linked to the Indicator object representing the rule as follows;\n\n```json\n{\n    \"type\": \"relationship\",\n    \"spec_version\": \"2.1\",\n    \"id\": \"relationship--\u003cUUID V5 LOGIC\u003e\",\n    \"created_by_ref\": \"\u003cIMPORTED IDENTITY OBJECT\u003e\",\n    \"created\": \"\u003cindicator.created\u003e\",\n    \"modified\": \"\u003cindicator.modified\u003e\",\n    \"relationship_type\": \"detects\",\n    \"source_ref\": \"indicator--\u003cSIGMA INDICATOR STIX OBJECT\u003e\",\n    \"target_ref\": \"vulnerability--\u003cCVE VULNERABILITY STIX OBJECT\u003e\",\n    \"description\": \"\u003cSIGMA RULE NAME\u003e \u003crelationship_type without - char\u003e \u003cCVE name\u003e\",\n    \"object_marking_refs\": [\n        \"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487\",\n        \"\u003cMARKING DEFINITION IMPORTED\u003e\"\n    ]\n}\n```\n\nTo generate the id of the SRO, a UUIDv5 is generated using the namespace `860f4c0f-8c26-5889-b39d-ce94368bc416` and the `relationship_type+source_ref+target_ref` values.\n\n### Bundle\n\nsigma2stix also creates a STIX 2.1 Bundle JSON object containing all the other STIX 2.1 Objects created at each run. 
The Bundle takes the format;\n\n```json\n{\n    \"type\": \"bundle\",\n    \"id\": \"bundle--\u003cUUIDV5 GENERATION LOGIC\u003e\",\n    \"objects\": [\n        \"\u003cALL STIX JSON OBJECTS\u003e\"\n    ]\n}\n```\n\nTo generate the id of the Bundle, a UUIDv5 is generated using the namespace `860f4c0f-8c26-5889-b39d-ce94368bc416` and `\u003cMD5 HASH OF THE SORTED OBJECTS PAYLOAD IN BUNDLE JSON\u003e`. Because the seed is a hash of the contents, the Bundle id changes whenever any object in it changes, while the ids of the unchanged objects stay the same.\n\n## Backfill old versions\n\nYou can use the following script to get a bundle of rules for every Sigma version published:\n\n```shell\nsh utilities/backfill_all.sh\n```\n\nIf you only want the latest version bundle, just run the last line of `utilities/backfill_all.sh` in your terminal.\n\n## Useful supporting tools\n\n* To generate STIX 2.1 Objects: [stix2 Python Lib](https://stix2.readthedocs.io/en/latest/)\n* The STIX 2.1 specification: [STIX 2.1 docs](https://docs.oasis-open.org/cti/stix/v2.1/stix-v2.1.html)\n* [SigmaHQ on GitHub](https://github.com/SigmaHQ)\n\n## Support\n\n[Minimal support provided via the DOGESEC community](https://community.dogesec.com/).\n\n## License\n\n[Apache 2.0](/LICENSE).","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmuchdogesec%2Fsigma2stix","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmuchdogesec%2Fsigma2stix","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmuchdogesec%2Fsigma2stix/lists"}
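The identifier scheme and tag handling described in the README's Mapping information section above (Indicators, Relationships, Grouping, MITRE ATT&CK, CVEs and Bundle), worked through as an added example. This is not code from the sigma2stix project or the original page: it reproduces, with only the Python standard library, the rules the README states, namely the UUIDv5 namespace `860f4c0f-8c26-5889-b39d-ce94368bc416`, the `id+pattern_type`, `source_ref+target_ref` and `relationship_type+source_ref+target_ref` seeds, the grouping `name` seed, the MD5-of-sorted-objects bundle seed, and the `attack.`/`cve.` label conventions. The function names, the constructed sample rule, the treatment of non-ID `attack.` tags as tactic names, the derivation of the related rule's target id with the same Indicator scheme, and the exact JSON canonicalisation used for the bundle hash are assumptions of this example, not the tool's documented behaviour.

```python
"""Added example, not code from the sigma2stix project: reproduces the id and
tag-mapping scheme documented in the README using only the standard library.
Namespace and seed strings are the README's; function names, the sample rule,
tactic-tag handling and the bundle canonicalisation are this example's own."""
import hashlib
import json
import re
import uuid

# UUIDv5 namespace the README states sigma2stix uses for every generated id.
NAMESPACE = uuid.UUID("860f4c0f-8c26-5889-b39d-ce94368bc416")

# ATT&CK object ids as they appear after the `attack.` prefix: T1055, T1055.011, S0039, ...
ATTACK_ID_RE = re.compile(r"^[TSGM]\d{4}(?:\.\d{3})?$")


def uuid5_id(prefix: str, seed: str) -> str:
    """Return '<prefix>--<uuidv5 of seed under NAMESPACE>'."""
    return f"{prefix}--{uuid.uuid5(NAMESPACE, seed)}"


def id_version(stix_id: str) -> int:
    """UUID version nibble of a STIX id (5 for everything generated here)."""
    return uuid.UUID(stix_id.split("--", 1)[1]).version


def indicator_id(rule_id: str, pattern_type: str = "sigma") -> str:
    # README: seed is the Sigma rule id joined to pattern_type with '+'.
    return uuid5_id("indicator", f"{rule_id}+{pattern_type}")


def related_relationship_id(source_ref: str, target_ref: str) -> str:
    # README: rule-to-rule SROs are seeded with source_ref+target_ref.
    return uuid5_id("relationship", f"{source_ref}+{target_ref}")


def detects_relationship_id(source_ref: str, target_ref: str) -> str:
    # README: ATT&CK and CVE 'detects' SROs put relationship_type in front.
    return uuid5_id("relationship", f"detects+{source_ref}+{target_ref}")


def grouping_id(directory_path: str) -> str:
    # README: the Grouping is seeded with its name, i.e. the rule's directory path.
    return uuid5_id("grouping", directory_path)


def bundle_id(objects: list) -> str:
    # README: seed is an MD5 of the sorted objects payload. Sorting by 'id' and
    # serialising with sorted keys is this example's assumption, not the tool's.
    payload = json.dumps(sorted(objects, key=lambda o: o["id"]), sort_keys=True)
    return uuid5_id("bundle", hashlib.md5(payload.encode()).hexdigest())


def split_tags(tags):
    """Split Sigma tags into ATT&CK ids, ATT&CK tactic names, CVE ids and the rest.

    `attack.T1055` -> 'T1055' and `cve.2021.44228` -> 'CVE-2021-44228' follow the
    README; treating any other `attack.` tag (e.g. attack.defense-evasion) as a
    tactic name is this example's assumption.
    """
    attack_ids, tactics, cves, other = [], [], [], []
    for tag in tags:
        if tag.startswith("attack."):
            value = tag[len("attack."):]
            (attack_ids if ATTACK_ID_RE.match(value) else tactics).append(value)
        elif tag.startswith("cve."):
            year, _, number = tag[len("cve."):].partition(".")
            cves.append(f"CVE-{year}-{number}")
        else:
            other.append(tag)
    return attack_ids, tactics, cves, other


def cve_external_references(cves):
    # Mirrors the 'cve' entry in the README's Indicator external_references template.
    return [{"source_name": "cve", "external_id": cve,
             "description": f"https://nvd.nist.gov/vuln/detail/{cve}"} for cve in cves]


def map_rule(rule: dict, directory_path: str) -> dict:
    """Derive the ids and tag mappings sigma2stix would produce for one rule."""
    ind_id = indicator_id(rule["id"])
    attack_ids, tactics, cves, other = split_tags(rule.get("tags", []))
    return {
        "indicator_id": ind_id,
        "grouping_id": grouping_id(directory_path),
        # README writes the target as indicator--<RELATED FIELD ID>; deriving it with
        # indicator_id() so it resolves to the generated object is an assumption here.
        "related_relationship_ids": [
            related_relationship_id(ind_id, indicator_id(rel["id"]))
            for rel in rule.get("related", [])],
        "attack_ids": attack_ids,
        "attack_tactics": tactics,
        "cve_external_references": cve_external_references(cves),
        "other_tags": other,
    }


# Constructed sample rule, as a dict rather than YAML so this runs without PyYAML.
SAMPLE_RULE = {
    "title": "Example rule",
    "id": "d9365e39-febd-4a4b-8441-3ca91bb9d333",
    "related": [{"id": "f305fd62-beca-47da-ad95-7690a0620084", "type": "similar"}],
    "tags": ["attack.T1055", "attack.T1055.011", "attack.S0039",
             "attack.defense-evasion", "cve.2021.44228", "detection.threat-hunting"],
}

if __name__ == "__main__":
    print(json.dumps(map_rule(SAMPLE_RULE, "rules-threat-hunting/windows/file/file_event"), indent=2))
```

Because every id is a UUIDv5 of a fixed seed, the Indicator id for a rule is stable across runs and Sigma versions as long as the rule keeps its Sigma `id`, and a relationship or grouping built twice from the same inputs collides on purpose rather than producing duplicates; the one id that moves is the Bundle's, since its seed is a hash of the bundle contents.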