https://github.com/marirs/sigma-convert

Convert Sigma Rules to different formats

rust-crate rust-lang sigma sigma-convert sigma-rules

README

# SIGMA CONVERT

This project draws inspiration from SigmaHQ, the home of the open-source Sigma rules.
`Sigma Convert` converts Sigma rules to the destination types listed below, from either
a single Sigma rule file or a folder of rule files. An API server is also available,
so conversions can be run as a microservice.

### Test it
Converter: [https://www.sigmac.to](https://www.sigmac.to)
API Docs: [https://www.sigmac.to/docs](https://www.sigmac.to/docs)

### Supported Conversions
The currently supported backends are:
- ElastAlert
- HumioAlert
- Kibana
- Qradar
- Splunk
- ArcSight
- Chronicle
- Devo
- LogRhythm
- KafkaSQL
- AWS OpenSearch
- DNIF
- GrayLog
- SQL
- SQLite
- Securonix
- Sentinel
- Snowflake
- Sumo Logic

### Help
```bash
$ ./sigmac --help
This is the Sigma command line interface to convert Sigma rules into query languages.

Usage: sigmac [OPTIONS] --dest-type

Options:
  -s, --source-type
          The source target to convert from [default: sigma]
  -t, --dest-type
          The target type to convert to, could be arcsight, quradar, elastalert
  -f, --file-source
          The source file to convert
  -d, --dir-source
          The source dir to recursively convert
  -m, --mappings-file
          The mappings.txt file for the current backend
      --keep-fields
          Keep the following list of fields in the sigma rule (comma separated). Eg "title, author, tags". `Note: This only applies to the ElastAlert dest_type`
      --replace-fields
          Replace the following list of K:V fields in the elastalert rule (comma separated). Eg "index: tid1452-*". `Note: This only applies to the ElastAlert dest_type`
      --add-alerting
          Add an alerting mode to the list in the elastalert rule. `Note: This only applies to the ElastAlert dest_type`
      --add-fields
          Add extra fields in the elastalert rule if required. `Note: This only applies to the ElastAlert dest_type`
  -h, --help
          Print help
  -V, --version
          Print version
```

### Example Usage
- Convert a simple Sigma Rule to ElastAlert
```bash
$ ./sigmac --source-type sigma --dest-type elastalert --file-source ../sigmarules/T1089-\ Defense\ evasion\ \ -\ Disabling\ Security\ Tools.yml
Converting the sigma rule in ../sigmarules/T1089- Defense evasion - Disabling Security Tools.yml...
SUCCESS: Converted the sigma rule in ../sigmarules/T1089- Defense evasion - Disabling Security Tools.yml to elastalert.

Output File: "~/Documents/output/elastalert_T1089- Defense evasion - Disabling Security Tools.yml"
```

- Convert a simple Sigma Rule to ElastAlert and keep certain fields in the ElastAlert output
```bash
$ ./sigmac --dest-type elastalert --file-source ../sigmarules/T1089-\ Defense\ evasion\ \ -\ Disabling\ Security\ Tools.yml --keep-fields name,tags,impact
```

- Convert a simple Sigma Rule to ElastAlert and change/replace field values
```bash
$ ./sigmac --source-type sigma --dest-type elastalert --file-source ../sigmarules/T1089-\ Defense\ evasion\ \ -\ Disabling\ Security\ Tools.yml --replace-fields "index: newindex*"
```

- Convert a simple Sigma Rule to ElastAlert and add new fields
```bash
$ ./sigmac --dest-type elastalert --file-source ../sigmarules/T1089-\ Defense\ evasion\ \ -\ Disabling\ Security\ Tools.yml --add-fields "xyz=new_field1, abc=new_field2"
```

- Convert a simple Sigma Rule to ElastAlert and add an alerting mode besides the default debug alerter
```bash
$ ./sigmac --dest-type elastalert --file-source ../sigmarules/T1089-\ Defense\ evasion\ \ -\ Disabling\ Security\ Tools.yml --add-alerting "Some.New.Alerting"
```

- Convert a simple Sigma Rule to a destination type using a field mapping file.
Use case: Sigma rule YAML files use the default field names assumed by the Sigma taxonomy.
A field mapping file lets you replace those default keys with the field names used in your environment.
```bash
$ ./sigmac --source-type <source_type> --dest-type <dest_type> --file-source <rule.yml> --mappings-file <mappings.txt>
```
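As an added example (not the sigma-convert project's own code), the following Python sketch shows what the field-mapping step does: it applies a constructed mappings file to a constructed Sigma detection, renders the ElastAlert `query_string` filter, and passes through `--keep-fields` style extra fields. The mappings syntax, the rule dict and the output layout are assumptions, not the tool's actual formats.

```python
from typing import Dict, Tuple

# Constructed sample Sigma rule, as a dict standing in for the YAML the tool reads.
SAMPLE_RULE = {
    "title": "Disabling Security Tools",
    "tags": ["attack.defense_evasion", "attack.t1089"],
    "detection": {
        "selection": {
            "Image|endswith": "\\netsh.exe",
            "CommandLine|contains": ["firewall set opmode mode=disable", "advfirewall set"],
        },
        "condition": "selection",
    },
}

# Constructed mappings file (assumed syntax): one "sigma_field=environment_field" per line.
SAMPLE_MAPPINGS = "# Sigma field -> field name in our index\nImage=process.executable\nCommandLine=process.command_line\n"

LUCENE_SPECIAL = '\\ ()":/'   # characters that must be backslash-escaped in a query_string


def parse_mappings(text: str) -> Dict[str, str]:
    mapping: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue                      # skip comments, blanks and malformed lines
        src, dst = line.split("=", 1)
        mapping[src.strip()] = dst.strip()
    return mapping


def lucene_escape(value: str) -> str:
    return "".join("\\" + c if c in LUCENE_SPECIAL else c for c in value)


def render_clause(key: str, values, mapping: Dict[str, str]) -> str:
    field, _, modifier = key.partition("|")           # e.g. "CommandLine|contains"
    field = mapping.get(field, field)                  # unmapped fields pass through unchanged
    pre, post = {"contains": ("*", "*"), "startswith": ("", "*"),
                 "endswith": ("*", "")}.get(modifier, ("", ""))
    vals = values if isinstance(values, list) else [values]
    terms = [f"{field}:{pre}{lucene_escape(str(v))}{post}" for v in vals]
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"


def sigma_to_elastalert(rule: dict, mappings_text: str, keep_fields: Tuple[str, ...] = ()) -> dict:
    mapping = parse_mappings(mappings_text)
    det = rule["detection"]
    if det.get("condition") != "selection":            # only the simplest condition is handled
        raise ValueError("unsupported condition: " + str(det.get("condition")))
    query = " AND ".join(render_clause(k, v, mapping) for k, v in det["selection"].items())
    out = {"name": rule["title"], "type": "any", "alert": ["debug"],
           "filter": [{"query": {"query_string": {"query": query}}}]}
    out.update({f: rule[f] for f in keep_fields if f in rule})   # --keep-fields passthrough
    return out
```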

- Convert a batch of Sigma files from a folder to ElastAlert
```bash
$ ./sigmac --source-type sigma --dest-type elastalert --dir-source ../sigmarules
```

### Authors
Sriram

### License
- MIT