Sigma rules have already been pre-converted to Hayabusa format with this tool and placed in Hayabusa's `./rules/sigma` directory.
Please refer to this documentation if you want to convert rules on your own, for example for local testing or to use the latest rules.
To run this script, Poetry is required. Please refer to the official documentation for Poetry installation at the following link: https://python-poetry.org/docs/#installation
Sigma rules repository: https://github.com/SigmaHQ/sigma
`sigma-to-hayabusa-converter.py` is a tool to convert the `logsource` field of Sigma rules to Hayabusa format. Since Hayabusa at the moment does not support `logsource` for filtering on the `Channel` and `EventID` fields and rewriting field names when necessary, we use the following yaml mapping files to convert the contents of `logsource` into the `detection` and `condition` fields.
The Sigma rule below is converted into the following two Hayabusa-format rules after running `sigma-to-hayabusa-converter.py`.
Sigma rule:

```yaml
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '.exe'
    condition: selection
```
Hayabusa rule (for Sysmon rules):

```yaml
logsource:
    category: process_creation
    product: windows
detection:
    process_creation:
        Channel: Microsoft-Windows-Sysmon/Operational
        EventID: 1
    selection:
        - Image|endswith: '.exe'
    condition: process_creation and selection
```
Hayabusa rule (for Windows built-in rules):

```yaml
logsource:
    category: process_creation
    product: windows
detection:
    process_creation:
        Channel: Security
        EventID: 4688
    selection:
        - NewProcessName|endswith: '.exe'
    condition: process_creation and selection
```
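As an added illustration of the rewrite described above (this is example code written for this page, not the converter's own implementation), the following Python snippet performs the same three steps on a Sigma rule held as a dictionary: it looks up the `logsource` in a mapping table, inserts a selection carrying `Channel` and `EventID`, rewrites field names for the built-in event source, and prepends that selection to the `condition`. The `LOGSOURCE_MAP` table, the `SIGMA_RULE` sample and the `field_map` entries are constructed assumptions; the real tool loads its mapping from yaml files rather than from a Python constant.

```python
import copy
import re

# Constructed mapping for this example: which Channel/EventID a Sigma
# logsource corresponds to, and which Sigma field names must be rewritten
# for that event source. The real converter reads this from yaml mapping
# files; the entries below are assumptions made for illustration.
LOGSOURCE_MAP = {
    ("windows", "process_creation"): [
        {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
         "field_map": {}},
        {"Channel": "Security", "EventID": 4688,
         "field_map": {"Image": "NewProcessName",
                       "ParentImage": "ParentProcessName"}},
    ],
}

# Constructed sample Sigma rule, shaped like the example on this page.
SIGMA_RULE = {
    "title": "Example process creation rule",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": [{"Image|endswith": ".exe"}],
        "condition": "selection",
    },
}


def rename_field(key, field_map):
    """Rename the field part of a Sigma key, keeping any |modifiers intact."""
    field, sep, modifiers = key.partition("|")
    return field_map.get(field, field) + sep + modifiers


def rename_fields(node, field_map):
    """Walk a detection value (map, list of maps, or keyword list) and
    rename every field key it contains; scalar values are left untouched."""
    if isinstance(node, dict):
        return {rename_field(k, field_map): rename_fields(v, field_map)
                for k, v in node.items()}
    if isinstance(node, list):
        return [rename_fields(item, field_map) for item in node]
    return node


def convert(rule, logsource_map):
    """Return one Hayabusa-format rule per event source mapped for the
    rule's logsource (e.g. one Sysmon rule and one built-in-log rule)."""
    ls = rule["logsource"]
    key = (ls.get("product"), ls.get("category") or ls.get("service"))
    if key not in logsource_map:
        raise ValueError(f"no mapping for logsource {ls}")
    name = key[1]
    results = []
    for target in logsource_map[key]:
        out = copy.deepcopy(rule)
        detection = out["detection"]
        condition = detection.pop("condition")
        # Rewrite field names in every selection for this event source.
        for sel in list(detection):
            detection[sel] = rename_fields(detection[sel], target["field_map"])
        # Do not clobber a user selection that happens to share the category name.
        sel_name = name
        while sel_name in detection:
            sel_name += "_"
        filter_sel = {"Channel": target["Channel"], "EventID": target["EventID"]}
        # Put the Channel/EventID selection first, as the converted rules do.
        out["detection"] = {sel_name: filter_sel, **detection}
        # Parenthesise the original condition when it has more than one term
        # so the Channel/EventID filter applies to the whole expression.
        if re.search(r"\s", condition.strip()):
            condition = f"({condition})"
        out["detection"]["condition"] = f"{sel_name} and {condition}"
        results.append(out)
    return results


if __name__ == "__main__":
    for converted in convert(SIGMA_RULE, LOGSOURCE_MAP):
        print(converted["detection"])
```

Running the block prints the two `detection` sections shown on this page (the Sysmon variant keeps `Image`, the Security 4688 variant gets `NewProcessName`). A condition such as `selection and not filter` is wrapped in parentheses before the category selection is prepended; without that, `not filter` would no longer be bound to the original expression.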
Clone the Sigma rules and the converter, then run the converter:

```bash
git clone https://github.com/SigmaHQ/sigma.git
git clone https://github.com/Yamato-Security/sigma-to-hayabusa-converter.git
cd sigma-to-hayabusa-converter
poetry install --no-root
poetry run python sigma-to-hayabusa-converter.py -r ../sigma -o ./converted_sigma_rules
```
After executing the commands above, the rules converted to Hayabusa format will be output to the `./converted_sigma_rules` directory.