pipelinelabo / DatalaiQ


R&D on Sigma Github for automatic tools Sigma rule conversion #15

Open lota-1234 opened 3 weeks ago

lota-1234 commented 3 weeks ago

https://github.com/SigmaHQ/sigma https://github.com/SigmaHQ/pySigma https://github.com/SigmaHQ/sigma-cli

Initially, R&D to find how to create automation to convert rules into DatalaiQ queries.

mushfiqul-islam commented 1 week ago

These tools are combined together to create the sigma cli version: https://github.com/SigmaHQ/pySigma https://github.com/SigmaHQ/cookiecutter-pySigma-backend https://github.com/SigmaHQ/sigma-cli

Splunk Sigma rule converter: https://github.com/SigmaHQ/pySigma-backend-splunk

mushfiqul-islam commented 1 week ago

When we pull the GitHub sigma-cli and prepare the environment, it automatically downloads pySigma. To convert to a specific tool's query, like Splunk: we first have to install pySigma-backend-splunk. Then, with the help of this, sigma-cli generates queries for Splunk. Also, to convert a query from other rules to, let's say, Splunk, we also need the pySigma converter of that tool. For example: if we want to convert a Sysmon YML file to Splunk, we also need the Splunk to Sigma converter.

mushfiqul-islam commented 1 week ago

According to my discussion with the DatalaiQ team and my observation, we have to build a pySigma-backend-datalaiq which will do the query conversion with the help of pySigma. pySigma-backend-datalaiq will perform all the query-related matching and conversion. If we want to publish the backend to Sigma, we first need to register it on PyPI. Then, ask the SigmaHQ project maintainers to host the backend within the SigmaHQ organization and take care of the PyPI release.

mushfiqul-islam commented 1 week ago

Here is an example of a Splunk query and its corresponding DatalaiQ query:

splunk: IntegrityLevel="System" User IN ("AUTHORI", "AUTORI") Image IN ("\calc.exe", "\wscript.exe", "\cscript.exe", "\hh.exe", "\mshta.exe", "\forfiles.exe", "\ping.exe") OR CommandLine IN (" -NoP ", " -W Hidden ", " -decode ", " /decode ", " /urlcache ", " -urlcache ", " -e JAB", " -e SUVYI", " -e SQBFAFgA", " -e aWV4I", " -e IAB", " -e PAA", " -e aQBlAHgA", "vssadmin delete shadows", "reg SAVE HKLM", " -ma ", "Microsoft\Windows\CurrentVersion\Run", ".downloadstring(", ".downloadfile(", " /ticket:", "dpapi::", "event::clear", "event::drop", "id::modify", "kerberos::", "lsadump::", "misc::", "privilege::", "rpc::", "sekurlsa::", "sid::", "token::", "vault::cred", "vault::list", " p::d ", ";iex(", "MiniDump", "net user ")

datalaiq: tag=system_integrity json IntegrityLevel=="System" User in ["AUTHORI", "AUTORI"] Image in ["\calc.exe", "\wscript.exe", "\cscript.exe", "\hh.exe", "\mshta.exe", "\forfiles.exe", "\ping.exe"] or CommandLine in [" -NoP ", " -W Hidden ", " -decode ", " /decode ", " /urlcache ", " -urlcache ", " -e JAB", " -e SUVYI", " -e SQBFAFgA", " -e aWV4I", " -e IAB", " -e PAA", " -e aQBlAHgA", "vssadmin delete shadows", "reg SAVE HKLM", " -ma ", "Microsoft\Windows\CurrentVersion\Run", ".downloadstring(", ".downloadfile(", " /ticket:", "dpapi::", "event::clear", "event::drop", "id::modify", "kerberos::", "lsadump::", "misc::", "privilege::", "rpc::", "sekurlsa::", "sid::", "token::", "vault::cred", "vault::list", " p::d ", ";iex(", "MiniDump", "net user "] | table IntegrityLevel User Image CommandLine
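As an added illustration of the backend idea from the earlier comment and of the Splunk-to-DatalaiQ mapping shown above (this is example code written for this thread, not pySigma's API and not any DatalaiQ project code), the following standalone Python converter takes a Sigma detection (a constructed dict standing in for the parsed YAML, trimmed to a few of the values from the example) and emits a DatalaiQ-style query of the form `tag=<tag> json <condition> | table <fields>`. Everything about the target syntax is inferred from the single example on the page: `==` for one value, `in [...]` for a list, lowercase `or`. The explicit `and` between field tests, the parentheses, the backslash escaping via `json.dumps`, and the `TAG_MAP` lookup from logsource to tag are assumptions for the sake of the example. A real pySigma backend would get the parsed rule, modifiers and condition tree from the library instead of this hand-rolled tokenizer.

```python
import json
import re

# Constructed sample rule: a Python dict standing in for a parsed Sigma YAML
# file, using a subset of the field values from the example in this thread.
SAMPLE_RULE = {
    "title": "Suspicious Process Launched as SYSTEM (constructed sample)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "IntegrityLevel": "System",
            "User": ["AUTHORI", "AUTORI"],
        },
        "image": {
            "Image": ["\\calc.exe", "\\wscript.exe", "\\mshta.exe"],
        },
        "cmdline": {
            "CommandLine": [" -NoP ", " -W Hidden ", "vssadmin delete shadows"],
        },
        "condition": "selection and (image or cmdline)",
    },
}

# Assumed (hypothetical) mapping from a Sigma logsource to a DatalaiQ tag.
# The tag name is taken from the example query; the key is an assumption.
TAG_MAP = {("windows", "process_creation"): "system_integrity"}

# Tokens of a Sigma condition we support: parentheses and bare words.
TOKEN = re.compile(r"\(|\)|[A-Za-z0-9_*]+")
KEYWORDS = {"and", "or", "not", "(", ")"}


def quote(value):
    # json.dumps yields a double-quoted, backslash-escaped literal, which is
    # the quoting style the DatalaiQ example uses (escaping is assumed).
    return json.dumps(str(value))


def field_expr(field, value):
    # One value -> Field=="v"; a list -> Field in ["a", "b"] (from the example).
    if isinstance(value, list):
        return f"{field} in [{', '.join(quote(v) for v in value)}]"
    return f"{field}=={quote(value)}"


def selection_expr(selection):
    # In Sigma, all field/value pairs inside one selection map are AND-ed.
    parts = [field_expr(f, v) for f, v in selection.items()]
    return parts[0] if len(parts) == 1 else "(" + " and ".join(parts) + ")"


def join_tokens(tokens):
    # Join with single spaces, but keep parentheses tight: "(a or b)".
    text = ""
    for tok in tokens:
        if tok == ")" or text == "" or text.endswith("("):
            text += tok
        else:
            text += " " + tok
    return text


def condition_expr(detection):
    # Replace each selection name in the condition with its expression,
    # keeping and/or/not and parentheses. Wildcards ("sel*"), "1 of" and
    # "all of" are not supported here and are reported as errors.
    names = {k: v for k, v in detection.items() if k != "condition"}
    out = []
    for tok in TOKEN.findall(detection["condition"]):
        if tok in KEYWORDS:
            out.append(tok)
        elif tok in names:
            out.append(selection_expr(names[tok]))
        else:
            raise ValueError(f"unknown selection or unsupported syntax: {tok!r}")
    return join_tokens(out)


def referenced_fields(detection):
    # Fields in order of first appearance, for the trailing "| table ..." clause.
    fields = []
    for name, sel in detection.items():
        if name == "condition":
            continue
        for f in sel:
            if f not in fields:
                fields.append(f)
    return fields


def to_datalaiq(rule):
    # Build "tag=<tag> json <condition> | table <fields>" for one Sigma rule.
    ls = rule["logsource"]
    tag = TAG_MAP.get((ls.get("product"), ls.get("category")))
    if tag is None:
        raise ValueError(f"no DatalaiQ tag mapped for logsource {ls}")
    where = condition_expr(rule["detection"])
    table = " ".join(referenced_fields(rule["detection"]))
    return f"tag={tag} json {where} | table {table}"


if __name__ == "__main__":
    print(to_datalaiq(SAMPLE_RULE))
```

Running it prints a query with the same shape as the DatalaiQ line above. The two failure modes a practitioner hits first, an unmapped logsource and an unsupported condition construct, raise instead of silently producing a query that matches nothing.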

mushfiqul-islam commented 1 week ago

Here is the documentation: pySigma Documentation