Forum Discussion
jeremyhAUS
Feb 23, 2024 | Brass Contributor
Sigma rules into content gallery
Hello Community!
I have been trying to work out a nice way to convert the sigma rules available here:
sigma/rules at master · SigmaHQ/sigma (github.com)
which are compatible with the microsoft365defender backend, into analytic rules in Sentinel.
After thinking it through for a while, it seems a much more sensible approach to convert these into rule templates. However it seems that the only way to get rule templates in is via the content gallery. Is that correct?
Before I embark on contributing a large pack of analytic rule templates it makes me wonder why this hasn't been done already by someone more capable and enthusiastic than I am, but I can't find much in the way of this.
It seems like all the pieces are there, so surely I can't be the first one to have this thought. Can anyone point me to something I am missing?
Cheers,
Jeremy.
- Clive_Watson | Bronze Contributor
You may need the content Hub APIs to do this at scale? Content Template - Install - REST API (Azure Sentinel) | Microsoft Learn
You can also use tools like https://uncoder.io/ to convert
- Sigma --> Rule, or
- Sigma --> YAML
and store in your own GitHub? Just copy&paste and then [translate]
- jeremyhAUS | Brass Contributor
I finally got this working as a sort of prototype.
Gotchas are:
1. If the rule you put in is malformed in some ways then it can result in ALL templates being missing from the Sentinel Web GUI. They are there, just invisible. In my case I had forgotten the -depth parameter to my ConvertTo-Json for the API payload.
2. When you use the API to delete the offending Template which has broken everything, it gives you a 404, even when it successfully deletes the Template. Luckily after that everything reappeared.
3. The doco is woeful and I couldn't find anyone having used this API in all my googling. For example, properties.lastPublishDate is listed as a string, but it won't accept 2022/02/12, but will accept 2022-02-12. So clearly there is some input validation going on.
4. Speaking of input validation, it is very hit and miss. If you mess up anything in the embedded ARM template, the API just accepts it with a 200, but the resulting template can screw everything up (see 1 above), or just be missing (note to self: Scheduled != Scheuled).
Obviously you are limited to the detections that there is a working sigma backend for, but there are over 2000+ rules available which should work at SigmaHQ
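The gotchas above are all things the API will happily accept and break on, so a pre-flight check before the PUT saves a round of invisible templates. The PowerShell below is an added example, not code from this thread or from Microsoft: it builds a constructed sample content template, serializes it with an explicit -Depth and round-trips the JSON to prove the nested KQL survived, checks lastPublishDate is yyyy-MM-dd, and checks the embedded alert rule's kind before anything is sent. The payload field names (contentId, contentKind, mainTemplate, etc.), the accepted rule kinds and the apiVersion placeholder are assumptions to verify against the REST reference Clive linked.

```powershell
# Added example, not from the thread. Field names below follow my reading of the
# contentTemplates schema (ASSUMPTION); confirm them against the REST reference.

function Test-ContentTemplatePayload {
    [CmdletBinding()]
    param([Parameter(Mandatory)][hashtable]$Template)

    $problems = [System.Collections.Generic.List[string]]::new()
    $props = $Template.properties

    # Gotcha 3: the API rejected 2022/02/12 but accepted 2022-02-12.
    if ($props.lastPublishDate -notmatch '^\d{4}-\d{2}-\d{2}$') {
        $problems.Add("lastPublishDate '$($props.lastPublishDate)' is not yyyy-MM-dd")
    }

    # Gotcha 4: a broken embedded ARM template still gets a 200, so check the rule here.
    # Rule kinds accepted here are an assumption; extend to match what your workspace uses.
    $knownKinds = @('Scheduled', 'NRT')
    $rules = @($props.mainTemplate.resources | Where-Object {
        $_.type -eq 'Microsoft.OperationalInsights/workspaces/providers/alertRules'
    })
    if ($rules.Count -eq 0) { $problems.Add('mainTemplate contains no alertRules resource') }
    foreach ($rule in $rules) {
        if ($rule.kind -notin $knownKinds) {
            $problems.Add("alert rule kind '$($rule.kind)' is not one of: $($knownKinds -join ', ')")
        }
        foreach ($required in 'displayName', 'query', 'severity') {
            if (-not $rule.properties.ContainsKey($required)) {
                $problems.Add("alert rule is missing properties.$required")
            }
        }
    }
    return $problems
}

function ConvertTo-ContentTemplateJson {
    param([Parameter(Mandatory)][hashtable]$Template)

    # Gotcha 1: ConvertTo-Json defaults to -Depth 2 and flattens deeper levels into
    # strings, producing exactly the malformed payload that hid every template.
    $json = $Template | ConvertTo-Json -Depth 30

    # Round-trip and confirm the nested KQL query is still a real string.
    $back  = $json | ConvertFrom-Json
    $query = $back.properties.mainTemplate.resources[0].properties.query
    if (-not ($query -is [string]) -or [string]::IsNullOrWhiteSpace($query)) {
        throw 'Serialized payload lost the nested rule query; increase -Depth'
    }
    return $json
}

# Constructed sample payload: placeholder ids and a made-up query, not a real template.
$template = @{
    properties = @{
        contentId       = '00000000-0000-0000-0000-000000000000'   # placeholder GUID
        contentKind     = 'AnalyticsRule'
        displayName     = 'Sigma: example converted rule'
        version         = '1.0.0'
        lastPublishDate = '2022-02-12'
        mainTemplate    = @{
            '$schema'      = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
            contentVersion = '1.0.0.0'
            resources      = @(
                @{
                    type       = 'Microsoft.OperationalInsights/workspaces/providers/alertRules'
                    apiVersion = '<alertRules-api-version>'   # placeholder; take it from the REST reference
                    kind       = 'Scheduled'
                    properties = @{
                        displayName      = 'Sigma: example converted rule'
                        severity         = 'Medium'
                        query            = 'DeviceProcessEvents | where FileName =~ "example.exe"'
                        queryFrequency   = 'PT1H'
                        queryPeriod      = 'PT1H'
                        triggerOperator  = 'GreaterThan'
                        triggerThreshold = 0
                        enabled          = $true
                    }
                }
            )
        }
    }
}

$findings = Test-ContentTemplatePayload -Template $template
if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else {
    $body = ConvertTo-ContentTemplateJson -Template $template
    # $body is now the JSON to send with Invoke-RestMethod -Method Put to the contentTemplates endpoint.
    Write-Host "Payload passed pre-flight ($($body.Length) bytes)"
}

# Reproduce the Scheuled typo from the thread: the checker flags what the API would swallow.
$template.properties.mainTemplate.resources[0].kind = 'Scheuled'
Test-ContentTemplatePayload -Template $template | ForEach-Object { Write-Warning $_ }
```

Run the checks against every generated template before the PUT; the round-trip in ConvertTo-ContentTemplateJson is deliberately independent of the chosen depth, so it still catches truncation if a future Sigma conversion nests deeper than expected.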
- jeremyhAUS | Brass Contributor
Thanks Clive. This might just be what I was looking for.