Forum Discussion
Sigma rules into content gallery
- Feb 23, 2024
You may need the content Hub APIs to do this at scale? Content Template - Install - REST API (Azure Sentinel) | Microsoft Learn
You can also use tools like https://uncoder.io/ to convert
- Sigma --> Rule, or
- Sigma --> YAML
and store in your own GitHub? Just copy&paste and then [translate]
- jeremyhAUS, Feb 29, 2024, Brass Contributor
I finally got this working as a sort of prototype.
Gotchas are:
- If the rule you put in is malformed in some ways then it can result in ALL templates being missing from the Sentinel Web GUI. They are there, just invisible. In my case I had forgotten the -depth parameter to my ConvertTo-Json for the API payload.
- When you use the API to delete the offending Template which has broken everything, it gives you a 404, even when it successfully deletes the Template. Luckily after that everything reappeared.
- The doco is woeful and I couldn't find anyone having used this API in all my googling. For example, properties.lastPublishDate is listed as a string, but it won't accept 2022/02/12, but will accept 2022-02-12. So clearly there is some input validation going on.
- Speaking of input validation, it is very hit and miss. If you mess up anything in the embedded ARM template, the API just accepts it with a 200, but the resulting template can screw everything up (see 1 above), or just be missing (note to self: Scheduled != Scheuled).
Obviously you are limited to the detections that there is a working Sigma backend for, but there are over 2000 rules available which should work at https://github.com/SigmaHQ/sigma/tree/master/rules/windows
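A pre-flight check for the gotchas listed in this post, added here as an example and not code from the thread or from Microsoft: it inspects the content-template JSON before the PUT and flags the date format, a mainTemplate that ConvertTo-Json flattened to a string because -Depth was too low, and a misspelled alert rule kind. The property names (properties.lastPublishDate, properties.mainTemplate, resources of type Microsoft.SecurityInsights/AlertRuleTemplates) follow the Content Template API as recalled, and the list of allowed kinds is an assumption.

```python
import json
import re

# lastPublishDate: the API rejects 2022/02/12 but accepts 2022-02-12
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
# Alert rule kinds a Sigma backend would emit; assumption, extend as needed
ALLOWED_KINDS = {"Scheduled", "NRT"}
# ConvertTo-Json past its -Depth emits nested objects as their .ToString(),
# e.g. "System.Collections.Hashtable", instead of a JSON object
DEPTH_TRUNCATED = re.compile(r"^System\.Collections\.")


def validate_template(payload: dict) -> list[str]:
    """Return a list of problems; an empty list means the payload looks safe to PUT."""
    problems = []
    props = payload.get("properties", {})

    date = props.get("lastPublishDate")
    if not isinstance(date, str) or not ISO_DATE.match(date):
        problems.append(f"lastPublishDate must be YYYY-MM-DD, got {date!r}")

    main = props.get("mainTemplate")
    if isinstance(main, str) and DEPTH_TRUNCATED.match(main):
        problems.append("mainTemplate flattened to a string (ConvertTo-Json -Depth too low)")
        return problems
    if not isinstance(main, dict):
        problems.append("mainTemplate must be an embedded ARM template object")
        return problems

    for res in main.get("resources", []):
        if not isinstance(res, dict):
            problems.append("resources entry flattened to a string (ConvertTo-Json -Depth too low)")
            continue
        if res.get("type", "").lower().endswith("/alertruletemplates"):
            kind = res.get("kind")
            if kind not in ALLOWED_KINDS:
                problems.append(f"alert rule kind {kind!r} is not one of {sorted(ALLOWED_KINDS)}")
    return problems


def validate_json(text: str) -> list[str]:
    """Run the same checks on the raw JSON string a script would send to the API."""
    try:
        return validate_template(json.loads(text))
    except json.JSONDecodeError as exc:
        return [f"payload is not valid JSON: {exc}"]
```

Run it over the output of your ConvertTo-Json step before calling the API; a non-empty result is the case where the API would still have answered 200.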
- jeremyhAUS, Feb 23, 2024, Brass Contributor
Thanks Clive. This might just be what I was looking for.