Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Importing Sigma Rules to Azure Sentinel
Published Jun 05 2019 05:02 PM 28.4K Views
Microsoft

The notebook accompanying this article is a quick and dirty Sigma rule to Log Analytics converter. It uses functionality from the sigmac tool to do the conversion.

 

What are Sigma Rules?

Sigma rules are an implementation-independent way of specifying detection signatures for attacker activity. Each rule specifies a data source and a set of conditions that need to be met to satisfy a detection condition. A simple example might be a rule that specifies Windows security events as the source and process name equal to “malware.exe”.

 

Sigma provides converters to render these rules into queries that can be deployed in a security operations environment. For example, the previous logic can be converted into the equivalent rule for Splunk, ArcSight, LogAnalytics/Azure Sentinel, and many others.

 

Sigmac is the python command line tool that performs the conversion, allowing you to specify the target format (backend in Sigma terminology) and configuration and mapping files to help with the conversion. This notebook doesn’t do significantly more than the tool but it does allow interactive browsing and execution of the rules in an Azure Sentinel environment.

This Notebook

The notebook can be found here.

 

The notebook uses sigmac functionality to do conversions into KQL (Log Analytics/Azure Sentinel native query language) but has the following additional features:

  • Downloads the full set of contributed sigma rules from the sigma GitHub repo
  • Allows browsing and display of rules organized by the repo folder structure
  • The browser shows both the original sigma syntax and the converted KQL syntax
  • You can optionally add filter clauses for date range and hostname that are added to the output query.
  • You can execute each rule, specifying a time range if needed, and see the results in the notebook.
  • The conversion copies rule metadata into comments in the target KQL.

 

Downloading Sigma Rules

Enter a path where you want to download the sigma rules and code to. This defaults to a folder named “sigma” in the current directory. The folder will be created if it does not exist. If the folder does exist the download and extraction will overwrite any files with same name – so if you have edited files here, save them somewhere else before executing the cell.

If the download is successful you should see a folder structure like the one show above.

 

Repodownload.png

 

Convert the Rules

The next few cells import the required classes from the sigmac source code, define a few helper functions and then tries to covert each rule in turn and store the results in a python dictionary. Any rules that cannot be converted result in the string “Not convertible” in the output field. For limitations in conversion see the Limitations section at the end of this article.

You can see that the convertible rules are currently predominantly Windows rulesConversion.png

 

Browsing Rules

You can select a category (these are derived from the folder structure) and view the converted KQL if conversion was possible. RuleBrowser.png

 

There are checkboxes to add option filters for specific date ranges and hostname. This is shown in the following screen shot.RuleBrowserDateFilter.png

 

Converted rules can be individually selected and copied from the lower pane and saved in text files.

Executing a Rule

Before you can run a converted rule, you need to authenticate to Azure Sentinel and run a few more cells to define functions used for executing the query.

If you have previously run any of the Azure Sentinel notebooks, you may already have a config.json file containing your Workspace and Tenant IDs. If not, paste your workspace ID into the text box supplied.

 

WorkspaceId.png

 

Executing the next cell and follow the prompts to authenticate. Now you are ready to execute the converted queries.

 

Go back to the browser and the cell below, which contains an Execute query button. Select a query in the browser (obviously, non-convertible rules won’t run in Azure Sentinel) and click the Execute Query button. Unless your environment is very badly infected, you will probably see no results for the majority of these queries. If you have opted to include a date filter you can use the date range selector widget immediately below the Execute query cell to choose the date range. If you do not include a filter the query will run over the default time range for Log Analytics, which is 24 hours.

RunQuery.png

 

Although you may see no results in your environment, executing the queries does at least ensure that the conversion has been successful. You might want to simulate some of the activity in the rules to ensure that you are getting results as expected.

 

Some things to look out for include the use of incorrectly escaped backslash (“\”) in file paths. Braces (“{“ and “}”) embedded in strings may also conflict with the replaceable parameter syntax.

Limitations

Only a subset of the Sigma rules are convertible currently. Failure to convert could be for one or more of these reasons:

  • known limitations of the converter
  • mismatch between the syntax expressible in Sigma and KQL
  • data sources referenced in Sigma rules do not yet exist in Azure Sentinel

Saving All Converted Files

The final section in the notebook allows you to bulk save all successfully converted KQL files.

 

 

Enter a path (or leave the default) and each converted file will be saved into a sub-directory corresponding to the category of the original rule (multi-part paths from the original rules are collapsed into dot-separated folder names).

Warning: when you execute this cell any existing file with a matching name will be overwritten.

 

References

Sigma GitHub

4 Comments
Co-Authors
Version history
Last update:
‎Sep 07 2022 11:08 AM
Updated by: