SOLVED

Sigma rules into content gallery

Brass Contributor

Hello Community!

 

I have been trying to work out a nice way to convert sigma rules available here:

sigma/rules at master · SigmaHQ/sigma (github.com)

which are compatible with the microsoft365defender backend, into analytic rules in Sentinel.

 

After thinking it through for a while, it seems a much more sensible approach to convert these into rule templates. However, it seems that the only way to get rule templates in is via the content gallery. Is that correct?

 

Before I embark on contributing a large pack of analytic rule templates it makes me wonder why this hasn't been done already by someone more capable and enthusiastic than I am, but I can't find much in the way of this.

 

It seems like all the pieces are there, so surely I can't be the first one to have this thought. Can anyone point me to something I am missing?

 

Cheers,

Jeremy.

3 Replies
best response confirmed by jeremyhAUS (Brass Contributor)
Solution

@jeremyhAUS 

 

You may need the Content Hub APIs to do this at scale? See Content Template - Install - REST API (Azure Sentinel) | Microsoft Learn.

You can also use tools like https://uncoder.io/ to convert
- Sigma --> Rule, or
- Sigma --> YAML
and store them in your own GitHub? Just copy & paste and then [translate].

Thanks Clive. This might just be what I was looking for.

@Clive_Watson 

I finally got this working as a sort of prototype.
Gotchas are:

  1. If the rule you put in is malformed in some ways then it can result in ALL templates being missing from the Sentinel Web GUI. They are there, just invisible. In my case I had forgotten the -Depth parameter to my ConvertTo-Json for the API payload.
  2. When you use the API to delete the offending Template which has broken everything, it gives you a 404, even when it successfully deletes the Template. Luckily after that everything reappeared.
  3. The doco is woeful and I couldn't find anyone having used this API in all my googling. For example, properties.lastPublishDate is listed as a string, but it won't accept 2022/02/12, but will accept 2022-02-12. So clearly there is some input validation going on.
  4. Speaking of input validation, it is very hit and miss. If you mess up anything in the embedded ARM template, the API just accepts it with a 200, but the resulting template can screw everything up (see 1 above), or just be missing (note to self: Scheduled != Scheuled).

Obviously you are limited to the detections that there is a working sigma backend for, but there are over 2000 rules available at SigmaHQ which should work.
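The four gotchas in the reply above are all things that can be checked locally before the payload ever reaches the Content Template Install API. The script below is an added example, not code from the thread or from Microsoft: it builds one content template around a constructed analytic rule, serialises it with an explicit -Depth, rejects the two silent failure modes described (a non-ISO lastPublishDate and a misspelled rule kind), and only then calls the API through Invoke-AzRestMethod. The resource path, api-version and property names (contentKind, packageKind, mainTemplate and so on) are my reading of the Microsoft Learn reference the accepted answer links to and should be treated as assumptions to verify against the current docs; the subscription, resource group and workspace values are placeholders, and the rule id, query and package id are constructed.

```powershell
# Added example, not from the thread. Assumes Az.Accounts is installed and
# Connect-AzAccount has already been run. Path/api-version/property names are
# assumptions taken from the Content Template REST reference; verify them.
param(
    [string]$SubscriptionId = '<subscription-id>',   # placeholder
    [string]$ResourceGroup  = '<resource-group>',    # placeholder
    [string]$Workspace      = '<workspace-name>',    # placeholder
    [string]$ApiVersion     = '2023-06-01-preview'   # assumption: check the docs
)

# Constructed sample rule, standing in for the output of a Sigma conversion.
$ruleId = 'a1b2c3d4-0000-4000-8000-000000000001'    # constructed, not a real rule id
$query  = @'
SecurityEvent
| where EventID == 4688
| where CommandLine has_any ("-enc", "-EncodedCommand")
'@

# The ARM template that the content template embeds (gotcha 4 lives in here).
$armTemplate = @{
    '$schema'      = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
    contentVersion = '1.0.0.0'
    resources      = @(
        @{
            type       = 'Microsoft.SecurityInsights/AlertRuleTemplates'
            apiVersion = '2022-04-01-preview'        # assumption
            name       = $ruleId
            kind       = 'Scheduled'                 # must be exactly this (not "Scheuled")
            properties = @{
                displayName      = 'Encoded PowerShell command line (constructed example)'
                description      = 'Constructed rule body for illustration only.'
                severity         = 'Medium'
                query            = $query
                queryFrequency   = 'PT1H'
                queryPeriod      = 'PT1H'
                triggerOperator  = 'GreaterThan'
                triggerThreshold = 0
                status           = 'Available'
                tactics          = @('Execution')
            }
        }
    )
}

$payload = @{
    properties = @{
        contentId       = $ruleId
        contentKind     = 'AnalyticsRule'
        displayName     = $armTemplate.resources[0].properties.displayName
        version         = '1.0.0'
        packageId       = 'sigma-community-pack'     # constructed pack id
        packageKind     = 'Solution'
        packageVersion  = '1.0.0'
        source          = @{ kind = 'Community'; name = 'SigmaHQ conversion (constructed)' }
        author          = @{ name = 'you' }
        lastPublishDate = (Get-Date).ToString('yyyy-MM-dd')   # gotcha 3: yyyy-MM-dd, never yyyy/MM/dd
        mainTemplate    = $armTemplate
    }
}

function Test-TemplatePayload {
    # Returns a list of problems; an empty list means the payload passed the local checks.
    param([hashtable]$Payload)
    $problems = @()

    # Gotcha 3: the API rejects 2022/02/12 but accepts 2022-02-12.
    $date = $Payload.properties.lastPublishDate
    if ($date -notmatch '^\d{4}-\d{2}-\d{2}$') {
        $problems += "lastPublishDate must be yyyy-MM-dd, got '$date'"
    }

    # Gotcha 4: a misspelled kind is accepted with HTTP 200 and the template then never shows up.
    foreach ($res in $Payload.properties.mainTemplate.resources) {
        if ($res.type -like '*AlertRuleTemplates' -and $res.kind -cnotin @('Scheduled', 'NRT')) {
            $problems += "rule '$($res.name)' has unexpected kind '$($res.kind)'"
        }
    }
    return $problems
}

function ConvertTo-TemplateJson {
    # Gotcha 1: ConvertTo-Json defaults to -Depth 2, which flattens everything below
    # properties.mainTemplate into the string "System.Collections.Hashtable". The API
    # still answers 200 and the broken template hides every other template in the GUI.
    param([hashtable]$Payload)
    $json = $Payload | ConvertTo-Json -Depth 30

    # Round-trip the JSON and confirm the deepest field (the KQL query) survived.
    $check = $json | ConvertFrom-Json
    $q = $check.properties.mainTemplate.resources[0].properties.query
    if ([string]::IsNullOrEmpty($q)) { throw 'mainTemplate was truncated during serialisation; raise -Depth' }
    return $json
}

$problems = Test-TemplatePayload -Payload $payload
if ($problems) { $problems | ForEach-Object { Write-Error $_ }; return }

$json = ConvertTo-TemplateJson -Payload $payload
$path = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
        "/providers/Microsoft.OperationalInsights/workspaces/$Workspace" +
        "/providers/Microsoft.SecurityInsights/contentTemplates/$ruleId?api-version=$ApiVersion"

$response = Invoke-AzRestMethod -Method PUT -Path $path -Payload $json
"HTTP $($response.StatusCode) for template $ruleId"
# A 200 here only means the payload was accepted (gotcha 4). Read the template back
# with a GET on the same path and confirm it is listed before installing a whole pack.
```

Two design points worth noting. The round-trip check in ConvertTo-TemplateJson catches the truncation bug in the one place it is visible, the serialised text, rather than trusting that -Depth was remembered; and because the API returns 200 for templates that later vanish, the script pushes one template and stops, so that a bad one is found before it can hide an entire batch (gotcha 2 means cleaning up afterwards is confusing, as the DELETE reports 404 even when it succeeded).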
