Feb 22 2024 04:30 PM
Hello Community!
I have been trying to work out a nice way to convert Sigma rules available here:
sigma/rules at master · SigmaHQ/sigma (github.com)
which are compatible with the microsoft365defender backend into analytic rules in Sentinel.
After thinking it through for a while, it seems a much more sensible approach to convert these into rule templates. However, it seems that the only way to get rule templates in is via the content gallery. Is that correct?
Before I embark on contributing a large pack of analytic rule templates it makes me wonder why this hasn't been done already by someone more capable and enthusiastic than I am, but I can't find much in the way of this.
It seems like all the pieces are there, so surely I can't be the first one to have this thought. Can anyone point me to something I am missing?
Cheers,
Jeremy.
Feb 23 2024 08:25 AM
Solution
You may need the Content Hub APIs to do this at scale? Content Template - Install - REST API (Azure Sentinel) | Microsoft Learn
You can also use tools like https://uncoder.io/ to convert
- Sigma --> Rule, or
- Sigma --> YAML
and store in your own GitHub? Just copy & paste and then [translate]
Feb 23 2024 02:39 PM
Thanks Clive. This might just be what I was looking for.
Feb 28 2024 09:56 PM
I finally got this working as a sort of prototype.
Gotchas are:
Obviously you are limited to the detections that there is a working sigma backend for, but there are over 2000+ rules available which should work at SigmaHQ
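As an added example (not code from this thread, SigmaHQ, uncoder.io or Microsoft), the Python below shows the metadata side of a Sigma-to-Sentinel conversion: it takes a Sigma rule's fields plus the KQL a backend such as microsoft365defender would emit and builds the dict that serialises to a Sentinel scheduled analytic rule template. The level, tactic and logsource-to-table mappings and the connector id are assumptions, and the sample rule and query are constructed.

```python
import re

# Sigma "level" -> Sentinel "severity" (Sentinel has no Critical, so it folds into High).
LEVEL_TO_SEVERITY = {"critical": "High", "high": "High", "medium": "Medium",
                     "low": "Low", "informational": "Informational"}
# Sigma tactic tags are attack.<tactic_name>; Sentinel expects CamelCase enum values.
TACTIC_TAGS = {"initial_access": "InitialAccess", "execution": "Execution",
               "persistence": "Persistence", "privilege_escalation": "PrivilegeEscalation",
               "defense_evasion": "DefenseEvasion", "credential_access": "CredentialAccess",
               "discovery": "Discovery", "lateral_movement": "LateralMovement",
               "collection": "Collection", "command_and_control": "CommandAndControl",
               "exfiltration": "Exfiltration", "impact": "Impact"}
# Assumed mapping: Sigma logsource category -> advanced-hunting table the converted KQL reads.
LOGSOURCE_TO_TABLE = {"process_creation": "DeviceProcessEvents",
                      "network_connection": "DeviceNetworkEvents",
                      "file_event": "DeviceFileEvents"}
TECHNIQUE_RE = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)


def split_attack_tags(tags):
    """Separate Sigma ATT&CK tags into (Sentinel tactics, technique IDs); other tags are ignored."""
    tactics, techniques = [], []
    for tag in tags:
        m = TECHNIQUE_RE.match(tag)
        if m:
            techniques.append(m.group(1).upper())
        elif tag.startswith("attack.") and tag[7:] in TACTIC_TAGS:
            tactics.append(TACTIC_TAGS[tag[7:]])
    return tactics, techniques


def sigma_to_sentinel_template(rule, kql_query):
    """Build the dict that serialises to a Sentinel scheduled analytic rule template (YAML/JSON)."""
    tactics, techniques = split_attack_tags(rule.get("tags", []))
    table = LOGSOURCE_TO_TABLE.get(rule.get("logsource", {}).get("category"), "DeviceEvents")
    return {
        "id": rule["id"],  # Sigma rule ids are already GUIDs, which Sentinel templates require
        "name": rule["title"], "description": rule.get("description", ""),
        "severity": LEVEL_TO_SEVERITY.get(rule.get("level", "medium"), "Medium"),
        "requiredDataConnectors": [{"connectorId": "MicrosoftThreatProtection", "dataTypes": [table]}],
        "queryFrequency": "1h", "queryPeriod": "1h",
        "triggerOperator": "gt", "triggerThreshold": 0,
        "tactics": tactics, "relevantTechniques": techniques,
        "query": kql_query, "version": "1.0.0", "kind": "Scheduled",
    }


# Constructed sample: the metadata a Sigma YAML carries, plus the KQL a backend would emit for it.
SAMPLE_SIGMA = {"title": "PowerShell Encoded Command", "id": "00000000-0000-4000-8000-000000000001",
                "description": "Detects powershell.exe started with an encoded command.", "level": "high",
                "tags": ["attack.execution", "attack.t1059.001"], "logsource": {"product": "windows", "category": "process_creation"}}
SAMPLE_KQL = 'DeviceProcessEvents | where FileName =~ "powershell.exe" and ProcessCommandLine has "-enc"'
```

Serialising the returned dict with a YAML library gives a file in the shape used by the Azure-Sentinel detections repository, which is what a content package or the Content Template API would take in.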