Sigma Backends
Sigma backends are the "drivers" of the Sigma conversion process: they implement the conversion capability that turns each Sigma rule file into a SIEM-compatible query.
The newly developed pySigma framework provides an API that each Sigma backend uses to perform conversion, transformation and formatting of every Sigma rule.
Developing a backend for the Sigma ecosystem
If you are interested in developing a pySigma backend to bring Sigma support to your SIEM's query language, first ensure one isn't already available on GitHub.
Still the best guide on how to create a pySigma-compatible backend is Micah Babinski's blog post, Creating a Sigma Backend for Fun (and no Profit). We're working hard on writing an official guide for this, but until then, a big thank you to Micah for writing this guide.
Working with Backends
To investigate the available pySigma backends, ensure you have the sigma-cli tool installed, then run the following command to view all available backends in a table.
sigma plugin list -t backend
+----------------------+---------+---------+--------------------------------------------------------------+
| Identifier           | Type    | State   | Description                                                  |
+----------------------+---------+---------+--------------------------------------------------------------+
| splunk               | backend | stable  | Splunk backend for conversion into SPL and tstats data model |
| insightidr           | backend | stable  | Rapid7 InsightIDR backend that generates LEQL queries.       |
| qradar               | backend | stable  | IBM QRadar backend for conversion into AQL and extension     |
| ...                  | ...     | ...     | ...                                                          |
+----------------------+---------+---------+--------------------------------------------------------------+
Once you've found the Sigma backend you want to use, you can install it using the sigma plugin install command.
sigma plugin install splunk
If for whatever reason you need to remove a Sigma plugin, you can uninstall it in the same way.
sigma plugin uninstall splunk
Components
The sigma CLI (powered by pySigma) also allows backends to do more with their conversion process, including providing additional output formats, such as the Splunk Saved Search format for the Splunk pySigma backend.
Every backend has four components that perform or aid the conversion process.
Targets
Targets represent the query language you want to convert Sigma rules into. A target will usually map one-to-one to a SIEM product.
# List all locally available Sigma backends
sigma list targets
Make sure to install plugins
If you're not seeing any available targets, make sure you install the relevant Sigma plugin for your target SIEM. For a full list of installable backends, see the Available Plugins section below.
# List available Sigma plugins
sigma plugin list
# Install the desired plugin
sigma plugin install {plugin}
Output Formats
To explore Output Formats in more detail, start by listing the available Output Formats by running the following command:
sigma list formats {backend}
+---------------+----------------------------------------+
| Format        | Description                            |
+---------------+----------------------------------------+
| default       | Plain SIEM Queries                     |
| file_format   | Plain SIEM Queries in file_format.conf |
| macro_exam    | Completely different SIEM Format       |
+---------------+----------------------------------------+
Once you've found the output format that works best for your conversion workflow, you can select it on the command line like so.
sigma convert -t {target} -f {output_format} ./rules
Pipelines
Pipelines are the method by which pySigma allows fine-tuning to be applied to a conversion. The Pipelines documentation page outlines what pipelines are and how to use them in more detail.
Pipelines control things like field mapping (mapping Sigma fields to fields within your SIEM), logsource mapping (mapping Sigma logsources to logsources in your SIEM) and other operations.
To view all available pipelines provided specifically by the backend, run sigma list pipelines.
sigma list pipelines
You can specify multiple pipelines when converting Sigma rules, to perform more than one operation on
Validators
To explore Validators in more detail, start by listing the available Validators by running the following command:
sigma list validators
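The following is an added example, not pySigma's own code and not the code of any plugin listed on this page. It is a self-contained Python mock that puts the four components together in one conversion: a target backend (`toy-lucene`), two output formats (`default` and `alert_json`, the latter standing in for formats such as savedsearches.conf), a pipeline that performs field mapping and logsource mapping, and a validator that runs on the rule before conversion. The rule, the `process.*` field names, the `event.code:1` term and the `toy-windows` pipeline name are all constructed for illustration; pySigma's real classes and method signatures differ from this mock.

```python
"""Illustrative mock of a Sigma backend's four components (target, output
formats, pipeline, validators). NOT pySigma's API; it mirrors the concepts so
the whole conversion flow is visible end to end."""
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed Sigma rule, in the dict form a YAML loader would produce. Only the
# subset modelled here is supported: one selection and "condition: selection".
RULE = {
    "title": "Whoami Execution",
    "id": "00000000-0000-4000-8000-000000000001",  # placeholder, not a real rule id
    "status": "test",
    "level": "medium",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\whoami.exe",
            "CommandLine|contains": "/all",
        },
        "condition": "selection",
    },
}


@dataclass
class Pipeline:
    """Pipeline: field mapping and logsource mapping applied before conversion."""
    name: str
    field_mapping: dict = field(default_factory=dict)         # Sigma field -> SIEM field
    logsource_conditions: list = field(default_factory=list)  # (logsource match, query term)

    def apply(self, rule: dict) -> dict:
        out = dict(rule)  # shallow copy; the caller's rule is left untouched
        selection = {}
        for key, value in rule["detection"]["selection"].items():
            fname, sep, modifier = key.partition("|")  # keep the Sigma modifier, rename the field
            selection[self.field_mapping.get(fname, fname) + sep + modifier] = value
        out["detection"] = {"selection": selection, "condition": rule["detection"]["condition"]}
        # Attach a query term for every logsource mapping that matches this rule's logsource.
        out["_logsource_terms"] = [
            term for match, term in self.logsource_conditions
            if all(rule["logsource"].get(k) == v for k, v in match.items())
        ]
        return out


class ToyLuceneBackend:
    """Target 'toy-lucene': converts a processed rule into a Lucene-style query."""
    target = "toy-lucene"
    formats = {"default": "Plain Lucene query", "alert_json": "Query wrapped in an alert definition"}

    def __init__(self, pipeline: Optional[Pipeline] = None):
        self.pipeline = pipeline or Pipeline("identity")  # no mapping at all if none given

    @staticmethod
    def _escape(value: str) -> str:
        # Escape the Lucene special characters that commonly appear in Sigma values.
        for ch in ("\\", " ", ":", "/", "(", ")"):
            value = value.replace(ch, "\\" + ch)
        return value

    @classmethod
    def _term(cls, key: str, value: str) -> str:
        fname, _, modifier = key.partition("|")
        v = cls._escape(str(value))
        pattern = {"endswith": f"*{v}", "startswith": f"{v}*", "contains": f"*{v}*"}.get(modifier, v)
        return f"{fname}:{pattern}"

    def convert(self, rule: dict, output_format: str = "default") -> str:
        if output_format not in self.formats:
            raise ValueError(f"unknown output format {output_format!r} for target {self.target}")
        if rule["detection"]["condition"] != "selection":
            raise NotImplementedError("this toy backend only handles 'condition: selection'")
        processed = self.pipeline.apply(rule)
        terms = processed["_logsource_terms"] + [
            self._term(k, v) for k, v in processed["detection"]["selection"].items()
        ]
        query = " AND ".join(terms)
        if output_format == "alert_json":
            alert = {"title": rule["title"], "query": query, "severity": rule.get("level", "low")}
            return json.dumps(alert, indent=2)
        return query


SIGMA_STATUSES = {"stable", "test", "experimental", "deprecated", "unsupported"}


def validate(rule: dict) -> list:
    """Validators check the Sigma rule itself, independently of any backend."""
    issues = []
    for attr in ("title", "id", "logsource", "detection"):
        if attr not in rule:
            issues.append(f"missing required attribute '{attr}'")
    if rule.get("status") not in SIGMA_STATUSES:
        issues.append(f"unknown status {rule.get('status')!r}")
    if "detection" in rule and "condition" not in rule["detection"]:
        issues.append("detection has no condition")
    return issues


# Constructed pipeline: the toy counterpart of a backend-provided Windows pipeline.
WINDOWS_PIPELINE = Pipeline(
    "toy-windows",
    field_mapping={"Image": "process.executable", "CommandLine": "process.command_line"},
    logsource_conditions=[({"product": "windows", "category": "process_creation"}, "event.code:1")],
)


def convert_rule(rule: dict, output_format: str = "default") -> str:
    """Validate first, then convert with the pipeline applied (what the CLI does for you)."""
    issues = validate(rule)
    if issues:
        raise ValueError("rule failed validation: " + "; ".join(issues))
    return ToyLuceneBackend(WINDOWS_PIPELINE).convert(rule, output_format)


if __name__ == "__main__":
    print(convert_rule(RULE))
    print(convert_rule(RULE, "alert_json"))
```

Converting the same rule with `ToyLuceneBackend().convert(RULE)` (no pipeline) yields `Image:...` and `CommandLine:...` terms and no `event.code:1` prefix, which is exactly the difference a pipeline makes: the backend decides the query syntax, the pipeline decides which fields and log sources that syntax is applied to.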
Available Plugins
Below is a list of available Sigma Backends and Pipelines. If you come across any issues using a specific Sigma plugin, file an issue on the relevant Sigma plugin's project page.
Azure Log Analytics Socprime
State: Development
Azure Log Analytics backend with Windows log support maintained by SOC Prime.
Project Website | File an Issue
# Run the following to install the Azure Log Analytics Socprime backend into Sigma CLI.
sigma plugin install ala-socprime
CarbonBlack
State: Stable
Carbon Black backend that supports queries for both Enterprise EDR (fka Threat Hunter) and EDR (fka Response)
Project Website | File an Issue
# Run the following to install the CarbonBlack backend into Sigma CLI.
sigma plugin install carbonblack
CortexXDR
State: Stable
Cortex XDR backend that generates XQL queries.
Project Website | File an Issue
# Run the following to install the CortexXDR backend into Sigma CLI.
sigma plugin install cortexxdr
Datadog
State: Testing
Datadog Cloud SIEM backend and pipeline for conversion of log sources to Datadog Query Syntax
Project Website | File an Issue
# Run the following to install the Datadog backend into Sigma CLI.
sigma plugin install datadog
Dictquery
State: Stable
DictQuery backend to convert sigma to dictquery query strings
Project Website | File an Issue
# Run the following to install the Dictquery backend into Sigma CLI.
sigma plugin install dictquery
Elasticsearch
State: Stable
Elasticsearch backend converting into Lucene, ES|QL (with correlations) and EQL queries, plain, embedded into DSL or as Kibana NDJSON.
Project Website | File an Issue
# Run the following to install the Elasticsearch backend into Sigma CLI.
sigma plugin install elasticsearch
Hawk
State: Testing
HAWK.io MDR backend and pipeline for conversion of log sources to HAWK.io BETree queries.
Project Website | File an Issue
# Run the following to install the Hawk backend into Sigma CLI.
sigma plugin install hawk
IBM QRadar AQL
State: Stable
IBM QRadar backend for conversion into AQL queries. Contains mappings for fields and logsources
Project Website | File an Issue
# Run the following to install the IBM QRadar AQL backend into Sigma CLI.
sigma plugin install ibm-qradar-aql
InsightIDR
State: Stable
Rapid7 InsightIDR backend that generates LEQL queries.
Project Website | File an Issue
# Run the following to install the InsightIDR backend into Sigma CLI.
sigma plugin install insightidr
Loki
State: Stable
Loki backend for conversion into Loki LogQL queries (plain and ruler YAML for alerts) and pipelines with mappings for Grafana and promtail Sysmon data.
Project Website | File an Issue
# Run the following to install the Loki backend into Sigma CLI.
sigma plugin install loki
Microsoft 365 Defender
State: Stable
Microsoft 365 Defender (formerly mdatp) backend and pipeline for conversion of log sources with Sysmon field schema to Microsoft Advanced Hunting Queries in Kusto Query Language (KQL)
Project Website | File an Issue
# Run the following to install the Microsoft 365 Defender backend into Sigma CLI.
sigma plugin install microsoft365defender
OpenSearch
State: Stable
Opensearch backend converting into Lucene queries and Opensearch alerting rules.
Project Website | File an Issue
# Run the following to install the OpenSearch backend into Sigma CLI.
sigma plugin install opensearch
Panther
State: Development
Panther sdyaml backend
Project Website | File an Issue
# Run the following to install the Panther backend into Sigma CLI.
sigma plugin install panther
PowerShell
State: Testing
PowerShell backend converting into PowerShell queries.
Project Website | File an Issue
# Run the following to install the PowerShell backend into Sigma CLI.
sigma plugin install powershell
QRadar
State: Stable
IBM QRadar backend for conversion into AQL and extension packages.
Project Website | File an Issue
# Run the following to install the QRadar backend into Sigma CLI.
sigma plugin install qradar
Quickwit
State: Development
Quickwit Backend
Project Website | File an Issue
# Run the following to install the Quickwit backend into Sigma CLI.
sigma plugin install quickwit
SentinelOne
State: Stable
SentinelOne backend that generates Deep Visibility queries.
Project Website | File an Issue
# Run the following to install the SentinelOne backend into Sigma CLI.
sigma plugin install sentinelone
SentinelOne PowerQuery
State: Stable
SentinelOne backend that generates PowerQuery queries.
Project Website | File an Issue
# Run the following to install the SentinelOne PowerQuery backend into Sigma CLI.
sigma plugin install sentinelone-pq
Splunk
State: Stable
Splunk backend for conversion into SPL and tstats data model queries as plain queries and savedsearches.conf
Project Website | File an Issue
# Run the following to install the Splunk backend into Sigma CLI.
sigma plugin install splunk
Sqlite
State: Testing
SQLite and Zircolite backend
Project Website | File an Issue
# Run the following to install the Sqlite backend into Sigma CLI.
sigma plugin install sqlite
Stix
State: Development
STIX backend converting into plain STIX queries. Contains mappings for STIX 2.0 and STIX Shifter taxonomies.
Project Website | File an Issue
# Run the following to install the Stix backend into Sigma CLI.
sigma plugin install stix
Trellix Helix
State: Development
Trellix Helix Backend
Project Website | File an Issue
# Run the following to install the Trellix Helix backend into Sigma CLI.
sigma plugin install trellix_helix
Uberagent
State: Stable
uberAgent backend
Project Website | File an Issue
# Run the following to install the Uberagent backend into Sigma CLI.
sigma plugin install uberagent