Convert Sigma rules to Panther Detections
Use the tool to convert into or .
In security and threat intelligence communities, Sigma rules are a common way to share detection logic in a vendor-agnostic format. This converter makes thousands of existing Sigma rules available for use in Panther, and it can also make it easier to migrate to Panther from another SIEM.
Currently, only rules for are supported for conversion.
To install the tool:

1. Install sigma-cli:
   On macOS, you can do so using Homebrew: brew install sigma-cli
   On other platforms, follow .
2. Run the following command to install the Panther backend and pipelines:

To upgrade the tool:

1. Upgrade sigma-cli:
   On macOS, run brew upgrade.
   On other platforms, rerun .
2. Upgrade the plugin by rerunning the installation command:
To use the conversion tool:

1. Navigate to your local directory of Sigma rules.
2. Run the conversion command:
   The value of the processing pipeline flag (-p) differs depending on whether the source is a cloud or EDR source:
   Cloud log sources: Use panther (default)
   EDR sources: See options in the table, below
   The value of the format flag (-f) can be one of the following:
   python (default): Generates
   sdyaml: Generates
   Learn about additional command options in the table, below. See the for additional usage instructions.
3. Upload the converted rules to Panther using the or the .

Cloud log sources

All cloud sources use the same conversion command:

The following cloud log sources are supported:
AWS CloudTrail
GCP Audit
GitHub
Okta

EDR log sources

This tool can convert detections for endpoint events from certain EDR sources. These detections apply to logs generated on Windows, macOS, and Linux systems.

Currently, the following Sigma log source categories are supported:
process_creation
file_event
network_connection

Note that for EDR sources, the value of the processing pipeline flag (-p) is unique to each source, so rules for the same endpoint category must be converted once per EDR you ingest:

EDR source      Pipeline (-p)
CrowdStrike     crowdstrike_panther
Carbon Black    carbon_black_panther
SentinelOne     sentinelone_panther
Windows Event   windows_audit_panther for Windows security logs; windows_logsource_panther for other Windows log types, like PowerShell

sigma convert flags
Flag                 Shorthand   Options                                              Description
--target             -t          panther                                              The Sigma backend to use
--pipeline           -p          panther (default): for cloud log sources;            The log source pipeline to use
                                 crowdstrike_panther, carbon_black_panther,
                                 sentinelone_panther: for EDR sources;
                                 windows_audit_panther, windows_logsource_panther:
                                 for Windows Event logs (see the EDR table above)
--format             -f          python (default), sdyaml                             The output format of the converted rules
--skip-unsupported   -s          None                                                 Skip rules that the backend or pipeline cannot convert instead of aborting the run; using this flag is recommended when converting rules in bulk
--backend-option     -O          output_dir=...                                       The directory in which to save the converted rules
--help               None        None                                                 View the help docs
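Neither the page nor sigma-cli picks the -p value for you, so a directory that mixes cloud, Windows Event and EDR rules needs one conversion run per pipeline. The script below is an added example for this page, not code from the Panther docs or from pySigma-backend-panther: it reads only the logsource block of each rule, chooses a pipeline from the tables above, and builds one sigma convert -t panther command per pipeline with --skip-unsupported set and a per-pipeline output_dir. The mapping from a rule's product/service/category to a pipeline, the sample rules and the rules/ paths are this example's own assumptions; the commands are printed rather than executed, so it runs without sigma-cli installed.

```python
"""Bucket Sigma rules by Panther processing pipeline and build one
`sigma convert -t panther` command per pipeline for bulk conversion.

Added example for this page, not code from the Panther docs or from
pySigma-backend-panther. Pipeline names and flags come from the tables on the
page; the logsource-to-pipeline mapping is this example's own assumption.
"""
import os
import shlex
from collections import defaultdict

# Sigma log source categories the EDR pipelines accept (from the page).
EDR_CATEGORIES = {"process_creation", "file_event", "network_connection"}
# EDR pipelines keyed by the product whose logs you ingest (names from the page).
EDR_PIPELINES = {
    "crowdstrike": "crowdstrike_panther",
    "carbon_black": "carbon_black_panther",
    "sentinelone": "sentinelone_panther",
}
# Sigma `product` values assumed here to correspond to the page's cloud sources
# (AWS CloudTrail, GCP Audit, GitHub, Okta); all use the default pipeline.
CLOUD_PRODUCTS = {"aws", "gcp", "github", "okta"}


def parse_logsource(rule_text):
    """Return the flat `logsource:` block of a Sigma rule as a dict.

    Minimal line-based parser so the example runs without PyYAML: it reads the
    `key: value` lines indented under `logsource:` and stops at the next key.
    """
    fields, inside = {}, False
    for line in rule_text.splitlines():
        if not inside:
            inside = line.strip() == "logsource:"
            continue
        if not line.startswith((" ", "\t")) or not line.strip():
            break
        key, _, value = line.strip().partition(":")
        fields[key.strip()] = value.strip().strip("'\"")
    return fields


def choose_pipeline(logsource, edr):
    """Pick the -p value for one rule, or None if no pipeline on the page fits.

    `edr` is a key of EDR_PIPELINES (a bad key raises KeyError on purpose): the
    same endpoint rule converts differently depending on which EDR made the logs.
    """
    product = logsource.get("product", "").lower()
    service = logsource.get("service", "").lower()
    category = logsource.get("category", "").lower()
    if category in EDR_CATEGORIES and product in {"windows", "linux", "macos"}:
        return EDR_PIPELINES[edr]
    if product == "windows":
        # Security event log vs. other Windows channels such as PowerShell.
        return "windows_audit_panther" if service == "security" else "windows_logsource_panther"
    if product in CLOUD_PRODUCTS:
        return "panther"
    return None


def bucket_rules(rules, edr):
    """Group {path: rule_text} into {pipeline: [paths]}; unsupported rules land under None."""
    buckets = defaultdict(list)
    for path in sorted(rules):
        buckets[choose_pipeline(parse_logsource(rules[path]), edr)].append(path)
    return dict(buckets)


def build_commands(buckets, output_dir, fmt="python"):
    """One `sigma convert` argv per pipeline; -s keeps a stray unsupported rule
    from aborting the bulk run, and each pipeline gets its own output_dir."""
    commands = []
    for pipeline, paths in buckets.items():
        if pipeline is None:
            continue  # report these separately instead of converting them
        commands.append(["sigma", "convert", "-t", "panther", "-p", pipeline, "-f", fmt,
                         "-s", "-O", f"output_dir={os.path.join(output_dir, pipeline)}", *paths])
    return commands


def load_rules(rules_dir):
    """Read every .yml/.yaml file under rules_dir into {path: text}."""
    rules = {}
    for root, _, files in os.walk(rules_dir):
        for name in sorted(files):
            if name.endswith((".yml", ".yaml")):
                path = os.path.join(root, name)
                with open(path, encoding="utf-8") as fh:
                    rules[path] = fh.read()
    return rules


# Constructed sample rules (not from the Sigma repository); hypothetical paths.
SAMPLE_RULES = {
    "rules/aws_root_login.yml": "title: Root console login\nlogsource:\n  product: aws\n  service: cloudtrail\ndetection:\n  sel:\n    userIdentity.type: Root\n  condition: sel\n",
    "rules/okta_mfa_reset.yml": "title: MFA factor reset\nlogsource:\n  product: okta\n  service: okta\ndetection:\n  sel:\n    eventType: user.mfa.factor.reset_all\n  condition: sel\n",
    "rules/win_proc_lsass.yml": "title: LSASS dump via procdump\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  sel:\n    CommandLine|contains: lsass\n  condition: sel\n",
    "rules/win_sec_4720.yml": "title: Local user created\nlogsource:\n  product: windows\n  service: security\ndetection:\n  sel:\n    EventID: 4720\n  condition: sel\n",
    "rules/win_ps_download.yml": "title: PowerShell download cradle\nlogsource:\n  product: windows\n  service: powershell\ndetection:\n  sel:\n    ScriptBlockText|contains: DownloadString\n  condition: sel\n",
    "rules/zeek_dns.yml": "title: Long DNS label\nlogsource:\n  product: zeek\n  service: dns\ndetection:\n  sel:\n    query|re: '.{60,}'\n  condition: sel\n",
}

if __name__ == "__main__":
    # Dry run over the constructed rules; swap in load_rules("rules") for a real
    # directory and hand each argv to subprocess.run to actually convert.
    buckets = bucket_rules(SAMPLE_RULES, edr="crowdstrike")
    print("no pipeline on this page for:", buckets.get(None, []))
    for argv in build_commands(buckets, "converted"):
        print(shlex.join(argv))
```

Review the None bucket before converting: those rules have a logsource the page lists no pipeline for, and with -s set sigma-cli would silently skip them rather than flag them. For the EDR bucket, rerun with a different edr value for each endpoint product you ingest, since the converted detection is specific to that source's log schema.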