Converting Sigma Rules

Convert Sigma rules to Simple Detections

Overview

The Sigma rule converter is in open beta, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
You can use the sigma-cli tool to convert Sigma rules into YAML Detections (also known as Simple Detections). In security and threat intelligence communities, Sigma rules are a common, vendor-agnostic way to share detection logic. This converter makes thousands of Sigma rules available for use in Panther, and it can also make migrating to Panther from another SIEM easier.
Currently, only rules for certain Panther log sources are supported for conversion.

Installing the tool

To install the tool:
  1. Follow the installation instructions for sigma-cli.
  2. Run the following command to install the Panther backend and pipelines:
     sigma plugin install panther_sdyaml

Upgrading the tool

  • To upgrade the tool, rerun the installation command:
    sigma plugin install panther_sdyaml

Using the tool

To use the conversion tool:
  1. Navigate to your local directory of Sigma rules.
  2. Run the conversion command:
     sigma convert -s -t panther_sdyaml -p <processing pipeline> path/to/rules -O output_dir=output/directory
  3. Upload the converted rules to Panther using the Panther Analysis Tool or the Bulk Uploader.

Supported conversions

Cloud log sources

All cloud sources use the same conversion command:
sigma convert -s -t panther_sdyaml -p panther_sdyaml path/to/rules -O output_dir=output/directory
Source name    | Supported Panther schema(s)
AWS CloudTrail |
GitHub         |
Okta           |

EDR log sources

This tool can convert detections for endpoint events from certain EDR sources. These detections are applicable to logs generated in Windows, Mac, and Linux systems.
Currently, the following Sigma log source categories are supported:
  • process_creation
  • file_event
  • network_connection
Note that for EDR sources, the value of the processing pipeline flag (-p) is unique to each source.
Source name  | Supported Panther schema(s) | Example conversion command
CrowdStrike  |                             | sigma convert -s -t panther_sdyaml -p crowdstrike_panther path/to/rules -O output_dir=output/directory
Carbon Black |                             | sigma convert -s -t panther_sdyaml -p carbon_black_panther path/to/rules -O output_dir=output/directory
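The following is an added example, not code from Panther's documentation or from the sigma-cli project. It ties together the three-step conversion procedure above and the list of supported EDR logsource categories: a small pre-flight script that keeps only the Sigma rules whose logsource category the EDR pipelines accept, stages them into a directory, and builds the sigma convert command with the -p value that matches the source. The sample rules, file names and staging directory are constructed for illustration, and the minimal logsource reader is an assumption made so the script runs without PyYAML; a real run should parse rules with a full YAML library.

```python
"""Pre-flight triage for a Sigma-to-Panther conversion run (added example).

Assumes only what the page states: the EDR logsource categories that
convert, and the -p pipeline names for cloud, CrowdStrike and Carbon Black.
"""
import re
import shlex
from pathlib import Path
from typing import Dict, List, Tuple, Union

# From the page: Sigma categories the EDR conversion currently supports.
SUPPORTED_EDR_CATEGORIES = {"process_creation", "file_event", "network_connection"}

# From the page: the -p value is unique to each EDR source; all cloud
# sources (CloudTrail, GitHub, Okta) share the panther_sdyaml pipeline.
PIPELINES = {
    "cloud": "panther_sdyaml",
    "crowdstrike": "crowdstrike_panther",
    "carbon_black": "carbon_black_panther",
}


def read_logsource(rule_text: str) -> Dict[str, str]:
    """Return the key/value pairs of a rule's top-level `logsource:` block.

    Minimal reader (assumption, not a YAML parser): collects indented
    `key: value` lines after `logsource:` until the next top-level key.
    """
    fields: Dict[str, str] = {}
    in_block = False
    for line in rule_text.splitlines():
        if re.match(r"^logsource:\s*$", line):
            in_block = True
            continue
        if not in_block:
            continue
        if line.strip() and not line[0].isspace():
            break  # dedented to the next top-level key: block is finished
        m = re.match(r"^\s+([A-Za-z_]+):\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip("'\"")
    return fields


def is_supported_edr_rule(rule_text: str) -> bool:
    """True when the rule's logsource category is one the EDR pipelines accept."""
    return read_logsource(rule_text).get("category") in SUPPORTED_EDR_CATEGORIES


def triage_rules(rule_texts: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split rule names into (convertible, skipped) by logsource category."""
    convertible: List[str] = []
    skipped: List[str] = []
    for name, text in rule_texts.items():
        (convertible if is_supported_edr_rule(text) else skipped).append(name)
    return sorted(convertible), sorted(skipped)


def stage_rules(rule_texts: Dict[str, str], staging_dir: Union[str, Path]) -> List[Path]:
    """Write only the convertible rules into staging_dir, so sigma-cli is
    pointed at a directory containing nothing it cannot convert."""
    staging_dir = Path(staging_dir)
    staging_dir.mkdir(parents=True, exist_ok=True)
    written: List[Path] = []
    for name in triage_rules(rule_texts)[0]:
        path = staging_dir / name
        path.write_text(rule_texts[name])
        written.append(path)
    return written


def convert_command(source: str, rules_path: str, output_dir: str) -> List[str]:
    """Build the page's sigma convert command as an argv list, choosing -p by source."""
    return ["sigma", "convert", "-s", "-t", "panther_sdyaml", "-p", PIPELINES[source],
            rules_path, "-O", f"output_dir={output_dir}"]


# Constructed sample rules (not real Sigma rules); only the logsource block matters here.
SAMPLE_RULES = {
    "proc.yml": """title: Constructed sample, process rule
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: example.exe
    condition: selection
""",
    "file.yml": """title: Constructed sample, file rule
logsource:
    product: linux
    category: 'file_event'
detection:
    selection:
        TargetFilename|contains: /tmp/
    condition: selection
""",
    "registry.yml": """title: Constructed sample, registry rule (not a supported category)
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: Run
    condition: selection
""",
}


if __name__ == "__main__":
    staged = stage_rules(SAMPLE_RULES, "staged_rules")
    print(f"staged {len(staged)} rule(s); skipped: {triage_rules(SAMPLE_RULES)[1]}")
    cmd = convert_command("crowdstrike", "staged_rules", "output/crowdstrike")
    print("would run:", shlex.join(cmd))
    # To actually convert, run the command with subprocess.run(cmd, check=True)
    # after installing sigma-cli and the panther_sdyaml plugin as described above.
```

Running the script stages the two rules with supported categories and skips the registry rule, then prints the CrowdStrike conversion command; swap the source key to carbon_black or cloud to get the matching -p value. The triage step is what makes a bulk conversion predictable: rules that the pipelines cannot handle are separated out before sigma-cli runs instead of surfacing as errors mid-run.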