Converting Sigma Rules

Convert Sigma rules to Panther Detections

Overview

Use the sigma-cli tool to convert Sigma rules into Simple Detections or Python detections.

In security and threat intelligence communities, Sigma rules are a common way to share detection logic in a vendor-agnostic format. This converter makes thousands of Sigma rules available for use in Panther. It also can make it easier to migrate to Panther from another SIEM.

Currently, only rules for certain Panther log sources are supported for conversion.

Installing the tool

To install the tool:

  1. Install sigma-cli:

  2. Run the following command to install the Panther backend and pipelines:

    sigma plugin install panther

Upgrading the tool

  1. Upgrade sigma-cli:

  2. Upgrade the plugin by rerunning the installation command:

    sigma plugin install panther

Using the tool

To use the conversion tool:

  1. Navigate to your local directory of Sigma rules.

  2. Run the conversion command:

    sigma convert -s -t panther -f <format> -p <processing pipeline> path/to/rules -O output_dir=output/directory
  3. Upload the converted rules to Panther using the Panther Analysis Tool or the Bulk Uploader.

Supported conversions

Cloud log sources

All cloud sources use the same conversion command:

sigma convert -s -t panther path/to/rules -O output_dir=output/directory
Source name
Supported Panther schema(s)

EDR log sources

This tool can convert detections for endpoint events from certain EDR sources. These detections are applicable to logs generated in Windows, Mac, and Linux systems.

Currently, the following Sigma log source categories are supported:

  • process_creation

  • file_event

  • network_connection

Note that for EDR sources, the value of the processing pipeline flag (-p) is unique to each source.

Source name
Supported Panther schema(s)
-p flag value

CrowdStrike

crowdstrike_panther

Carbon Black

carbon_black_panther

SentinelOne

sentinelone_panther

Windows Event

For Windows security logs: windows_audit_panther For other Windows log types, like PowerShell: windows_logsource_panther

CrowdStrike example conversion command

sigma convert -s -t panther -p crowdstrike_panther path/to/rules -O output_dir=output/directory

sigma convert flags

Long name
Short flag
Options
Description

--target

-t

panther

The Sigma backend to use

--pipeline

-p

panther (default): for cloud log sources crowdstrike_panther carbon_black_panther sentinelone_panther

The log source pipeline to use

--format

-f

python (default) sdyaml

The output format of the converted rules

--skip-unsupported

-s

None

Using this flag is recommended when converting rules in bulk

--backend-option

-O

output_dir=...

The directory in which to save the converted rules

--help

None

None

View the help docs

Last updated