Converting Sigma Rules
Convert Sigma rules to Panther Detections
Overview
Use the sigma-cli tool to convert Sigma rules into Simple Detections or Python detections.
In security and threat intelligence communities, Sigma rules are a common way to share detection logic in a vendor-agnostic format. This converter makes thousands of Sigma rules available for use in Panther. It can also make it easier to migrate to Panther from another SIEM.
Currently, only rules for certain Panther log sources are supported for conversion.
Installing the tool
To install the tool:
Install sigma-cli:
On macOS, you can do so using Homebrew:
brew install sigma-cli
On other platforms, follow these installation instructions.
Run the following command to install the Panther backend and pipelines:
Upgrading the tool
Upgrade sigma-cli:
On macOS, run brew upgrade.
On other platforms, rerun these installation instructions.
Upgrade the plugin by rerunning the installation command:
Using the tool
To use the conversion tool:
Navigate to your local directory of Sigma rules.
Run the conversion command:
The value of the processing pipeline flag (-p) differs depending on whether the source is a cloud or endpoint detection and response (EDR) source.
Cloud log sources: Use panther (default)
EDR sources: See options in the sigma convert flags table, below
The value of the format flag (-f) can be one of the following:
python (default): Generates Python Detections
sdyaml: Generates Simple Detections
Learn about additional command options in the sigma convert flags table, below. See the Usage section of the sigma-cli README for additional usage instructions.
Upload the converted rules to Panther using the Panther Analysis Tool or the Bulk Uploader.
Supported conversions
Cloud log sources
All cloud sources use the same conversion command:
EDR log sources
This tool can convert detections for endpoint events from certain EDR sources. These detections are applicable to logs generated in Windows, Mac, and Linux systems.
Currently, the following Sigma log source categories are supported:
process_creation
file_event
network_connection
Note that for EDR sources, the value of the processing pipeline flag (-p) is unique to each source.
Windows Event
For Windows security logs: windows_audit_panther
For other Windows log types, like PowerShell: windows_logsource_panther
CrowdStrike example conversion command
sigma convert flags

| Flag | Abbreviation | Value(s) | Description |
| --- | --- | --- | --- |
| --target | -t | panther | The Sigma backend to use |
| --pipeline | -p | panther (default): for cloud log sources; crowdstrike_panther; carbon_black_panther; sentinelone_panther | The log source pipeline to use |
| --format | -f | python (default); sdyaml | The output format of the converted rules |
| --skip-unsupported | -s | None | Using this flag is recommended when converting rules in bulk |
| --backend-option | -O | output_dir=... | The directory in which to save the converted rules |
| --help | None | None | View the help docs |
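The EDR guidance above (three supported log source categories, a source-specific -p value, -s for bulk runs) can be applied as a pre-filter over a rules directory before conversion. The script below is an added example, not part of the Panther documentation: the function names and the sample rules are constructed for illustration, block-style YAML is assumed, and the sigma convert command is printed rather than run.

```shell
#!/bin/sh
# Added example, not Panther's code: pre-filter Sigma rules by logsource
# category, then build the sigma convert command for an EDR pipeline.

# EDR categories the page lists as supported.
SUPPORTED_CATEGORIES="process_creation file_event network_connection"

# Print the logsource category of one rule file (empty output if none).
rule_category() {
  awk '
    /^logsource:/ { in_ls = 1; next }
    in_ls && /^[^ \t#]/ { in_ls = 0 }      # next top-level key ends the block
    in_ls && /^[ \t]+category:/ {
      sub(/^[ \t]+category:[ \t]*/, "")
      sub(/[ \t]*(#.*)?$/, "")             # trailing spaces or comment
      gsub("[\"\047]", "")                 # surrounding quotes
      print; exit
    }' "$1"
}

# List rule files under $1 whose category is supported (sorted, one per line).
edr_convertible_rules() {
  find "$1" -type f \( -name '*.yml' -o -name '*.yaml' \) | sort |
  while read -r f; do
    c=$(rule_category "$f")
    case " $SUPPORTED_CATEGORIES " in *" $c "*) printf '%s\n' "$f" ;; esac
  done
}

# Print (do not run) the command. $1 pipeline, $2 format, $3 output dir,
# $4 rules dir. Paths are assumed to contain no whitespace.
build_convert_cmd() {
  case "$2" in python|sdyaml) ;; *) echo "unknown format: $2" >&2; return 2 ;; esac
  printf 'sigma convert -t panther -p %s -f %s -s -O output_dir=%s' "$1" "$2" "$3"
  edr_convertible_rules "$4" | while read -r f; do printf ' %s' "$f"; done
  printf '\n'
}

# Constructed sample rules (not real Sigma rules) written to a temp directory.
make_sample_rules() {
  d=$(mktemp -d)
  printf 'title: A\nlogsource:\n  category: process_creation\n  product: windows\n' > "$d/a.yml"
  printf 'title: B\nlogsource:\n  product: aws\n  service: cloudtrail\n' > "$d/b.yml"
  printf 'title: C\nlogsource:\n  category: dns_query\n' > "$d/c.yml"
  printf 'title: D\nlogsource:\n  product: linux\n  category: "file_event"  # quoted\n' > "$d/d.yml"
  printf '%s\n' "$d"
}

# Demo: only a.yml and d.yml appear in the printed command.
demo=$(make_sample_rules); build_convert_cmd crowdstrike_panther sdyaml converted "$demo"; rm -rf "$demo"
```

Rules the filter drops (here the CloudTrail rule and the dns_query rule) are candidates for the cloud pipeline or are outside the categories currently supported for EDR sources.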