Converting Sigma Rules

Convert Sigma rules to Panther Detections

Overview

Use the sigma-cli tool to convert Sigma rules into Simple Detections or Python detections.

In security and threat intelligence communities, Sigma rules are a common way to share detection logic in a vendor-agnostic format. This converter makes thousands of Sigma rules available for use in Panther. It also can make it easier to migrate to Panther from another SIEM.

Currently, only rules for certain Panther log sources are supported for conversion.

Installing the tool

To install the tool:

Install sigma-cli:
- On MacOS, you can do so using Homebrew: brew install sigma-cli
- On other platforms, follow these installation instructions.
Run the following command to install the Panther backend and pipelines:
```
sigma plugin install panther
```

Upgrading the tool

Upgrade sigma-cli:
- On MacOS, run brew upgrade.
- On other platforms, rerun these installation instructions.
Upgrade the plugin by rerunning the installation command:
```
sigma plugin install panther
```

Using the tool

To use the conversion tool:

Navigate to your local directory of Sigma rules.
Run the conversion command:
```
sigma convert -s -t panther -f <format> -p <processing pipeline> path/to/rules -O output_dir=output/directory
```
- The value of the processing pipeline flag (-p) differs depending on whether the source is a cloud or endpoint detection and response (EDR) source.
  - Cloud log sources: Use panther (default)
  - EDR sources: See options in the sigma convert flags table, below
- The value of the format flag (-f) can be one of the following:
  - python (default): Generates Python Detections
  - sdyaml: Generates Simple Detections
- Learn about additional command options in the sigma convert flags table, below. See the Usage section of the sigma-cli README for additional usage instructions.
Upload the converted rules to Panther using the Panther Analysis Tool or the Bulk Uploader.

Supported conversions

Cloud log sources

All cloud sources use the same conversion command:

sigma convert -s -t panther path/to/rules -O output_dir=output/directory

Source name

Supported Panther schema(s)

AWS CloudTrail

GCP Audit

GitHub

Okta

EDR log sources

This tool can convert detections for endpoint events from certain EDR sources. These detections are applicable to logs generated in Windows, Mac, and Linux systems.

Currently, the following Sigma log source categories are supported:

process_creation
file_event
network_connection

Note that for EDR sources, the value of the processing pipeline flag (-p) is unique to each source.

Source name

Supported Panther schema(s)

-p flag value

CrowdStrike

Crowdstrike.FDREvent

crowdstrike_panther

Carbon Black

CarbonBlack.EndpointEvent

carbon_black_panther

SentinelOne

SentinelOne.DeepVisibilityV2

sentinelone_panther

Windows Event

Windows.EventLogs

For Windows security logs: windows_audit_panther For other Windows log types, like PowerShell: windows_logsource_panther

CrowdStrike example conversion command

sigma convert -s -t panther -p crowdstrike_panther path/to/rules -O output_dir=output/directory

`sigma convert` flags

Long name

Short flag

Options

Description

--target

-t

panther

The Sigma backend to use

--pipeline

-p

panther (default): for cloud log sources crowdstrike_panther carbon_black_panther sentinelone_panther

The log source pipeline to use

--format

-f

python (default) sdyaml

The output format of the converted rules

--skip-unsupported

-s

None

Using this flag is recommended when converting rules in bulk

--backend-option

-O

output_dir=...

The directory in which to save the converted rules

--help

None

View the help docs

Previouspantherlog Tool NextHelp

Last updated 2 months ago

Was this helpful?