Converting Sigma Rules
Convert Sigma rules to Simple Detections
Overview
The Sigma rule converter is in open beta, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
Use the sigma-cli tool to convert Sigma rules into Simple Detections.
In security and threat intelligence communities, Sigma rules are a common way to share detection logic in a vendor-agnostic format. This converter makes thousands of Sigma rules available for use in Panther. It can also make it easier to migrate to Panther from another SIEM.
Currently, only rules for certain Panther log sources are supported for conversion.
Installing the tool
To install the tool:
Follow the installation instructions for sigma-cli.
Run the following command to install the Panther backend and pipelines:
Upgrading the tool
To upgrade the tool, rerun the installation command:
Using the tool
To use the conversion tool:
Navigate to your local directory of Sigma rules.
Run the conversion command:
The value of the processing pipeline flag (-p) differs depending on whether the source is a cloud or endpoint detection and response (EDR) source.
See the Usage section of the sigma-cli README for additional usage instructions.
Upload the converted rules to Panther using the Panther Analysis Tool or the Bulk Uploader.
Supported conversions
Cloud log sources
All cloud sources use the same conversion command:
Source name | Supported Panther schema(s) |
---|---|
AWS CloudTrail | |
GitHub | |
Okta | |
EDR log sources
This tool can convert detections for endpoint events from certain EDR sources. These detections are applicable to logs generated in Windows, Mac, and Linux systems.
Currently, the following Sigma log source categories are supported:
process_creation
file_event
network_connection
Note that for EDR sources, the value of the processing pipeline flag (-p) is unique to each source.
Source name | Supported Panther schema(s) | Example conversion command |
---|---|---|
CrowdStrike | | |
Carbon Black | | |
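As an added example (not part of Panther's documentation or the sigma-cli tooling), the following Python script triages a directory of Sigma rules before you run the converter, reporting which rules fall into the cloud sources and EDR log source categories listed above. The mapping of Sigma product/service names to those cloud sources (aws/cloudtrail, github/audit, okta/okta) and the EDR product names are assumptions.

```python
"""Pre-flight triage of Sigma rules before conversion to Panther (added example)."""
import re
from pathlib import Path

# Assumed Sigma logsource conventions for the cloud sources on this page.
CLOUD_SOURCES = {
    ("aws", "cloudtrail"): "AWS CloudTrail",
    ("github", "audit"): "GitHub",
    ("okta", "okta"): "Okta",
}
# EDR categories the page lists as supported; product names are an assumption.
EDR_CATEGORIES = {"process_creation", "file_event", "network_connection"}
EDR_PRODUCTS = {"windows", "macos", "linux"}

# Constructed sample rules (not real Sigma repository rules).
SAMPLE_EDR_RULE = "title: Example\nlogsource:\n  category: process_creation\n  product: windows\ndetection:\n  sel:\n    Image: x\n"
SAMPLE_CLOUD_RULE = "title: Example\nlogsource:\n  product: aws\n  service: cloudtrail\n"


def parse_logsource(text: str) -> dict:
    """Return the key/value pairs indented under the top-level ``logsource:`` key."""
    fields, inside = {}, False
    for line in text.splitlines():
        if re.match(r"^logsource:\s*$", line):
            inside = True
            continue
        if inside:
            m = re.match(r"^\s+(\w+):\s*(\S.*?)\s*$", line)
            if not m:  # a dedent (the next top-level key) ends the block
                break
            fields[m.group(1)] = m.group(2).strip("'\"")
    return fields


def classify(rule_text: str) -> str:
    """Name the supported source family for one rule, or 'unsupported'."""
    ls = parse_logsource(rule_text)
    family = CLOUD_SOURCES.get((ls.get("product"), ls.get("service")))
    if family:
        return family
    if ls.get("category") in EDR_CATEGORIES and ls.get("product") in EDR_PRODUCTS:
        return "EDR/" + ls["category"]
    return "unsupported"


def triage(rule_dir: str) -> dict:
    """Map every .yml file under rule_dir to its classification."""
    return {p.name: classify(p.read_text()) for p in sorted(Path(rule_dir).rglob("*.yml"))}
```

Run `triage("path/to/sigma/rules")` to see which files are worth passing to the converter and which pipeline family they belong to.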