Overview

Use the tool to convert into or .

In security and threat intelligence communities, Sigma rules are a common way to share detection logic in a vendor-agnostic format. This converter makes thousands of Sigma rules available for use in Panther. It also can make it easier to migrate to Panther from another SIEM.

Currently, only rules for are supported for conversion.

Installing the tool

To install the tool:

1. Install sigma-cli:

   • On MacOS, you can do so using Homebrew: brew install sigma-cli

   • On other platforms, follow .

2. Run the following command to install the Panther backend and pipelines:

   Copy

   sigma plugin install panther

Upgrading the tool

1. Upgrade sigma-cli:

   • On MacOS, run brew upgrade.

   • On other platforms, rerun .

2. Upgrade the plugin by rerunning the installation command:

   Copy

   sigma plugin install panther

Using the tool

To use the conversion tool:

1. Navigate to your local directory of Sigma rules.

2. Run the conversion command:

   Copy

   sigma convert -s -t panther -f <format> -p <processing pipeline> path/to/rules -O output_dir=output/directory

   • • Cloud log sources: Use panther (default)
   • The value of the format flag (-f) can be one of the following:

Supported conversions

Cloud log sources

All cloud sources use the same conversion command:

sigma convert -s -t panther path/to/rules -O output_dir=output/directory

EDR log sources

This tool can convert detections for endpoint events from certain EDR sources. These detections are applicable to logs generated in Windows, Mac, and Linux systems.

Currently, the following Sigma log source categories are supported:

• process_creation

• file_event

• network_connection

Note that for EDR sources, the value of the processing pipeline flag (-p) is unique to each source.

CrowdStrike example conversion command

sigma convert -s -t panther -p crowdstrike_panther path/to/rules -O output_dir=output/directory

sigma convert flags