zhongwei/gh-agentsecops-secopsagentkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ff1f4bd119e294e82b366862d68e24bd48aac597
gh-agentsecops-secopsagentkit/skills/incident-response/detection-sigma/references/backend-support.md
Zhongwei Li ff1f4bd119 Initial commit
2025-11-29 17:51:02 +08:00

391 lines
8.3 KiB
Markdown
Raw Blame History

# Sigma Backend Support Reference
## Supported SIEM/Security Platforms
### Splunk
**Backend**: `splunk`
**Query Language**: SPL (Search Processing Language)
**Installation**:
```bash
pip install pysigma-backend-splunk
```
**Conversion Example**:
```bash
python scripts/sigma_convert.py rule.yml --backend splunk
```
**Output Format**:
```spl
index=windows EventID=4688 Image="*\\powershell.exe" CommandLine IN ("*-enc*", "*-EncodedCommand*", "*FromBase64String*")
```
**Deployment**:
- Save as saved search via Splunk Web UI
- Deploy via REST API: `/servicesNS/-/-/saved/searches`
- Use Splunk Enterprise Security correlation rules
**Field Mappings**:
- Sigma `Image` → Splunk `Image` (Sysmon)
- Sigma `CommandLine` → Splunk `CommandLine`
- Sigma `User` → Splunk `User`
### Elasticsearch
**Backend**: `elasticsearch` or `elastic`
**Query Language**: Elasticsearch Query DSL / Lucene
**Installation**:
```bash
pip install pysigma-backend-elasticsearch
```
**Conversion Example**:
```bash
python scripts/sigma_convert.py rule.yml --backend elasticsearch
```
**Output Format**:
```json
{
"query": {
"bool": {
"must": [
{"wildcard": {"Image": "*\\powershell.exe"}},
{"terms": {"CommandLine": ["-enc", "-EncodedCommand"]}}
]
}
}
}
```
**Deployment**:
- Elastic Security Detection Rules
- Kibana Saved Searches
- ElastAlert rules
**Field Mappings** (ECS - Elastic Common Schema):
- Sigma `Image` → ECS `process.executable`
- Sigma `CommandLine` → ECS `process.command_line`
- Sigma `User` → ECS `user.name`
### Microsoft Sentinel (Azure Sentinel)
**Backend**: `sentinel` or `kusto`
**Query Language**: KQL (Kusto Query Language)
**Installation**:
```bash
pip install pysigma-backend-microsoft365defender
```
**Conversion Example**:
```bash
python scripts/sigma_convert.py rule.yml --backend sentinel
```
**Output Format**:
```kql
SecurityEvent
| where EventID == 4688
| where ProcessName endswith "\\powershell.exe"
| where CommandLine contains "-enc" or CommandLine contains "-EncodedCommand"
```
**Deployment**:
- Azure Sentinel Analytics Rules
- Deploy via ARM templates
- Use Azure Sentinel API
**Field Mappings**:
- Sigma `Image` → Sentinel `ProcessName`
- Sigma `CommandLine` → Sentinel `CommandLine`
- Sigma `User` → Sentinel `AccountName`
### IBM QRadar
**Backend**: `qradar` or `aql`
**Query Language**: AQL (Ariel Query Language)
**Installation**:
```bash
pip install pysigma-backend-qradar
```
**Conversion Example**:
```bash
python scripts/sigma_convert.py rule.yml --backend qradar
```
**Output Format**:
```sql
SELECT * FROM events WHERE LOGSOURCETYPENAME(devicetype) = 'Microsoft Windows Security Event Log'
AND "EventID" = '4688'
AND "Image" ILIKE '%\\powershell.exe'
```
**Deployment**:
- QRadar Custom Rules
- Deploy via QRadar API
- AQL searches
### Elastic Security (EQL)
**Backend**: `eql`
**Query Language**: EQL (Event Query Language)
**Conversion Example**:
```bash
python scripts/sigma_convert.py rule.yml --backend eql
```
**Output Format**:
```eql
process where process.name == "powershell.exe" and
(process.command_line like~ "*-enc*" or
process.command_line like~ "*-EncodedCommand*")
```
**Deployment**:
- Elastic Security Detection Rules
- EQL searches in Kibana
### Chronicle (Google)
**Backend**: `chronicle`
**Query Language**: YARA-L
**Conversion Example**:
```bash
python scripts/sigma_convert.py rule.yml --backend chronicle
```
### Others
Additional backends available via pySigma plugins:
- **LimaCharlie**: EDR platform
- **OpenSearch**: Fork of Elasticsearch
- **LogPoint**: SIEM platform
- **ArcSight**: SIEM platform
- **Carbon Black**: EDR platform
- **CrowdStrike**: EDR platform (Falcon)
- **SentinelOne**: EDR platform
- **Datadog**: Cloud monitoring platform
- **Sumo Logic**: Cloud SIEM
## Backend Installation
### Core pySigma
```bash
pip install pysigma
```
### Backend Plugins
```bash
# Splunk
pip install pysigma-backend-splunk
# Elasticsearch
pip install pysigma-backend-elasticsearch
# Microsoft 365 Defender / Sentinel
pip install pysigma-backend-microsoft365defender
# QRadar
pip install pysigma-backend-qradar
# Multiple backends
pip install pysigma-backend-splunk pysigma-backend-elasticsearch
```
## Backend Limitations
### Field Mapping Gaps
Some backends may not support all Sigma field modifiers:
**Issue**: Backend doesn't support regex field modifier `|re`
**Solution**:
- Use alternative field modifiers (`contains`, `endswith`)
- Implement custom pipeline transformations
- Post-process in SIEM after conversion
### Unsupported Features
| Feature | Splunk | Elasticsearch | Sentinel | QRadar |
|---------|--------|---------------|----------|--------|
| Regex | ✓ | ✓ | ✓ | ✓ |
| Base64 decode | Limited | Limited | ✓ | Limited |
| CIDR matching | ✓ | ✓ | ✓ | ✓ |
| Wildcards | ✓ | ✓ | ✓ | ✓ |
### Data Source Availability
Not all log sources may be available in all backends:
**Check availability**:
1. Verify log source is ingested in your SIEM
2. Confirm field mappings match
3. Test converted query with sample data
## Custom Pipelines
pySigma supports custom processing pipelines for field transformations:
```python
from sigma.pipelines.sysmon import sysmon_pipeline
from sigma.backends.splunk import SplunkBackend
# Apply Sysmon field mappings before conversion
backend = SplunkBackend()
pipeline = sysmon_pipeline()
converted = backend.convert_rule(rule, pipeline)
```
## Deployment Automation
### Splunk Deployment
```python
import requests
# Splunk REST API
url = "https://splunk:8089/servicesNS/nobody/search/saved/searches"
auth = ("admin", "password")
data = {
"name": "Sigma - Suspicious PowerShell",
"search": converted_query,
"description": rule.description,
"cron_schedule": "*/5 * * * *", # Every 5 minutes
"actions": "email",
"action.email.to": "soc@company.com"
}
response = requests.post(url, auth=auth, data=data, verify=False)
```
### Elasticsearch Deployment
```python
from elasticsearch import Elasticsearch
es = Elasticsearch(["https://elasticsearch:9200"])
# Deploy as Elasticsearch detection rule
rule_doc = {
"name": rule.title,
"description": rule.description,
"query": converted_query,
"severity": rule.level,
"tags": rule.tags
}
es.index(index="detection-rules", document=rule_doc)
```
### Microsoft Sentinel Deployment
```bash
# ARM template deployment
az sentinel alert-rule create \
--resource-group myResourceGroup \
--workspace-name mySentinelWorkspace \
--rule-name "Sigma - Suspicious PowerShell" \
--query "$converted_query" \
--severity Medium \
--enabled true
```
## Testing Converted Queries
### Splunk
```spl
# Test in Splunk search
index=windows earliest=-24h
| eval match=case(
Image="*\\powershell.exe" AND (CommandLine LIKE "%enc%" OR CommandLine LIKE "%EncodedCommand%"), "MATCH",
1=1, "NO MATCH"
)
| stats count by match
```
### Elasticsearch
```json
POST /winlogbeat-*/_search
{
"query": {
"bool": {
"must": [
{"wildcard": {"process.executable": "*\\powershell.exe"}},
{"terms": {"process.command_line": ["-enc", "-EncodedCommand"]}}
]
}
}
}
```
### Sentinel
```kql
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4688
| where ProcessName endswith "\\powershell.exe"
| summarize count() by bin(TimeGenerated, 1h)
```
## Troubleshooting
### Conversion Fails
**Error**: `Unsupported field modifier for backend`
**Solution**:
```bash
# Use debug mode to see detailed error
python scripts/sigma_convert.py rule.yml --backend splunk --debug
```
Check `references/field-modifiers.md` for backend compatibility.
### Query Doesn't Return Expected Results
**Steps**:
1. Verify log source is ingested
2. Check field name mappings
3. Test with known-positive sample
4. Validate field value case sensitivity
5. Check time range in query
### Performance Issues
Large, complex queries may impact SIEM performance:
**Optimization**:
- Add index/sourcetype filters early
- Use specific time ranges
- Optimize field modifiers (prefer exact match over regex)
- Test query performance before deployment
## Resources
- [pySigma Documentation](https://github.com/SigmaHQ/pySigma)
- [pySigma Backend Plugins](https://github.com/SigmaHQ/pySigma/blob/main/Backends.md)
- [Sigma Converter Web Tool](https://sigconverter.io/)
- [Sigma GitHub Repository](https://github.com/SigmaHQ/sigma)
Reference in New Issue View Git Blame Copy Permalink