Sigma, created by Florian Roth and Thomas Patzke, is an open source project and initiative for creating a structured language for SIEM detection content. The concept is analogous to YARA for file-based detections, SNORT for IDS, and STIX for threat intelligence. However, Sigma takes this one step further by abstracting detection concepts common to each SIEM platform and enabling conversion between them. The language’s semantic (descriptive) format, shareability, and flexibility across platforms make it a valuable resource for operations.
1. Sigma enables consumers to quickly determine applicability, stability, credibility, criticality, and reliability of a rule through semantic format.
2. Sigma rules can exist in a text-based format, simplifying management and sharing of rules.
Teams can store, access, and manage rules from an architecture as simple as a shared directory, SIEM engineers can download new rules online from the community, and threat hunters can develop new detections without ever touching a SIEM.
3. Sigma rules can be translated into a growing number of SIEM languages.
Teams that are using more than one SIEM platform or are attempting to transition away from an older platform can easily convert existing content; reducing the implementation period for a project.
https://github.com/Neo23x0/sigma – Visit the Github page for Sigma
Uncoder.io is SOC Prime’s free tool for SIEM search language conversion. Uncoder relies upon Sigma to act as a proverbial “rosetta stone”; enabling event schema resolution across platforms.
Sigma → ArcSight (CEF)
Splunk (SPL) → Sigma
ArcSight (CEF) → Sigma → Splunk (SPL)
Splunk (SPL) → Sigma → Elasticsearch (DSL)
QRadar (AQL) → Sigma → Kibana (Lucene)
As security engineers, SOC Prime is also committed to respecting users’ privacy; no translation data is stored by the tool unless the user opts to share a translation with the R&D team for the purposes of improving translation capability.
1. Select an Input Language or use the “Detect” mode on the top left.
2. Paste a query into the left text box or select a pre-set Sigma query from the drop-down.
3. Select an Output Language on the top right.
4. Select sharing option and click “Translate”.
5. Copy translated query from the right panel.
1. Convert & Store Rules in Sigma for Documentation & Management
Enrich operations and save time by storing rules converted to Sigma in a shared directory.
2. Transition Rules from SIEM A to SIEM B
Shorten the implementation period for a new SIEM platform by converting detection content from an old platform instead of manually recreating it.
3. Leverage Sigma Rules From The Community
Save valuable development time by taking advantage of detection rules being published by the security community.
Download both free and premium rules from SOC Prime’s Threat Detection Marketplace and convert them to any supported platform.
4. Develop Rules Without A SIEM
Stay on top of emerging threats by developing rules for any SIEM right from Uncoder.