Introduction to Sigma
Sigma, created by Florian Roth and Thomas Patzke, is an open source project and initiative for creating a structured language for SIEM detection content. The concept is analogous to YARA for file-based detections, SNORT for IDS, and STIX for threat intelligence. However, Sigma takes this one step further by abstracting detection concepts common to each SIEM platform and enabling conversion between them. The language’s semantic (descriptive) format, shareability, and flexibility across platforms make it a valuable resource for operations.
1. Sigma enables consumers to quickly determine the applicability, stability, credibility, criticality, and reliability of a rule through its semantic format.
- This reduces the need to rely on SIEM subject matter experts for interpretation and explanation of detection content and enables analysts to save time during an investigation or threat hunting exercise.
- https://github.com/Neo23x0/sigma/wiki/Specification – View additional information about Sigma structure here.
2. Sigma rules can exist in a text-based format, simplifying management and sharing of rules.
Teams can store, access, and manage rules from an architecture as simple as a shared directory, SIEM engineers can download new rules online from the community, and threat hunters can develop new detections without ever touching a SIEM.
- This further reduces the time required to respond to new threats by opening up avenues for creators and consumers to leverage detections.
- https://tdm.socprime.com – View SOC Prime’s Marketplace for free and premium rules and rule packs here.
- https://github.com/socprime/SigmaUI – See SOC Prime’s free development plugin for Kibana.
3. Sigma rules can be translated into a growing number of SIEM languages.
Teams that are using more than one SIEM platform or are attempting to transition away from an older platform can easily convert existing content, reducing the implementation period for a project.
- https://github.com/Neo23x0/sigma – Visit the GitHub page for Sigma.
Uncoder.io is SOC Prime’s free tool for SIEM search language conversion. Uncoder relies upon Sigma to act as a proverbial “Rosetta Stone”, enabling event schema resolution across platforms. Some of the supported conversions:
Sigma → ArcSight (CEF)
Splunk (SPL) → Sigma
ArcSight (CEF) → Sigma → Splunk (SPL)
Splunk (SPL) → Sigma → Elasticsearch (DSL)
QRadar (AQL) → Sigma → Kibana (Lucene)
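To make concrete what "event schema resolution" and SIEM-to-SIEM translation mean in practice, here is an added example (not Uncoder, sigmac or pySigma code) that takes the detection section of a Sigma rule and renders it as a Splunk SPL search and a Kibana (Lucene) query. The sample rule, the Sigma-to-platform field maps and the log-source prefixes are all constructed assumptions; a real converter reads the field maps from a per-backend configuration, and the rule would normally be loaded from YAML rather than written as a dict.

```python
"""Minimal Sigma-to-SIEM translator (added example, not Uncoder/sigmac/pySigma).

Covers the 'contains', 'startswith' and 'endswith' modifiers, value lists (OR),
and conditions built from and / or / not / parentheses.
"""
import re

# Constructed sample rule. The dict mirrors this Sigma YAML (yaml.safe_load
# on the YAML would give the same structure):
#   title: Process Creation Sample (constructed)
#   logsource: {category: process_creation, product: windows}
#   detection:
#     selection:
#       Image|endswith: '\whoami.exe'
#     filter:
#       ParentImage|endswith: ['\cmd.exe', '\powershell.exe']
#     condition: selection and not filter
SAMPLE_RULE = {
    "title": "Process Creation Sample (constructed)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\whoami.exe"},
        "filter": {"ParentImage|endswith": ["\\cmd.exe", "\\powershell.exe"]},
        "condition": "selection and not filter",
    },
}

# Schema resolution: Sigma field -> platform field (assumed mappings; a real
# converter reads these from a backend configuration file).
FIELD_MAPS = {
    "splunk": {"Image": "Image", "ParentImage": "ParentImage", "CommandLine": "CommandLine"},
    "lucene": {"Image": "process.executable", "ParentImage": "process.parent.executable",
               "CommandLine": "process.command_line"},
}
# Assumed log-source prefix per backend (Sysmon event ID 1 = process creation).
LOGSOURCE = {("splunk", "process_creation"): "EventCode=1",
             ("lucene", "process_creation"): "event.code:1"}
TOKEN = re.compile(r"\s*(\(|\)|\band\b|\bor\b|\bnot\b|[A-Za-z_]\w*)")


def escape(backend, value):
    """Escape a literal value for the target query syntax."""
    if backend == "splunk":
        return value.replace("\\", "\\\\").replace('"', '\\"')
    # Lucene: backslash-escape the characters its query parser treats specially.
    return re.sub(r'([\\ :()\[\]{}"~^!+&|/])', r"\\\1", value)


def wildcard(value, modifier):
    """Apply a Sigma value modifier by adding wildcards around the escaped value."""
    if modifier is None:
        return value
    if modifier == "endswith":
        return "*" + value
    if modifier == "startswith":
        return value + "*"
    if modifier == "contains":
        return "*" + value + "*"
    raise ValueError(f"unsupported modifier: {modifier}")


def atom(backend, field, modifier, values):
    """Render one field comparison; a list of values becomes an OR group."""
    mapped = FIELD_MAPS[backend].get(field, field)
    rendered = [wildcard(escape(backend, str(v)), modifier) for v in values]
    if backend == "splunk":
        parts = [f'{mapped}="{r}"' for r in rendered]
        return parts[0] if len(parts) == 1 else "(" + " OR ".join(parts) + ")"
    return f"{mapped}:{rendered[0]}" if len(rendered) == 1 else f"{mapped}:({' OR '.join(rendered)})"


def render_search(backend, search):
    """Render a search identifier's field map; the keys of one map are ANDed."""
    if not isinstance(search, dict):
        raise ValueError("this example only supports field/value maps")
    clauses = []
    for key, value in search.items():
        field, _, modifier = key.partition("|")
        clauses.append(atom(backend, field, modifier or None, value if isinstance(value, list) else [value]))
    return clauses[0] if len(clauses) == 1 else "(" + " AND ".join(clauses) + ")"


def compile_condition(condition, render_leaf):
    """Recursive-descent parse of a condition (precedence: not > and > or) into a query string."""
    tokens, pos, text = [], 0, condition.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad condition near: {text[pos:]}")
        tokens.append(m.group(1))
        pos = m.end()
    i = 0

    def peek():
        return tokens[i] if i < len(tokens) else None

    def take():
        nonlocal i
        i += 1
        return tokens[i - 1]

    def expr():  # or-expression, lowest precedence; always parenthesised so
        parts = [term()]  # Splunk's and Lucene's own precedence rules never matter
        while peek() == "or":
            take()
            parts.append(term())
        return parts[0] if len(parts) == 1 else "(" + " OR ".join(parts) + ")"

    def term():  # and-expression
        parts = [factor()]
        while peek() == "and":
            take()
            parts.append(factor())
        return parts[0] if len(parts) == 1 else "(" + " AND ".join(parts) + ")"

    def factor():  # not, parenthesised group, or a search identifier
        tok = take() if peek() is not None else None
        if tok == "not":
            return "NOT " + factor()
        if tok == "(":
            inner = expr()
            if peek() != ")":
                raise ValueError("missing ')'")
            take()
            return inner
        if tok in (None, ")", "and", "or"):
            raise ValueError(f"unexpected token: {tok}")
        return render_leaf(tok)

    result = expr()
    if i != len(tokens):
        raise ValueError(f"unexpected token: {tokens[i]}")
    return result


def translate(rule, backend):
    """Translate a Sigma rule dict into a query for 'splunk' or 'lucene'."""
    detection = rule["detection"]
    body = compile_condition(detection["condition"], lambda name: render_search(backend, detection[name]))
    prefix = LOGSOURCE.get((backend, rule["logsource"].get("category")))
    if prefix is None:
        return body
    return f"{prefix} {body}" if backend == "splunk" else f"{prefix} AND {body}"


if __name__ == "__main__":
    for target in ("splunk", "lucene"):
        print(f"{target}: {translate(SAMPLE_RULE, target)}")
```

The same rule yields `EventCode=1 (Image="*\\whoami.exe" AND NOT (ParentImage="*\\cmd.exe" OR ParentImage="*\\powershell.exe"))` for Splunk and `event.code:1 AND (process.executable:*\\whoami.exe AND NOT process.parent.executable:(*\\cmd.exe OR *\\powershell.exe))` for Kibana. Two details matter for any converter of this kind: each platform escapes literals differently (a backslash in a Windows path must be doubled in both syntaxes, and Lucene additionally needs spaces escaped), and the translator should parenthesise every AND/OR group explicitly rather than rely on the target's operator precedence, which differs between query languages.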
SOC Prime is also committed, as security engineers, to respecting users’ privacy: the tool stores no translation data unless the user opts to share a translation with the R&D team for the purpose of improving translation capability.
1. Select an Input Language or use the “Detect” mode on the top left.
2. Paste a query into the left text box or select a pre-set Sigma query from the drop-down.
3. Select an Output Language on the top right.
4. Select a sharing option and click “Translate”.
5. Copy translated query from the right panel.
1. Convert & Store Rules in Sigma for Documentation & Management
Enrich operations and save time by storing rules converted to Sigma in a shared directory.
- Easily access reference materials such as blogs, whitepapers, and other research during an investigation.
- Provide feedback within rules for development teams about common false positives.
- Organize rules to match various tactics, techniques, tools, and products.
- Preserve and share detections utilized during threat hunting exercises.
2. Transition Rules from SIEM A to SIEM B
Shorten the implementation period for a new SIEM platform by converting detection content from an old platform instead of manually recreating it.
3. Leverage Sigma Rules From The Community
Save valuable development time by taking advantage of detection rules being published by the security community.
Download both free and premium rules from SOC Prime’s Threat Detection Marketplace and convert them to any supported platform.
4. Develop Rules Without A SIEM
Stay on top of emerging threats by developing rules for any SIEM right from Uncoder.