IBM QRadar

Convert Sigma Rules to QRadar Queries

By MUTAZ ALSALLAL posted Sun October 18, 2020 08:31 AM

Sigma rules are community-driven rules for hunting and detecting different security threats. Security correlation engineers can easily transform Sigma rules into QRadar queries.

Let's start with an example:

This is a Sigma rule to detect when an unsigned image (e.g. a DLL) is loaded into the LSASS process, which is a known behaviour of many credential dumping utilities.

(Screenshot: Sigma rule to detect unsigned image load into the LSASS process)



The Sigma project already includes a converter to QRadar queries and one to STIX patterns; the STIX output is used by Cloud Pak for Security to run unified searches across your security products.


The following simple command transforms the above Sigma rule into a QRadar query:

sigmac -t qradar rules/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml

(Screenshot: sigmac output as a QRadar query)


To convert it to STIX:

sigmac -t stix -c stix-qradar rules/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml

(Screenshot: sigmac output as a STIX pattern)


The Sigma converter utility (sigmac) can be installed as follows:
pip3 install sigmatools
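To make the QRadar conversion above concrete, here is an added example (not the Sigma project's sigmac backend) that shows the two steps such a converter performs for a rule of this shape: mapping the Sigma logsource to a QRadar log source type, and turning each "Field|modifier: value" pair into an AQL predicate. It goes a little beyond the single rule by handling value lists and and/or/not conditions; the rule content, field names and log source type name are constructed assumptions.

```python
# Minimal Sigma -> QRadar AQL translator for map-style detections.
# Added example, not the sigmac QRadar backend; parsing the YAML is left
# out, the rule is embedded as a dict.

# Constructed rule modelled on the unsigned-image-into-LSASS rule in the
# post; field names and values are assumptions.
RULE = {
    "title": "Unsigned Image Loaded Into LSASS Process",
    "logsource": {"product": "windows", "category": "image_load"},
    "detection": {
        "selection": {"Image|endswith": "\\lsass.exe", "Signed": "false"},
        "condition": "selection",
    },
}

# Assumed mapping of Sigma logsource to a QRadar LOGSOURCETYPENAME value.
LOGSOURCE_MAP = {("windows", "image_load"): "Microsoft Windows Security Event Log"}


def to_like(value):
    """Escape quotes and translate Sigma wildcards (* ?) to LIKE wildcards."""
    escaped = str(value).replace("'", "''")
    return escaped.replace("*", "%").replace("?", "_")


def predicate(key, value):
    """One 'Field|modifier: value' entry becomes one AQL predicate (OR-ed for lists)."""
    field, _, modifier = key.partition("|")
    values = value if isinstance(value, list) else [value]
    patterns = {"endswith": "%{}", "startswith": "{}%", "contains": "%{}%", "": "{}"}
    if modifier not in patterns:
        raise ValueError(f"unsupported modifier: {modifier}")
    # ILIKE because Sigma string matching is case-insensitive, plain LIKE is not.
    parts = [f"\"{field}\" ILIKE '{patterns[modifier].format(to_like(v))}'" for v in values]
    return parts[0] if len(parts) == 1 else "(" + " OR ".join(parts) + ")"


def selection_clause(selection):
    """Entries of a map-style selection are AND-ed together."""
    return "(" + " AND ".join(predicate(k, v) for k, v in selection.items()) + ")"


def sigma_to_aql(rule):
    """Build the full AQL query: log source filter plus the translated condition."""
    ls = rule["logsource"]
    source = LOGSOURCE_MAP[(ls["product"], ls["category"])]
    det = rule["detection"]
    tokens = []  # the condition keeps its boolean structure; identifiers become clauses
    for tok in det["condition"].split():
        if tok in ("and", "or", "not"):
            tokens.append(tok.upper())
        elif tok in det:
            tokens.append(selection_clause(det[tok]))
        else:
            raise ValueError(f"unknown condition token: {tok}")
    where = f"LOGSOURCETYPENAME(devicetype)='{source}' AND " + " ".join(tokens)
    return f"SELECT UTF8(payload) AS search_payload FROM events WHERE {where}"
```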



References
Sigma Rules
Sigma QRadar Backend
Sigma STIX Backend

Comments

Wed January 26, 2022 01:32 PM

Hi Mutaz,

This is great for a simple conversion and threat hunting using a few specific rules. I'd like to see an implementation for bulk adding all Sigma rules. Is there any way to convert the AQL into Saved Searches or Offense Rules via API? I don't see an App in the App Exchange, but ideally we should be keeping the queries up to date with the Sigma GitHub repo as well. A similar integration exists already for Splunk: https://github.com/P4T12ICK/Sigma-Hunting-App