Special thanks to @Noaa Kless for all the hard work she put into the project. You'll find some of her comments throughout this blog.
Hi guys
If you clicked on this link, you probably don't need to be convinced of the value of SIGMA rules. Everybody talks about them, a lot of rule repositories exist (the main one can be found here)... There is no doubt they are a good tool.
But if you are not sure what they are, here is my take on it...
SIGMA rules are detection rules, built in a tool-agnostic format, that help researchers and admins understand what they are looking for, no matter which tool they are working with. They could very well be written in English, but instead they use a structured format that goes straight to the point, can be written in minutes, and most importantly, can be converted to work in any environment.
SIGMA rules are community driven, so you get the wisdom and rapidity of the crowd working with you.
You have probably noticed it: every time a new significant threat or vulnerability gets announced, a few hours later we have responses coming from the community, and they are often the same: a Snort signature, a YARA rule... and a SIGMA rule!
While I said that SIGMA rules are agnostic, the title of this blog post mentions "content optimized for QRadar", and that's probably what brought you here, so let's talk about it!
Welcome to the new pySigma script!
A few tools exist today to convert SIGMA rules to AQL, and they do serve that purpose, but the queries they generate are not always adapted to run correctly on QRadar; I will explain that in a minute...
In case you haven't heard the news, the original sigmac script that was initially written as part of the SIGMA project is reaching end of life at the end of 2023. It is being replaced by pySigma, which works on a new architecture (documentation can be found here).
The pySigma script usage is straightforward: you feed it a YAML file (or a directory of YAML files) and it outputs the corresponding AQL, which can be used to create detection rules or searches for threat hunting.
Two main problems can be highlighted in the original behaviour: a lot of the time the payload is used to query the data, which is not great for performance, and in some cases the properties used are not the right ones, which can result in false negatives.
So we've created a new script! It can be found here on GitHub.
What does the script do differently?
A bunch of things, which can make this blog hard to consume... So here are a few quick links that will help you navigate ;)
Mapping of the Custom Properties
Mapping of the Log Sources
Use of LIKE instead of ILIKE
Subnet search
Increase the number of true positives
Mapping of the Custom Properties
Over the years we have released many properties on the App Exchange, and we've made sure that all the properties were normalized as much as possible across all the devices, just like you always find the same properties in the DSMs. We even released the IBM QRadar Custom Properties Dictionary, so anybody could build their own property expressions and tie them to the normalized property definitions.
This normalization work allowed us to map the properties used in the SIGMA rules to the properties used in QRadar, and this is what it looks like:
Mapping of the Log Sources
We didn't stop at the CEPs: to make the searches even faster, we've also mapped the product names and services to the QRadar Log Source types.
Here are a few examples:
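As an added illustration (my own toy code, not the pySigma backend or the script from this post), here is how a Sigma selection turns into AQL with the original payload search versus with the property and log source mappings described above. The property and log source names in the two mapping tables are assumed placeholders, and the sample rule is constructed.

```python
# Sigma field name -> QRadar custom event property (constructed placeholder names)
FIELD_MAP = {
    "CommandLine": "Process CommandLine",
    "Image": "Process Name",
}
# Sigma logsource (product, service) -> QRadar log source type (constructed placeholder)
LOGSOURCE_MAP = {
    ("windows", "sysmon"): "Microsoft Windows Security Event Log",
}

def aql_value(value, modifier):
    """Turn a Sigma value plus modifier into an AQL pattern; single quotes are doubled."""
    v = str(value).replace("'", "''").replace("*", "%")
    if modifier == "contains":
        return f"%{v}%"
    if modifier == "startswith":
        return f"{v}%"
    if modifier == "endswith":
        return f"%{v}"
    return v

def selection_items(rule):
    """Yield (field, modifier, value) from selection keys such as 'CommandLine|contains'."""
    for key, value in rule["detection"]["selection"].items():
        field, _, modifier = key.partition("|")
        yield field, modifier, value

def sigma_to_aql_payload(rule):
    """Original behaviour: every value is searched case-insensitively in the raw payload."""
    clauses = [f"UTF8(payload) ILIKE '%{aql_value(v, '')}%'" for _, _, v in selection_items(rule)]
    return "SELECT * FROM events WHERE " + " AND ".join(clauses)

def sigma_to_aql_mapped(rule):
    """Mapped behaviour: filter on the log source type first, then LIKE on the property."""
    ls = rule["logsource"]
    lstype = LOGSOURCE_MAP[(ls["product"], ls["service"])]  # KeyError if the source is unmapped
    clauses = [f"LOGSOURCETYPENAME(devicetype) = '{lstype}'"]
    for field, modifier, value in selection_items(rule):
        prop = FIELD_MAP[field]  # KeyError rather than a silent fallback to the payload
        clauses.append(f"\"{prop}\" LIKE '{aql_value(value, modifier)}'")
    return "SELECT * FROM events WHERE " + " AND ".join(clauses)

# Constructed Sigma rule, reduced to the parts the translator reads
RULE = {
    "logsource": {"product": "windows", "service": "sysmon"},
    "detection": {"selection": {"Image|endswith": "whoami.exe", "CommandLine|contains": "/all"}},
}
```

Running both translators on RULE shows the payload version scanning every event's raw text, while the mapped version narrows to one log source type and compares indexed properties.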