Special thanks to @Nigel Sood for his continuous efforts to make this new version of the app available in such a quick timespan!
You've read that right, I am here to announce that QRadar now natively supports the ingestion of SIGMA rules to create real-time detection rules !
I have talked a few months back in a different blog post how we have rewritten the pysigma script to optimize the conversion of the SIGMA rules to AQL statement by including Custom Properties, Log sources and updating regex searches. Well, we figured that not only this deserved to be included in an app, but also should allow to create real time rules in just a few clicks.
So we did it... And this magic all happens in the former IBM Security QRadar Manager for YARA Rules app, which is now called IBM Security QRadar Manager for YARA and SIGMA Rules and can be found here on the App Exchange!
This is what the new version of the app looks like:
We already have 4 blogs talking about the YARA part, so I won't do too much repeat. In a few words, that part of the app allows you to import YARA rules from a file or from a GitHub and then to run a scan with these rules on events, flows and even files.
If you are interested in knowing what you can do with YARA in QRadar, you will find everything in my blog posts reference page.
The big change in the app is that now you can ingest SIGMA rules from a file or from GitHub, and either trigger a one time scan, or create real time detection rules. Let's see how it works !
Load the content
The SIGMA Rule Translator allows to manually upload your rules from a file or simply perform a copy/paste of the rules you want to import.
The GitHub integration enables to import an entire folder from GitHub