IBM QRadar

 View Only

QRadar natively supports SIGMA for rules creation

By Gladys Koskas posted Fri September 15, 2023 07:34 PM

  

Special thanks to @Nigel Sood for his continuous efforts to make this new version of the app available in such a quick timespan!

Hi guys

You've read that right, I am here to announce that QRadar now natively supports the ingestion of SIGMA rules to create real-time detection rules ! 

I have talked a few months back in a different blog post how we have rewritten the pysigma script to optimize the conversion of the SIGMA rules to AQL statement by including Custom Properties, Log sources and updating regex searches. Well, we figured that not only this deserved to be included in an app, but also should allow to create real time rules in just a few clicks.

So we did it... And this magic all happens in the former IBM Security QRadar Manager for YARA Rules app, which is now called IBM Security QRadar Manager for YARA and SIGMA Rules and can be found here on the App Exchange!

This is what the new version of the app looks like:

We already have 4 blogs talking about the YARA part, so I won't do too much repeat. In a few words, that part of the app allows you to import YARA rules from a file or from a GitHub and then to run a scan with these rules on events, flows and even files.

If you are interested in knowing what you can do with YARA in QRadar, you will find everything in my blog posts reference page.

The big change in the app is that now you can ingest SIGMA rules from a file or from GitHub, and either trigger a one time scan, or create real time detection rules. Let's see how it works !

Load the content

The SIGMA Rule Translator allows to manually upload your rules from a file or simply perform a copy/paste of the rules you want to import.

The GitHub integration enables to import an entire folder from GitHub

Trigger searches

From either screen that I showed above, you can trigger a search by clicking on "Import as AQL Searches".
The app will read the SIGMA rule(s) and automatically convert it to an AQL search. From this screen, you can Edit the search (to modify the timeframe or any other condition of your choice), and simply click on Scan to get the results of the search inside the app. 

Create rules

This is definitely the most exciting feature of the app!
As soon as you click on "Import as QRadar Rules", you are prompted with 2 options:
The first one will take you to another screen where you can edit the rules just like you are able to do it for the searches. 
The second option will directly translate the rules as-is and create them. Let's see how rule edition works !
If you choose to review the rules, a new screen will show the content, the Rule Name is pre-filled with the SIGMA rule name, and you can edit the filters as necessary to match your organization needs.
Each rule that is ready can be submitted by clicking on Save As Rule, and the next one of the list will be loaded for review. 
If you want to review the rules in a specific order, you can select the rule that you want to edit from the top of the screen. 

QRadar rules

That's it ! in just a few clicks you have created QRadar rules from SIGMA rules.
This is what the QRadar rule looks like:
The filter is fed with the AQL conversion, and the rule notes contain the information about where the SIGMA rule came from and potential false positive information that have been indicated in the SIGMA rule.
The rule response is also configured by default to dispatch a new event and create an offense, with a response limiter.   
Here is what the end-to-end process looks like

Logs generated by the app

As I mentioned in the previous blogs, in special cases, when the rule is searching for a Boolean value, Null value, regular expression, or CIDR, a payload search cannot be done because it is too general and might create false positives or return random logs.
For rules like that, an exception is displayed, and the rule cannot be translated. 
In the example below, I tried to import a rule where a "null" test was performed
The reason it is failing is not obvious on that screen, and there is certainly room for improvement here. But you can still identify the reason of the failure, just by going to the Log Activity.
When you have installed the app, you have been asked to perform a deploy to finish the creation of a new Log Source, that's the one we want to look at now.
 In the Log Activity, search for Log Source Type Equals YARA and SIGMA Rule Manager DSM
The logs will look like below:
Here is the details of what a QRadar Rule Creation Success log would look like:
In my example of import failure, I see a log saying "SIGMA to AQL Translation Failed"
Here is the content:
The log mentions that the null value that is unsupported for a payload test (due to an unmapped property. Mapping is constantly evolving).
The app generates a good amount of status and explanatory logs, which should help you understand why something potentially went wrong with your YARA or SIGMA content, but also can help you with audit requirements !

Conclusion

The functionalities of this app allow you to synchronize with a public repository and review the rules you want to import to tweak them and adapt to your needs, and also allow you to have your own repositories to share the rules across different platforms.
I hope you'll be as enthusiastic as I am about this app and that it will help you creating new effective detections ! 
2 comments
126 views

Permalink

Comments

Gladys Koskas
Thu October 05, 2023 03:16 PM

Hi Ziad

I'm sorry, this is impossible because the app is using functions that are only available from 7.5

Ziad Raja
Wed September 20, 2023 05:33 AM

Hi team,

Great news! 

I would like to inquire if there are plans to provide support for 7.5 versions earlier than 7.5 UP5.

Thank you.