IBM Security QRadar

QRadar and SIGMA: Map your own Custom Properties and Log Sources Types

By Gladys Koskas posted Fri May 24, 2024 08:48 AM

Special thanks to Wesley Truett and Brian Mitchell for continuously updating the YARA and SIGMA rule manager, bringing more value and flexibility to support cross-product compatibility.

Hi guys

We're here today to talk about an update that changes how custom SIGMA content is created for QRadar and kept compatible with it.

If you don't know what I am talking about, I published a blog explaining how QRadar supports SIGMA; you can find it here.

We've added a new capability to the app: you can now create your own mappings of Custom Properties and Log Source Types.

Map SIGMA fields to your own custom properties

The pySigma script (and the first version of the app) included a mapping from the fields used by the SIGMA community rules to the custom property definitions created by IBM (see the pySigma blog entry for more details).

This means that if you use the IBM Windows or Linux custom properties, for example, everything works out of the box. You can add custom property expressions on top of what we have released, and as long as the rules resolve to the IBM custom property definitions, the translation just works.

In this version we have gone a step further and included full custom property support: the app lets you map any SIGMA field to any QRadar property that exists on the system.

A new menu called SIGMA Global configuration now appears on the left side of the screen. Its sub-menu Field name overrides is where you apply your own mapping so that it is taken into account in the translation from SIGMA to AQL.

By default, the left column of the configuration page lists all the SIGMA fields we know to be used in the SIGMA-HQ community rules.

The right column displays all the custom properties available on the system.

One SIGMA field can be mapped to multiple QRadar custom properties.

The configuration page also lets you add your own SIGMA fields; in the example below I mapped "gkos-myproperty" to the QRadar CEP "Event Type".

This is useful if the community introduces fields we are not yet aware of, or if you maintain your own rule repository and need rules that stay compatible with multiple tools.

Map SIGMA rules devices to your own Log Sources

Same story for the Log Sources: the first version of the script and the app mapped the pySigma products and services list to the equivalent Log Source Types in QRadar.

That leaves a fair number of devices out of the list, because QRadar has more than 400 DSMs, so if you have your own rule repository you will likely want to map additional devices, whether they are IBM DSMs or custom DSMs.

In the Product and service overrides menu, you can select from the existing list of SIGMA-supported devices.

On the right side of the screen you can select any log source type present on the system.

And once again, you can add your own device type mappings, on both sides if you want!

In the example below, I am mapping the SIGMA product "gkos-myownproduct" to the custom DSM "GKOS-MyProductOnQRadar". 
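To make the two override tables concrete, here is an added example (my own illustration, not the QRadar SIGMA app's code and not pySigma's) of a minimal SIGMA-to-AQL translator driven by a field name override table and a product/service override table, covering both the Field name overrides mapping and the Product and service overrides mapping described above. The table entries, the property names such as "Process CommandLine" and "Image Path", and the sample rule are all constructed. `LOGSOURCETYPENAME(devicetype)` and `ILIKE` are real AQL, but this page does not describe the exact AQL the app emits or how it combines a SIGMA field that is mapped to several properties, so the OR expansion below is this example's own choice.

```python
"""Illustrative SIGMA -> AQL translation driven by two override tables.
Added example, not the QRadar SIGMA app's or pySigma's code: the two tables
stand in for the "Field name overrides" and "Product and service overrides"
pages, their entries are constructed, and the AQL shape is simplified."""

# Constructed field overrides: one SIGMA field -> one or more QRadar properties.
FIELD_OVERRIDES = {
    "CommandLine": ["Process CommandLine"],
    "Image": ["Process Name", "Image Path"],  # one SIGMA field, two CEPs
    "gkos-myproperty": ["Event Type"],         # the custom field from the post
}
# Constructed product/service overrides: (product, service) -> log source types.
# A service of None is the product-level fallback when no exact pair matches.
PRODUCT_OVERRIDES = {
    ("windows", "security"): ["Microsoft Windows Security Event Log"],
    ("gkos-myownproduct", None): ["GKOS-MyProductOnQRadar"],
}


class UnmappedError(ValueError):
    """A SIGMA field or product has no QRadar counterpart in the overrides."""


def aql_str(value) -> str:
    """Quote an AQL string literal, doubling embedded single quotes."""
    return "'" + str(value).replace("'", "''") + "'"


def _like_pattern(value, modifier):
    # SIGMA wildcards * and ? become the SQL-style % and _ that AQL LIKE uses.
    # A literal % or _ inside a SIGMA value would need escaping; not handled here.
    pat = str(value).replace("*", "%").replace("?", "_")
    return {"contains": f"%{pat}%", "startswith": f"{pat}%",
            "endswith": f"%{pat}", "": pat}[modifier]


def field_clause(sigma_field, values, overrides=FIELD_OVERRIDES):
    """Translate one `Field|modifier: value(s)` entry into an AQL predicate.
    Each mapped property is tried against each value and the terms are OR-ed
    (this example's choice), so the rule fires if any property holds any value.
    SIGMA matching is case-insensitive by default, hence ILIKE rather than LIKE."""
    name, _, modifier = sigma_field.partition("|")
    if modifier not in ("", "contains", "startswith", "endswith"):
        raise NotImplementedError(f"modifier {modifier!r} is not handled here")
    props = overrides.get(name)
    if not props:  # the gap the Field name overrides page exists to close
        raise UnmappedError(f"SIGMA field {name!r} has no QRadar property mapping")
    values = values if isinstance(values, list) else [values]
    terms = [f'"{p}" ILIKE {aql_str(_like_pattern(v, modifier))}'
             for p in props for v in values]
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"


def logsource_clause(logsource, overrides=PRODUCT_OVERRIDES):
    """Restrict the query to the log source types mapped for the rule's product."""
    key = (logsource.get("product"), logsource.get("service"))
    types = overrides.get(key) or overrides.get((key[0], None))
    if not types:  # the gap the Product and service overrides page exists to close
        raise UnmappedError(f"no QRadar log source type mapped for {key}")
    terms = [f"LOGSOURCETYPENAME(devicetype) = {aql_str(t)}" for t in types]
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"


def selection_clause(selection):
    """A selection mapping is an AND of its fields; a list of mappings is an OR."""
    if isinstance(selection, list):
        return "(" + " OR ".join(selection_clause(s) for s in selection) + ")"
    return " AND ".join(field_clause(f, v) for f, v in selection.items())


def condition_clause(condition, detection):
    """Expand a condition made of selection names, and/or/not and parentheses."""
    out = []
    for tok in condition.replace("(", " ( ").replace(")", " ) ").split():
        if tok.lower() in ("and", "or", "not"):
            out.append(tok.upper())
        elif tok in ("(", ")"):
            out.append(tok)
        elif tok in detection:
            out.append("(" + selection_clause(detection[tok]) + ")")
        else:  # aggregations, '1 of them', wildcard names, ... are out of scope
            raise NotImplementedError(f"condition token {tok!r} is not handled here")
    return " ".join(out)


def sigma_to_aql(rule):
    """Build the AQL for a parsed SIGMA rule. The condition is parenthesised so
    a top-level OR in it cannot escape the log source restriction."""
    detection = dict(rule["detection"])
    condition = detection.pop("condition")
    return (f"SELECT * FROM events WHERE {logsource_clause(rule['logsource'])} "
            f"AND ({condition_clause(condition, detection)})")


# Constructed rule, in the parsed form a YAML loader would produce.
RULE = {
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-EncodedCommand", "FromBase64String"],
        },
        "filter": {"CommandLine|contains": "known-good-tool"},
        "condition": "selection and not filter",
    },
}
```

Calling `sigma_to_aql(RULE)` yields a single SELECT whose WHERE starts with the log source type restriction followed by the parenthesised condition. A SIGMA field or product that is absent from the tables raises `UnmappedError` rather than silently producing a query that matches nothing, which is exactly the situation the two override pages let you resolve without touching the rule.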

I hope these new capabilities will make creating and maintaining your detections easier; stay tuned for more updates on the app soon!
