IBM Security QRadar

Convert Sigma Rules to QRadar Queries

By MUTAZ ALSALLAL posted Sun October 18, 2020 08:31 AM

Sigma Rules are a community driven rules to hunt and detect different security threats, Security correlation engineers can easily transform Sigma rules to QRadar queries

let's start it with an example:

This is a Sigma rule to detect when an unsigned image (eg: DLL) will be loaded into the LSASS process which is a known behaviour for many credential dumping utilities

Sigma rule to detect unsigned image load into LSASS process

The Sigma Projects already includes a converter to QRadar and to STIXX queries which is used by Cloud Pack for Security to run unified searches across your security products.

The following easy command can be used to transform the above Sigma rule to QRadar query:

sigmac -t qradar rules/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml

sigma convertor to qradar query

To convert it to STIXX:

sigmac -t stix -c stix-qradar rules/windows/image_load/sysmon_unsigned_image_loaded_into_lsass.yml

sigma convertor to STIXX

the sigma converter utility can be downloaded as following:
pip3 install sigmatools

Sigma Rules
Sigma QRadar Backend
Sigma STIXX Backend