Skip to content

backend-support.md

Latest commit

 

History

History
390 lines (290 loc) · 8.29 KB

backend-support.md

File metadata and controls

390 lines (290 loc) · 8.29 KB

Sigma Backend Support Reference

Supported SIEM/Security Platforms

Splunk

Backend: splunk

Query Language: SPL (Search Processing Language)

Installation:

pip install pysigma-backend-splunk

Conversion Example:

python scripts/sigma_convert.py rule.yml --backend splunk

Output Format:

index=windows EventID=4688 Image="*\\powershell.exe" CommandLine IN ("*-enc*", "*-EncodedCommand*", "*FromBase64String*")

Deployment:

  • Save as saved search via Splunk Web UI
  • Deploy via REST API: /servicesNS/-/-/saved/searches
  • Use Splunk Enterprise Security correlation rules

Field Mappings:

  • Sigma Image → Splunk Image (Sysmon)
  • Sigma CommandLine → Splunk CommandLine
  • Sigma User → Splunk User

Elasticsearch

Backend: elasticsearch or elastic

Query Language: Elasticsearch Query DSL / Lucene

Installation:

pip install pysigma-backend-elasticsearch

Conversion Example:

python scripts/sigma_convert.py rule.yml --backend elasticsearch

Output Format:

{
  "query": {
    "bool": {
      "must": [
        {"wildcard": {"Image": "*\\powershell.exe"}},
        {"terms": {"CommandLine": ["-enc", "-EncodedCommand"]}}
      ]
    }
  }
}

Deployment:

  • Elastic Security Detection Rules
  • Kibana Saved Searches
  • ElastAlert rules

Field Mappings (ECS - Elastic Common Schema):

  • Sigma Image → ECS process.executable
  • Sigma CommandLine → ECS process.command_line
  • Sigma User → ECS user.name

Microsoft Sentinel (Azure Sentinel)

Backend: sentinel or kusto

Query Language: KQL (Kusto Query Language)

Installation:

pip install pysigma-backend-microsoft365defender

Conversion Example:

python scripts/sigma_convert.py rule.yml --backend sentinel

Output Format:

SecurityEvent
| where EventID == 4688
| where ProcessName endswith "\\powershell.exe"
| where CommandLine contains "-enc" or CommandLine contains "-EncodedCommand"

Deployment:

  • Azure Sentinel Analytics Rules
  • Deploy via ARM templates
  • Use Azure Sentinel API

Field Mappings:

  • Sigma Image → Sentinel ProcessName
  • Sigma CommandLine → Sentinel CommandLine
  • Sigma User → Sentinel AccountName

IBM QRadar

Backend: qradar or aql

Query Language: AQL (Ariel Query Language)

Installation:

pip install pysigma-backend-qradar

Conversion Example:

python scripts/sigma_convert.py rule.yml --backend qradar

Output Format:

SELECT * FROM events WHERE LOGSOURCETYPENAME(devicetype) = 'Microsoft Windows Security Event Log'
AND "EventID" = '4688'
AND "Image" ILIKE '%\\powershell.exe'

Deployment:

  • QRadar Custom Rules
  • Deploy via QRadar API
  • AQL searches

Elastic Security (EQL)

Backend: eql

Query Language: EQL (Event Query Language)

Conversion Example:

python scripts/sigma_convert.py rule.yml --backend eql

Output Format:

process where process.name == "powershell.exe" and
  (process.command_line like~ "*-enc*" or
   process.command_line like~ "*-EncodedCommand*")

Deployment:

  • Elastic Security Detection Rules
  • EQL searches in Kibana

Chronicle (Google)

Backend: chronicle

Query Language: YARA-L

Conversion Example:

python scripts/sigma_convert.py rule.yml --backend chronicle

Others

Additional backends available via pySigma plugins:

  • LimaCharlie: EDR platform
  • OpenSearch: Fork of Elasticsearch
  • LogPoint: SIEM platform
  • ArcSight: SIEM platform
  • Carbon Black: EDR platform
  • CrowdStrike: EDR platform (Falcon)
  • SentinelOne: EDR platform
  • Datadog: Cloud monitoring platform
  • Sumo Logic: Cloud SIEM

Backend Installation

Core pySigma

pip install pysigma

Backend Plugins

# Splunk
pip install pysigma-backend-splunk

# Elasticsearch
pip install pysigma-backend-elasticsearch

# Microsoft 365 Defender / Sentinel
pip install pysigma-backend-microsoft365defender

# QRadar
pip install pysigma-backend-qradar

# Multiple backends
pip install pysigma-backend-splunk pysigma-backend-elasticsearch

Backend Limitations

Field Mapping Gaps

Some backends may not support all Sigma field modifiers:

Issue: Backend doesn't support regex field modifier |re

Solution:

  • Use alternative field modifiers (contains, endswith)
  • Implement custom pipeline transformations
  • Post-process in SIEM after conversion

Unsupported Features

Feature Splunk Elasticsearch Sentinel QRadar
Regex
Base64 decode Limited Limited Limited
CIDR matching
Wildcards

Data Source Availability

Not all log sources may be available in all backends:

Check availability:

  1. Verify log source is ingested in your SIEM
  2. Confirm field mappings match
  3. Test converted query with sample data

Custom Pipelines

pySigma supports custom processing pipelines for field transformations:

from sigma.pipelines.sysmon import sysmon_pipeline
from sigma.backends.splunk import SplunkBackend

# Apply Sysmon field mappings before conversion
backend = SplunkBackend()
pipeline = sysmon_pipeline()
converted = backend.convert_rule(rule, pipeline)

Deployment Automation

Splunk Deployment

import requests

# Splunk REST API
url = "https://splunk:8089/servicesNS/nobody/search/saved/searches"
auth = ("admin", "password")

data = {
    "name": "Sigma - Suspicious PowerShell",
    "search": converted_query,
    "description": rule.description,
    "cron_schedule": "*/5 * * * *",  # Every 5 minutes
    "actions": "email",
    "action.email.to": "soc@company.com"
}

response = requests.post(url, auth=auth, data=data, verify=False)

Elasticsearch Deployment

from elasticsearch import Elasticsearch

es = Elasticsearch(["https://elasticsearch:9200"])

# Deploy as Elasticsearch detection rule
rule_doc = {
    "name": rule.title,
    "description": rule.description,
    "query": converted_query,
    "severity": rule.level,
    "tags": rule.tags
}

es.index(index="detection-rules", document=rule_doc)

Microsoft Sentinel Deployment

# ARM template deployment
az sentinel alert-rule create \
  --resource-group myResourceGroup \
  --workspace-name mySentinelWorkspace \
  --rule-name "Sigma - Suspicious PowerShell" \
  --query "$converted_query" \
  --severity Medium \
  --enabled true

Testing Converted Queries

Splunk

# Test in Splunk search
index=windows earliest=-24h
| eval match=case(
    Image="*\\powershell.exe" AND (CommandLine LIKE "%enc%" OR CommandLine LIKE "%EncodedCommand%"), "MATCH",
    1=1, "NO MATCH"
  )
| stats count by match

Elasticsearch

POST /winlogbeat-*/_search
{
  "query": {
    "bool": {
      "must": [
        {"wildcard": {"process.executable": "*\\powershell.exe"}},
        {"terms": {"process.command_line": ["-enc", "-EncodedCommand"]}}
      ]
    }
  }
}

Sentinel

SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4688
| where ProcessName endswith "\\powershell.exe"
| summarize count() by bin(TimeGenerated, 1h)

Troubleshooting

Conversion Fails

Error: Unsupported field modifier for backend

Solution:

# Use debug mode to see detailed error
python scripts/sigma_convert.py rule.yml --backend splunk --debug

Check references/field-modifiers.md for backend compatibility.

Query Doesn't Return Expected Results

Steps:

  1. Verify log source is ingested
  2. Check field name mappings
  3. Test with known-positive sample
  4. Validate field value case sensitivity
  5. Check time range in query

Performance Issues

Large, complex queries may impact SIEM performance:

Optimization:

  • Add index/sourcetype filters early
  • Use specific time ranges
  • Optimize field modifiers (prefer exact match over regex)
  • Test query performance before deployment

Resources