Over the last year a few trends have emerged in detection ruleset sharing circles. Standards, or common formats for sharing detection rulesets, have become the de facto way teams communicate rulesets that are then converted into their local technologies.
Along with MITRE ATT&CK, these appear to be a consistent common foundation for sharing methodologies.
Given that, taking a shot at using Sigma to create RSA NetWitness rules from the rulesets in the GitHub repo was the next logical step. The hard work of creating the backend and the initial field mappings was done by @tuckner; my work was just adding a few additional field mappings and creating a wrapper script to make running the rules easier.
There are still some issues in the conversion script that I have noticed, and not all capabilities in Sigma have been ported over (or can be ported over programmatically), but this is enough of a start to get you on your way to developing additional rulesets with these capabilities.
*** <disclaimer>
Please note this is not an official RSA product; it is an attempt to start converting these rules into something NetWitness can begin to understand. There will be mistakes and errors in this community-developed tool, so feel free to contribute fixes and enhancements to the Sigma project to make it better and more accurate.
</disclaimer> ***
You will need to install Python 3 to run the sigmac tool. NetWitness appliances don't ship with the right version of Python, so you will need somewhere else to install it; these are the instructions I fumbled through to make it work:
https://github.com/epartington/rsa_nw_sigma_wrapper/blob/master/install%20python3.txt
Once you have the tool running, take a look at the rules that exist in the Sigma repo to see which ones you want to take a crack at converting.
Those rules exist here:
https://github.com/Neo23x0/sigma/tree/master/rules
The tool you will use to convert the rules is sigmac, which lives under tools/sigmac.
The backend you will refer to is netwitness, which lives under tools/sigma/backends.
The last item you need to know about is the field-mapping template the backend uses when converting a rule, which is located at tools/config/netwitness.yml.
Running the command on a single file looks something like this:
python36 sigmac -t netwitness ../rules/network/net_mal_dns_cobaltstrike.yml
(query contains 'aaa\.stage\.', 'post\.1')
You can use this to run individual conversions, but what if you want to bulk convert all the rules in a folder?
This wrapper script will help you do that: place it in the root folder and adjust the directory paths as needed. It outputs the name of each file as well as its conversion, so that you know which file you are converting.
https://github.com/epartington/rsa_nw_sigma_wrapper/blob/master/sigma-wrapper.sh
Which gets you something like this:
/root/sigma/sigma-master/rules/windows/builtin/win_susp_sdelete.yml
((device.class='windows hosts') && (event.source='microsoft-windows-security-auditing') && (reference.id = '4656', '4663', '4658') && (obj.name contains '.AAA', '.ZZZ'))
/root/sigma/sigma-master/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
((device.class='windows hosts') && (event.source='microsoft-windows-security-auditing') && (reference.id = '517', '1102'))
/root/sigma/sigma-master/rules/windows/builtin/win_susp_svchost.yml
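As an added example (not the sigma-wrapper.sh from the linked repository), here is a minimal POSIX shell version of such a bulk-conversion wrapper. It assumes it is run from the Sigma tools/ directory as in the single-file command above, takes the converter command as its remaining arguments, and the failure-log variable SIGMA_FAILED_LOG is an assumption of this example, not part of sigmac.

```shell
#!/bin/sh
# Added example, not the wrapper from the linked repository: bulk-convert a
# folder of Sigma rules, printing each rule path followed by the NetWitness
# query sigmac produces, and logging rules that sigmac rejects so one broken
# rule does not stop the whole run.
# Assumptions: the converter command is passed as arguments, e.g. from tools/:
#   convert_sigma_dir ../rules/windows/builtin python36 sigmac -t netwitness
# SIGMA_FAILED_LOG (assumed name) receives the paths of rules that failed.

# convert_sigma_dir RULES_DIR CONVERTER_CMD [ARGS...]
convert_sigma_dir() {
    rules_dir="$1"; shift
    SIGMA_FAILED_LOG="${SIGMA_FAILED_LOG:-sigma-failed.txt}"
    : > "$SIGMA_FAILED_LOG"
    total=0; failed=0
    # List the rules to a temp file so the loop runs in this shell and keeps the counters.
    list=$(mktemp)
    find "$rules_dir" -type f -name '*.yml' | sort > "$list"
    while IFS= read -r rule; do
        total=$((total + 1))
        printf '%s\n' "$rule"                 # filename first, so each query is attributable
        if ! "$@" "$rule" </dev/null; then   # converter prints the query on success
            failed=$((failed + 1))
            printf '%s\n' "$rule" >> "$SIGMA_FAILED_LOG"
        fi
    done < "$list"
    rm -f "$list"
    printf 'converted %d of %d rules; %d failed (see %s)\n' \
        $((total - failed)) "$total" "$failed" "$SIGMA_FAILED_LOG" >&2
    [ "$failed" -eq 0 ]   # non-zero exit when any rule could not be converted
}

# Example invocation, mirroring the single-file command above (run from tools/):
# convert_sigma_dir ../rules/windows/builtin python36 sigmac -t netwitness
```

The summary goes to stderr, so stdout stays in the same "path, then query" shape as the original wrapper's output and can be redirected to a file for review.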
Some items to be aware of:
So far this looks like a useful method for adding a bunch of current SIEM detections to the RSA NetWitness Platform. Feel free to test and contribute to the converter, field mappings or other functions if you find this useful.