Skip to content

Converting Sigma Rules

What is Sigma

Sigma rules are platform-agnostic and utilizing these rules is a simple, yet powerful way for security teams to detect and respond to threats using SIEM systems. They are written in a YAML-based format and allow teams to identify suspicious patterns and behaviors across multiple systems and data sources, providing a unified view of security events.

Sigma rules offer several advantages over traditional detection rules, including platform-agnosticism, easy customization, and easy modification. They can be used with various SIEM systems, allowing teams to standardize their detection capabilities across their security stack and improve their overall security posture.

Sigma v2 to Padas converter script is an open-source tool that allows users to convert Sigma rules into Padas PDL. Utilizing PDL with real-time streaming event data offers significant benefits for security teams looking to enhance their detection and response capabilities.

Sigma to Padas

Please see Quick Start before going through the steps below. In this section, only converting Sigma rules to Padas will be explained. After conversion, rest of steps will be the same as Padas Quick Start.

This conversion tool is designed to be used with Sigma Specification version 2.

Prerequisites

  • Python (version 3 or above)

Overview of Quickstart

Step 1: Download

  1. Download the latest version of the script in padas-tools repository.

  2. If it is downloaded as compressed, it is needed to uncompress properly such as unzip command or using verious zip tools. Else, skip this step.

  3. You should see sigma_v2_to_padas directory.

At this stage, make sure you have downloaded proper Python version.

Step 2: Start Padas

  • You need to complete Quick Start; step 6 is optional.

Step 3: Converting Sigma to Padas Rules

Following files should be available with your download under sigma_v2_to_padas directory:

  • sigma_v2_to_padas.py
  • test/expected_output.json
  • test/input_sigma_rule.yml
  • test/test_to_rules.py


1. Convert: sigma_v2_to_padas.py is the converter script. This gives proper Sigma v2 (yml) to Padas (json) conversion.
**Usage : ** python3 path/sigma_v2_to_padas.py input_path/input.yml output_path/ouput.json


2. Test: You can try test/test_to_rules.py script for testing. This script checks if test/input_sigma_rule.yml file is converted as test/expected_output.json. You can add your own Sigma v2 rules in test/input_sigma_rule.yml and their properly converted outputs in test/expected_output.json.
**Usage : ** python3 path/test/test_to_rules.py

Step 4: Create Rules

  1. Create Rule : You can add your converted rules either manually by copying the generated PDL or uploading the JSON file from Rules menu.


    Adding manually :
    Click New Rule button and fill in the details from generated JSON file.

    Uploading JSON :

    1. Click top of the Upload button.
    2. Click Choose File button. If you add same rule previously, you need to check Overwrite existing configuration. box.
    3. Click bottom of the Upload button.

Step 5: Test & Play

** Test : ** You can generate some matching data and test your rules as described in Quick Start Step 6.