
Sigma Backends

Sigma backends are the "drivers" of the Sigma conversion process: they implement the conversion that turns each Sigma rule file into a SIEM-compatible query.

The newly developed pySigma framework provides an API that each Sigma backend uses to perform conversion, transformation and formatting of every Sigma rule.

[Conversion diagram: Sigma rule files (top) pass through pySigma and are converted into SIEM query strings (bottom).]

Developing a backend for the Sigma ecosystem

If you are interested in developing a pySigma backend to bring Sigma support to your SIEM's query language, first check whether one is already available on GitHub.

The best guide on how to create a pySigma-compatible backend is still Micah Babinski's blog post, Creating a Sigma Backend for Fun (and no Profit). We're working hard on an official guide, but until then, a big thank you to Micah for writing this one.

Working with Backends

To see which pySigma backends you can use, make sure the sigma-cli tool is installed, then run the following command to list all available backends in a table.

bash
sigma plugin list -t backend
text
+----------------------+---------+---------+--------------------------------------------------------------+
| Identifier           | Type    | State   | Description                                                  |
+----------------------+---------+---------+--------------------------------------------------------------+
| splunk               | backend | stable  | Splunk backend for conversion into SPL and tstats data model |
| insightidr           | backend | stable  | Rapid7 InsightIDR backend that generates LEQL queries.       |
| qradar               | backend | stable  | IBM QRadar backend for conversion into AQL and extension     |
| ...                  | ...     | ...     | ...                                                          |
+----------------------+---------+---------+--------------------------------------------------------------+

Once you've found the Sigma backend you want to use, you can install it using the sigma plugin install command.

bash
sigma plugin install splunk

If you need to remove a Sigma plugin, uninstall it the same way.

bash
sigma plugin uninstall splunk

Components

The sigma CLI (powered by pySigma) also allows backends to do more with their conversion process, including providing added output formats, such as Splunk Saved Search format for the Splunk pySigma backend.

Every backend has four components that perform or aid the conversion process.

Targets

Targets represent the query language you want Sigma rules converted into. Targets usually map one-to-one to SIEM products.

bash
# List all locally available targets (provided by the installed backends)
sigma list targets

Make sure to install plugins

If you're not seeing any available targets, make sure you have installed the relevant Sigma plugin for your target SIEM. For a full list of installable backends, see the Available Plugins list below.

bash
# List available Sigma plugins
sigma plugin list

# Install the desired plugin
sigma plugin install {plugin}


Output Formats

To explore Output Formats in more detail, start by listing the available Output Formats by running the following command:

bash
sigma list formats {backend}
text
+---------------+----------------------------------------+
| Format        | Description                            |
+---------------+----------------------------------------+
| default       | Plain SIEM Queries                     |
| file_format   | Plain SIEM Queries in file_format.conf |
| macro_exam    | Completely different SIEM Format       |
+---------------+----------------------------------------+

Once you've found the output format that works best for your conversion workflow, you can select it on the command line as follows.

bash
sigma convert -t {target} -f {output_format} ./rules
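Both `sigma plugin list` and `sigma list formats` print the same kind of ASCII table, which is convenient to read but awkward to script against. The following is an added example (not part of the SigmaHQ docs or sigma-cli) that parses such a table into dicts and picks out the stable backends; the table text is a constructed, abbreviated sample of the output shown above, and the parser also works for the `sigma list formats` and `sigma list pipelines` tables.

```python
"""Parse sigma-cli ASCII tables so backend/format selection can be automated.
Added example, not sigma-cli code. PLUGIN_TABLE is a constructed sample."""
from typing import Dict, List

# Constructed sample of `sigma plugin list -t backend` output (abbreviated).
# The last row deliberately contains a '|' inside the description ("ES|QL").
PLUGIN_TABLE = """\
+----------------------+---------+---------+---------------------------------------------------------+
| Identifier           | Type    | State   | Description                                             |
+----------------------+---------+---------+---------------------------------------------------------+
| splunk               | backend | stable  | Splunk backend for conversion into SPL and tstats       |
| insightidr           | backend | stable  | Rapid7 InsightIDR backend that generates LEQL queries.  |
| datadog              | backend | testing | Datadog Cloud SIEM backend                              |
| elasticsearch        | backend | stable  | Elasticsearch backend for Lucene, ES|QL and EQL queries |
+----------------------+---------+---------+---------------------------------------------------------+
"""


def _cells(line: str, maxsplit: int = -1) -> List[str]:
    """Split one '| a | b |' line into stripped cell values."""
    return [c.strip() for c in line.strip().strip("|").split("|", maxsplit)]


def parse_sigma_table(text: str) -> List[Dict[str, str]]:
    """Return the table rows as dicts keyed by the header names.

    The '+----+' border lines are skipped. Data rows are split at most
    len(header)-1 times so a '|' inside the last column (e.g. 'ES|QL')
    is kept as part of the description instead of creating a bogus cell.
    """
    rows = [ln for ln in text.splitlines() if ln.lstrip().startswith("|")]
    if not rows:
        return []
    header = _cells(rows[0])
    return [dict(zip(header, _cells(ln, len(header) - 1))) for ln in rows[1:]]


def stable_backends(text: str) -> List[str]:
    """Identifiers of rows whose Type is 'backend' and State is 'stable'."""
    return [r["Identifier"] for r in parse_sigma_table(text)
            if r.get("Type") == "backend" and r.get("State") == "stable"]


def install_commands(text: str) -> List[str]:
    """The `sigma plugin install <id>` command for each stable backend."""
    return [f"sigma plugin install {ident}" for ident in stable_backends(text)]


if __name__ == "__main__":
    for cmd in install_commands(PLUGIN_TABLE):
        print(cmd)
```

Pipe real output in with `sigma plugin list -t backend | python3 this_script.py` after replacing `PLUGIN_TABLE` with `sys.stdin.read()`.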

Pipelines

WIP

Pipelines are the mechanism pySigma provides for fine-tuning a conversion. The Pipelines documentation page describes what pipelines are and how to use them in more detail.

Pipelines control things like field mapping (mapping Sigma fields to fields within your SIEM), logsource mapping (mapping Sigma logsources to logsources in your SIEM) and other operations.

To view all available pipelines, including those provided specifically by the installed backends, run sigma list pipelines.

bash
sigma list pipelines

You can specify multiple pipelines when converting Sigma rules, to perform more than one operation on

Validators

To explore Validators in more detail, start by listing the available Validators by running the following command:

bash
sigma list validators

Available Plugins

Below is a list of available Sigma Backends and Pipelines. If you come across any issues using any specific Sigma plugin, file an issue on the relevant Sigma Plugin's project page.

Azure Log Analytics Socprime

Development

Azure Log Analytics backend with Windows log support maintained by SOC Prime.

bash
# Run the following to install the Azure Log Analytics Socprime backend into Sigma CLI.
sigma plugin install ala-socprime

CarbonBlack

Stable

Carbon Black backend that supports queries for both Enterprise EDR (fka Threat Hunter) and EDR (fka Response)

bash
# Run the following to install the CarbonBlack backend into Sigma CLI.
sigma plugin install carbonblack

CortexXDR

Stable

Cortex XDR backend that generates XQL queries.

bash
# Run the following to install the CortexXDR backend into Sigma CLI.
sigma plugin install cortexxdr

CrowdStrike

Stable

CrowdStrike Logscale backend and pipelines for CrowdStrike Falcon platform and Falcon Data Replicator (FDR) logs.

bash
# Run the following to install the CrowdStrike backend into Sigma CLI.
sigma plugin install crowdstrike

Datadog

Testing

Datadog Cloud SIEM backend and pipeline for conversion of log sources to Datadog Query Syntax

bash
# Run the following to install the Datadog backend into Sigma CLI.
sigma plugin install datadog

Dictquery

Stable

DictQuery backend to convert sigma to dictquery query strings

bash
# Run the following to install the Dictquery backend into Sigma CLI.
sigma plugin install dictquery

Elasticsearch

Stable

Elasticsearch backend converting into Lucene, ES|QL (with correlations) and EQL queries, plain, embedded into DSL or as Kibana NDJSON.

bash
# Run the following to install the Elasticsearch backend into Sigma CLI.
sigma plugin install elasticsearch

Hawk

Testing

HAWK.io MDR backend and pipeline for conversion of log sources to HAWK.io BETree queries.

bash
# Run the following to install the Hawk backend into Sigma CLI.
sigma plugin install hawk

IBM QRadar AQL

Stable

IBM QRadar backend for conversion into AQL queries. Contains mappings for fields and logsources

bash
# Run the following to install the IBM QRadar AQL backend into Sigma CLI.
sigma plugin install ibm-qradar-aql

InsightIDR

Stable

Rapid7 InsightIDR backend that generates LEQL queries.

bash
# Run the following to install the InsightIDR backend into Sigma CLI.
sigma plugin install insightidr

Logpoint

Stable

Logpoint Pysigma Backend

bash
# Run the following to install the Logpoint backend into Sigma CLI.
sigma plugin install logpoint

Loki

Stable

Loki backend for conversion into Loki LogQL queries (plain and ruler YAML for alerts) and pipelines with mappings for Grafana and promtail Sysmon data.

bash
# Run the following to install the Loki backend into Sigma CLI.
sigma plugin install loki

Microsoft 365 Defender

Stable

Microsoft 365 Defender (formerly mdatp) backend and pipeline for conversion of log sources with Sysmon field schema to Microsoft Advanced Hunting Queries in Kusto Query Language (KQL)

bash
# Run the following to install the Microsoft 365 Defender backend into Sigma CLI.
sigma plugin install microsoft365defender

Netwitness

Testing

NetWitness Backend that generates application rules

bash
# Run the following to install the Netwitness backend into Sigma CLI.
sigma plugin install netwitness

OpenSearch

Stable

Opensearch backend converting into Lucene queries and Opensearch alerting rules.

bash
# Run the following to install the OpenSearch backend into Sigma CLI.
sigma plugin install opensearch

Panther

Development

Panther sdyaml backend

bash
# Run the following to install the Panther backend into Sigma CLI.
sigma plugin install panther

PowerShell

Testing

PowerShell backend converting into PowerShell queries.

bash
# Run the following to install the PowerShell backend into Sigma CLI.
sigma plugin install powershell

QRadar

Stable

IBM QRadar backend for conversion into AQL and extension packages.

bash
# Run the following to install the QRadar backend into Sigma CLI.
sigma plugin install qradar

Quickwit

Development

Quickwit Backend

bash
# Run the following to install the Quickwit backend into Sigma CLI.
sigma plugin install quickwit

SentinelOne

Stable

SentinelOne backend that generates Deep Visibility queries.

bash
# Run the following to install the SentinelOne backend into Sigma CLI.
sigma plugin install sentinelone

SentinelOne PowerQuery

Stable

SentinelOne backend that generates PowerQuery queries.

bash
# Run the following to install the SentinelOne PowerQuery backend into Sigma CLI.
sigma plugin install sentinelone-pq

Splunk

Stable

Splunk backend for conversion into SPL and tstats data model queries as plain queries and savedsearches.conf

bash
# Run the following to install the Splunk backend into Sigma CLI.
sigma plugin install splunk

Sqlite

Testing

SQLite and Zircolite backend

bash
# Run the following to install the Sqlite backend into Sigma CLI.
sigma plugin install sqlite

Stix

Development

STIX backend converting into plain STIX queries. Contains mappings for STIX 2.0 and STIX Shifter taxonomies.

bash
# Run the following to install the Stix backend into Sigma CLI.
sigma plugin install stix

Trellix Helix

Development

Trellix Helix Backend

bash
# Run the following to install the Trellix Helix backend into Sigma CLI.
sigma plugin install trellix_helix

Uberagent

Stable

uberAgent backend

bash
# Run the following to install the Uberagent backend into Sigma CLI.
sigma plugin install uberagent