Sigma-to-Kibana detections
https://mitreattack-python.readthedocs.io/en/latest/mitre_attack_data/mitre_attack_data.html
Continuing to convert Sigma rules to ElastAlert.
We have a working script that converts Sigma rules to ElastAlert; it is now in validation testing.
Have ElastAlert monitor the index that houses alerts generated within Kibana and send notifications. We can add Sigma rule alerts to this same index.
The proof of concept here worked, but with a shift to make this much cleaner.
You can monitor the Kibana alerts index using a rule like this:
name: Rollup Kibana Native Security Alerts
type: any
index: .alerts-security.alerts-*
filter:
  - range:
      "@timestamp":
        gte: "now-5m"
  - query_string:
      query: "kibana.alert.rule.name:*"
realert:
  minutes: 0
aggregation:
  minutes: 0
# Import the Slack alert configuration
import: slack_alert
You can always build more alerts as needed, but what this does is let you use the hundreds of detection rules that already ship with Kibana.
In this scenario the rule checks every 5 minutes whether any alerts have fired in the last 5 minutes and sends that information to the endpoint of your choice. If there are multiple alerts they are all rolled up into one report. This is ALL you have to configure in ElastAlert; all other configuration is done in Kibana -> Security -> Rules.
Sigma to Kibana Rules
Prerequisites:
# Clone the Sigma repository
git clone https://github.com/SigmaHQ/sigma.git ~/sigma
# Install sigma-cli and elasticsearch backend
pip install sigma-cli
sigma plugin install elasticsearch
Convert Windows:
find ~/sigma/rules/windows -type f -name "*.yml" > windows_rules.txt
sigma convert -t lucene -p ecs_windows -f siem_rule_ndjson $(cat windows_rules.txt) > windows_rules.ndjson
sed -i 's/"tags": \[[^]]*\]/"tags": \["Sigma Windows"\]/g; s/"severity": "informational"/"severity": "low"/g; s/"enabled": true/"enabled": false/g' windows_rules.ndjson
Convert Linux:
find ~/sigma/rules/linux -type f -name "*.yml" > linux_rules.txt
# Use --without-pipeline since there's no dedicated Linux pipeline
sigma convert -t lucene --without-pipeline -f siem_rule_ndjson $(cat linux_rules.txt) > linux_rules.ndjson
sed -i 's/"tags": \[[^]]*\]/"tags": \["Sigma Linux"\]/g; s/"severity": "informational"/"severity": "low"/g; s/"enabled": true/"enabled": false/g' linux_rules.ndjson
Convert macOS:
find ~/sigma/rules/macos -type f -name "*.yml" > macos_rules.txt
# Use --without-pipeline since there's no dedicated macOS pipeline
sigma convert -t lucene --without-pipeline -f siem_rule_ndjson $(cat macos_rules.txt) > macos_rules.ndjson
sed -i 's/"tags": \[[^]]*\]/"tags": \["Sigma macOS"\]/g; s/"severity": "informational"/"severity": "low"/g; s/"enabled": true/"enabled": false/g' macos_rules.ndjson
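The three sed one-liners above do the same post-processing on each platform's output with a regex that assumes `"tags": [...]` never contains a `]` and silently does nothing when a line is not what it expects. The following is an added example (my code, not the page's conversion script and not part of sigma-cli) that does the same three changes JSON-aware: it replaces the tag list with the platform tag, maps Sigma's `informational` severity to `low` (Kibana accepts only low, medium, high and critical), and sets `enabled` to false. Function names, the `SEVERITY_MAP` table and the `SAMPLE_NDJSON` lines are my own constructions; the sample only carries the fields the script touches.

```python
import json
import sys
from typing import Iterable, List

# Kibana detection rules accept only these severities; Sigma's 'informational'
# level has to be mapped, which the sed command above does with a string swap.
SEVERITY_MAP = {"informational": "low"}
VALID_SEVERITIES = {"low", "medium", "high", "critical"}


def normalize_rule(rule: dict, tag: str) -> dict:
    """Return a copy of one exported rule: single platform tag, valid severity, disabled."""
    out = dict(rule)
    out["tags"] = [tag]  # replace Sigma's attack.* tags, exactly as the sed does
    severity = SEVERITY_MAP.get(out.get("severity"), out.get("severity"))
    if severity not in VALID_SEVERITIES:
        raise ValueError(f"rule {out.get('rule_id')!r}: unsupported severity {severity!r}")
    out["severity"] = severity
    out["enabled"] = False  # import disabled; enable per rule in Kibana after review
    return out


def normalize_rules(lines: Iterable[str], tag: str) -> List[dict]:
    """Parse NDJSON lines, normalize each rule, skip blank lines, fail loudly on bad JSON."""
    rules = []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rule = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: not valid JSON ({exc.msg})") from None
        rules.append(normalize_rule(rule, tag))
    return rules


def write_ndjson(rules: List[dict], path: str) -> None:
    """Write one compact JSON object per line, the form Kibana's rule import expects."""
    with open(path, "w", encoding="utf-8") as fh:
        for rule in rules:
            fh.write(json.dumps(rule, separators=(",", ":")) + "\n")


# Constructed sample in the shape of sigma-cli's siem_rule_ndjson output (only the
# fields this script touches; real exports carry more, e.g. description and references).
SAMPLE_NDJSON = [
    '{"rule_id": "00000000-0000-4000-8000-000000000001", "name": "Example A", '
    '"severity": "informational", "risk_score": 21, "tags": ["attack.execution", "attack.t1059"], '
    '"enabled": true, "type": "query", "language": "lucene", "query": "event.code:1"}',
    "",
    '{"rule_id": "00000000-0000-4000-8000-000000000002", "name": "Example B", '
    '"severity": "high", "risk_score": 73, "tags": [], '
    '"enabled": true, "type": "query", "language": "lucene", "query": "event.code:4688"}',
]

if __name__ == "__main__":
    # usage: python normalize_rules.py windows_rules.ndjson "Sigma Windows" windows_rules.clean.ndjson
    src, tag, dst = sys.argv[1:4]
    with open(src, encoding="utf-8") as fh:
        write_ndjson(normalize_rules(fh, tag), dst)
```

Because every line is parsed, a rule whose severity or JSON is not what Kibana will accept fails the conversion step here rather than as an opaque error from the import API later.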
We can then upload these ndjson files to the Kibana detection rules. They will be disabled by default and tagged with their Sigma type, e.g. "Sigma Windows".
We need to decide whether we just want to include these ndjson files in the codebase; I think it would be the easiest method. It is the same thing we do with dashboards: during install we just import the ndjson with the API...
https://www.elastic.co/docs/api/doc/kibana/operation/operation-importrules
Basic example:
# Don't set Content-Type by hand here: -F makes curl send multipart/form-data with the
# required boundary parameter, and an explicit -H "Content-Type: multipart/form-data" replaces
# that header without the boundary, so Kibana cannot find the file part.
curl -X POST "${KIBANA_URL}/api/detection_engine/rules/_import" \
  -H 'kbn-xsrf: true' \
  -u "${USERNAME}:${PASSWORD}" \
  -F "file=@windows_rules.ndjson"
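The same import as an added Python example (my code, not the project's installer), written with the standard library only so it can run from an Ansible task or a plain host without extra packages. It builds the multipart body itself, which makes explicit the boundary that must appear in both the `Content-Type` header and the body. `KIBANA_URL`, `USERNAME` and `PASSWORD` are the same placeholders the curl example uses; the function names and the `overwrite` handling (Kibana's `overwrite` query parameter on this endpoint) are mine.

```python
import base64
import json
import os
import uuid
from typing import Tuple
from urllib import error, request

IMPORT_PATH = "/api/detection_engine/rules/_import"


def import_url(kibana_url: str, overwrite: bool = False) -> str:
    """Full import URL; overwrite=true replaces rules that already exist by rule_id."""
    flag = "true" if overwrite else "false"
    return f"{kibana_url.rstrip('/')}{IMPORT_PATH}?overwrite={flag}"


def build_multipart(field: str, filename: str, payload: bytes) -> Tuple[str, bytes]:
    """Return (Content-Type header value, body) for one file part.

    The boundary is generated here and used in both places; a Content-Type
    header without it is the mistake an explicit curl -H line makes.
    """
    boundary = "----rules-" + uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/x-ndjson\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + payload + tail


def import_rules(kibana_url: str, username: str, password: str, path: str,
                 overwrite: bool = False, timeout: int = 120) -> dict:
    """POST an NDJSON rule file to Kibana and return its JSON import summary."""
    with open(path, "rb") as fh:
        payload = fh.read()
    content_type, body = build_multipart("file", os.path.basename(path), payload)
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = request.Request(
        import_url(kibana_url, overwrite),
        data=body,
        method="POST",
        headers={
            "kbn-xsrf": "true",          # required on every Kibana API write
            "Content-Type": content_type,
            "Authorization": f"Basic {auth}",
        },
    )
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read())
    except error.HTTPError as exc:
        detail = exc.read().decode(errors="replace")
        raise RuntimeError(f"rule import failed: HTTP {exc.code} {detail}") from None


if __name__ == "__main__":
    summary = import_rules(
        os.environ["KIBANA_URL"], os.environ["USERNAME"], os.environ["PASSWORD"],
        "windows_rules.ndjson",
    )
    # Kibana reports how many rules were accepted and lists any per-rule errors.
    print(json.dumps(summary, indent=2))
```

Check the returned summary rather than the HTTP status alone: the endpoint answers 200 even when individual rules were rejected, and the per-rule errors in the body are what tell you which conversions need attention.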
Exploring adding this to an ansible playbook to automate the installation.