Sigma rules converter

The Sigma rule converter converts correlation rules into a format that KUMA can parse and facilitates importing simple rules to be refined by an analyst.

To use the Sigma rule converter:

1. Install the Sigma rule converter. The following installation options are available:
   • Installing the Sigma rule converter using docker + bash

     This type of installation is suitable for local installation of the converter web interface.

     Installation requires the latest versions of bash and docker. For detailed information about deployment, refer to the official documentation.

     Astra Linux 1.7 is not supported.

     To perform the installation:

     1. Enter the directory with the extracted archive and execute one of the following commands:

        • To install the converter on 0.0.0.0:8000,

          ./run.sh

        • To install the converter on 0.0.0.0:8888,

          ./run.sh <port (the default port is 8000)>

        • To install the converter on 127.0.0.1:9999,

          ./run.sh <

          IP address of the listening interface, by default 0.0.0.0. Specify 127.0.0.1 to run only on the local interface

          >:<

          port

          >

   • Installing the Sigma rule converter in an environment that allows running docker images

     This installation method uses the provided container and allows creating a systemd service and deploying the web interface using Kubernetes.

     Any tool can be used to run the container: docker, podman, cri-o, etc. The installation amounts to downloading the container image and then running the image and specifying a port.

     To install the converter using podman:

     1. Download the container image: 

        podman load --input "kuma-sigma-converter-x.x.x.tar

     2. Run the image in one of the following ways:
        • Run until Ctrl+C is pressed: 

          podman run --name=kuma-converter -p "8000:8000" -e "PORT=8000" --rm -it kuma-sigma-converter:x.x.x

        • Run in the background: 

          podman run --name=kuma-converter -p "8000:8000" -e "PORT=8000" --rm kuma-sigma-converter:x.x.x

     The converter is installed.

   • Installing the Sigma rule converter using Python 3.10 or later

     This method is the most flexible and suitable for experienced users because it lets you adapt the converter to your specific needs. Unlike other methods, this method requires an internet connection to download python packages.

     To install the converter:

     1. Make sure you have Python 3.10 or later installed.
     2. Install poetry, a Python dependency management tool. For Ubuntu or Debian, you can use the package manager:

        sudo apt-get update

        sudo apt install pipx

        pipx install poetry

     3. Use poetry to configure and run the web interface:

        cd sigconverter.io

        poetry install

        poetry run ./run.py

     4. In the browser, navigate to the host where the web interface is installed. For a local installation, the address is http://127.0.0.1:8000 or http://0.0.0.0:8000.
     5. If necessary, you can specify the

        HOST

        and 

        PORT environment variables to configure the listening interface and set the port number.

     The converter is installed.

     The converter is a plug-in for the pySigma framework, which means

     pySigma-backend-kuma

     can be used with other standard sigma tools, not just a custom version of

     sigconverter.io

     . For example:

     sigma-cli is a converter with a command line interface.

     sigconverter.io is the original generic web interface.

     The following are the README files for the libraries provided as source code:

     src/pySigma/README.md — industry standard sigma conversion framework and library.

     src/pySigma-backend-kuma/README.md — plug-in for pySigma that implements KUMA filter and query conversion.

     src/sigconverter.io/README.md — web user interface.

   After installation, log in to the web interface of the converter.

2. Prepare a correlation rule.

   Sigma rule requirements

   The predefined normalizers use event enrichment to lower case for fields containing user names, host names, and process names, therefore we recommend converting the relevant fields to lower case in the source Sigma rule, otherwise the KUMA rule will have to be adjusted.

   We do not recommend writing comments or additional information in the contains conditions and similar. If you need to leave a comment, we recommend using the # character, such comments do not affect the condition.

   The rule must begin with the word 'title' without hyphens before it.

   Copy the correlation rule that you want to edit from KUMA to the 'rule' tab of the converter. Select the settings in the drop-down lists as necessary. Fix any errors if necessary.

3. Copy the end result to KUMA if it is a query or a filter. If you want to use a rule in KUMA, you can import rules into KUMA one by one.
4. Restart the correlator to apply the changes.

Your edited correlation is applied in the correlator.