All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to convert from Splunk to SIGMA?

pritster5
Engager
‎04-20-2022 10:48 AM

Via Sigma (rule format for SIEM's) converters, it is possible to convert Sigma rules to Splunk queries. 

This is a well established process and can be done through tools like: https://github.com/SigmaHQ/pySigma 
or https://github.com/SigmaHQ/sigma

My question is, is there any way to do the reverse?
Is there a way to convert Splunk queries into Sigma Rules?

Labels (2)
Labels
Tags (2)
0 Karma
Reply

afroemmel_splun
Splunk Employee
Splunk Employee
‎02-15-2023 11:02 AM

In case this is still a topic: https://www.patrick-bareiss.com/sigma2splunkalert-tutorial/

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-25-2022 09:20 AM

As with any such abstract tools, I'd advise strongly against using it.

I tested the sigmac some time ago and it produced an extremely ugly searches and didn't support a huge subset of the sigma rules specification.

I also doubt that fairly useful functionality the opposite way (splunk to sigma rules) is possible. Maybe for some small subset of spl commands and constructs but - as the infamous example of "spl for sql users" shows, automatic translation is simply producing bad results.

0 Karma
Reply

Azeemering
Builder
‎04-25-2022 09:39 AM

You are right....I normally use the Sigma searches as inspiration and use them to create and tailor a search for my own environment and specific needs. You need to look beyond the ugliness of the translation and find the detection gems in them.

0 Karma
Reply

Azeemering
Builder
‎04-25-2022 08:51 AM

I always user www.uncoder.io  but that does not work from Splunk to Sigma unfortunately.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...