All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to convert from Splunk to SIGMA?

pritster5
Engager
‎04-20-2022 10:48 AM

Via Sigma (rule format for SIEM's) converters, it is possible to convert Sigma rules to Splunk queries. 

This is a well established process and can be done through tools like: https://github.com/SigmaHQ/pySigma 
or https://github.com/SigmaHQ/sigma

My question is, is there any way to do the reverse?
Is there a way to convert Splunk queries into Sigma Rules?

Labels (2)
Labels
Tags (2)
0 Karma
Reply

afroemmel_splun
Splunk Employee
Splunk Employee
‎02-15-2023 11:02 AM

In case this is still a topic: https://www.patrick-bareiss.com/sigma2splunkalert-tutorial/

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-25-2022 09:20 AM

As with any such abstract tools, I'd advise strongly against using it.

I tested the sigmac some time ago and it produced an extremely ugly searches and didn't support a huge subset of the sigma rules specification.

I also doubt that fairly useful functionality the opposite way (splunk to sigma rules) is possible. Maybe for some small subset of spl commands and constructs but - as the infamous example of "spl for sql users" shows, automatic translation is simply producing bad results.

0 Karma
Reply

Azeemering
Builder
‎04-25-2022 09:39 AM

You are right....I normally use the Sigma searches as inspiration and use them to create and tailor a search for my own environment and specific needs. You need to look beyond the ugliness of the translation and find the detection gems in them.

0 Karma
Reply

Azeemering
Builder
‎04-25-2022 08:51 AM

I always user www.uncoder.io  but that does not work from Splunk to Sigma unfortunately.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top