All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to convert from Splunk to SIGMA?

pritster5
Engager
‎04-20-2022 10:48 AM

Via Sigma (rule format for SIEM's) converters, it is possible to convert Sigma rules to Splunk queries. 

This is a well established process and can be done through tools like: https://github.com/SigmaHQ/pySigma 
or https://github.com/SigmaHQ/sigma

My question is, is there any way to do the reverse?
Is there a way to convert Splunk queries into Sigma Rules?

Labels (2)
Labels
Tags (2)
0 Karma
Reply

afroemmel_splun
Splunk Employee
Splunk Employee
‎02-15-2023 11:02 AM

In case this is still a topic: https://www.patrick-bareiss.com/sigma2splunkalert-tutorial/

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-25-2022 09:20 AM

As with any such abstract tools, I'd advise strongly against using it.

I tested the sigmac some time ago and it produced an extremely ugly searches and didn't support a huge subset of the sigma rules specification.

I also doubt that fairly useful functionality the opposite way (splunk to sigma rules) is possible. Maybe for some small subset of spl commands and constructs but - as the infamous example of "spl for sql users" shows, automatic translation is simply producing bad results.

0 Karma
Reply

Azeemering
Builder
‎04-25-2022 09:39 AM

You are right....I normally use the Sigma searches as inspiration and use them to create and tailor a search for my own environment and specific needs. You need to look beyond the ugliness of the translation and find the detection gems in them.

0 Karma
Reply

Azeemering
Builder
‎04-25-2022 08:51 AM

I always user www.uncoder.io  but that does not work from Splunk to Sigma unfortunately.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...