
Sigma Queries turned into KQL for Defender using pysigma


CodeByHarri/Sigma2KQL


Sigma2KQL

Sigma rules converted into KQL for Microsoft 365 Defender using pysigma-backend-microsoft365defender

Reproducible Example:

# Notebook shell escapes (IPython "!" prefix): fetch the upstream Sigma rule
# set and install the Defender backend for pySigma.
!git clone https://github.com/SigmaHQ/sigma.git
# NOTE(review): unpinned install — pin the package version (and ideally the
# cloned commit) so the generated KQL is reproducible run to run.
!pip install pysigma-backend-microsoft365defender
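import os, glob
# Discover the Sigma rule files.  The upstream repository nests rules several
# directories deep (rules/<platform>/<category>/...), so the original
# 'sigma/rules/*/' pattern only saw files one level below rules/; a recursive
# '**' search covers every level.  Sorting makes the processing order — and
# therefore the console output — reproducible across runs.
path = 'sigma/rules/'
file_pattern = os.path.join(path, '**', '*.yml')
file_list_a = sorted(glob.glob(file_pattern, recursive=True))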

import yaml

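def convert_to_string(yaml_dict):
    """Serialise *yaml_dict* back to a YAML document string.

    Multi-line string values are emitted in literal block style (``|``) so
    their line breaks survive the round trip; every other string is left to
    PyYAML's own choice of plain or quoted style.

    The custom string representer is registered on a private ``SafeDumper``
    subclass instead of on ``yaml.SafeDumper`` itself.  The original version
    re-assigned ``yaml.SafeDumper.org_represent_str`` and re-registered the
    representer on the shared class on every call, which silently changed the
    output of every other PyYAML user in the process.

    Args:
        yaml_dict: the mapping returned by ``yaml.safe_load`` for one rule.

    Returns:
        The YAML text in block style (``default_flow_style=False``).
    """

    class _BlockStrSafeDumper(yaml.SafeDumper):
        """SafeDumper that writes multi-line strings as literal blocks."""

    def _represent_str(dumper, data):
        if '\n' in data:
            return dumper.represent_scalar('tag:yaml.org,2002:str', data, style='|')
        # Single-line strings: defer to PyYAML's stock str representer, which
        # does not force a style.
        return dumper.represent_str(data)

    # add_representer copies the inherited representer table onto the subclass
    # before modifying it, so yaml.SafeDumper itself is left untouched.
    _BlockStrSafeDumper.add_representer(str, _represent_str)

    return yaml.dump(yaml_dict, default_flow_style=False, Dumper=_BlockStrSafeDumper)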

from sigma.rule import SigmaRule
from sigma.backends.microsoft365defender import Microsoft365DefenderBackend
from sigma.pipelines.microsoft365defender import microsoft_365_defender_pipeline


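# Where the generated .kql files go.  The original example wrote to the
# filesystem root without creating the directory; create it up front so the
# first successful conversion does not fail on the write.
kql_output_dir = '/KQL/'
os.makedirs(kql_output_dir, exist_ok=True)


def _safe_filename(title):
    """Reduce a rule title to a filename-safe stem.

    Titles are read from third-party YAML, so every character outside letters,
    digits, ``_``, ``.`` and ``-`` is replaced with ``_``.  That keeps path
    separators (and hence ``../`` components) out of the output path; spaces
    still become ``_`` exactly as in the original example.
    """
    stem = ''.join(c if (c.isalnum() or c in '_.-') else '_' for c in title)
    return stem or 'untitled'


# The original iterated ``detections_yml_paths``, which is never defined; the
# glob result above is ``file_list_a``.
for yml in file_list_a:
    # Label used in messages until the rule has been parsed and has a title.
    # The original read ``sigma_rule.title`` in the handler, where it is
    # unbound (or stale from the previous file) when parsing itself fails.
    rule_label = yml
    try:
        # ``load``/``SafeLoader`` were never imported; ``yaml.safe_load`` is
        # the same safe loader via the module already imported above.
        with open(yml, encoding='utf-8') as yaml_file:
            yaml_contents = yaml.safe_load(yaml_file)
        if not isinstance(yaml_contents, dict):
            raise ValueError('top-level YAML document is not a mapping')

        # Re-serialise so multi-line strings use literal block style, then
        # parse the text as a Sigma rule.
        sigma_rule = SigmaRule.from_yaml(convert_to_string(yaml_contents))
        rule_label = sigma_rule.title

        # Create backend, which automatically adds the pipeline
        m365def_backend = Microsoft365DefenderBackend()

        # Apply the pipeline manually as well, as the original example did.
        # NOTE(review): the backend already carries this pipeline, so the rule
        # appears to be processed twice — confirm that is intended.
        pipeline = microsoft_365_defender_pipeline()
        pipeline.apply(sigma_rule)

        # Convert the rule; only the first query of the result list is kept.
        print(f"{rule_label} KQL Query: \n")
        kql_query = m365def_backend.convert_rule(sigma_rule)[0]
        print(kql_query)
        print("\n \n ")

        # Metadata header as KQL line comments, followed by the query itself.
        # Tags are stringified individually so a non-string entry cannot break
        # the join.
        tags = yaml_contents.get("tags") or []
        header = (
            f'// Author: {yaml_contents.get("author", "")}\n'
            f'// Date: {yaml_contents.get("date", "")}\n'
            f'// Level: {yaml_contents.get("level", "")}\n'
            f'// Description: {yaml_contents.get("description", "")}\n'
            f'// Tags: {", ".join(str(tag) for tag in tags)}\n'
        )
        kql_path = os.path.join(kql_output_dir, _safe_filename(str(rule_label)) + '.kql')
        with open(kql_path, 'w', encoding='utf-8') as kql_file:
            kql_file.write(header)
            kql_file.write(kql_query)

    except Exception as exc:
        # Narrowed from a bare ``except:`` (which also swallowed
        # KeyboardInterrupt), and the real error is reported instead of a fixed
        # "rule category not supported" message that hid every other failure
        # (missing file, invalid YAML, unsupported modifier, write errors).
        print(f"{rule_label} KQL Query: \n")
        print(f'{type(exc).__name__}: {exc}')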
