Introducing SigmaHQ Rule Creation GUI

Create and Update Sigma Security Content Directly From The Web
https://sigmahq.streamlit.app/

Introduction

The core of Sigma has always been sharing detections and helping people around the globe improve their defensive posture by leveraging the many kinds of detections hosted on SigmaHQ and in other repositories provided by the many contributors in the Sigma community.

The vendor-agnostic nature of Sigma rules and their easy-to-write syntax make them very attractive to vendors and analysts alike.

In an effort to bring Sigma to a wider audience and make it easier for people to create such detections, we’re delighted to introduce the SigmaHQ GUI tool: a tool built specifically to make creating and updating Sigma security content easy.


Before we get started, I just wanna give a huge shout-out and thank you to Michael Haag, who basically helped build all of this and really kicked this project off the ground.
A big thanks goes to Harrison Van Riper as well for offering his expertise and providing the OpenAI integration script.

Exciting Features

At its core, this tool aims to streamline the Sigma rule creation and update process, as well as introduce Sigma rules to a whole new set of people who might be new to the detection engineering field and are building their first detection rule.

Rule Creation

The tool allows users to either:

  • Create a new Sigma Rule from scratch.
  • Update existing SigmaHQ rules.

Both processes are straightforward, with just some slight differences between them that are highlighted below.

Creating / Updating a Rule

A Sigma rule consists of two main parts: the “Metadata” section, which includes fields such as “title”, “author” and “references”, and the “Detection” section, which describes the logic of what we want to detect.

The tool is structured in a similar manner: all the metadata fields sit in the sidebar, with some quality-of-life features such as drop-down menus for both the “level” and “logsource” fields.

Figure: Metadata Fields

The “detection” section takes center stage with its own editor that offers syntax highlighting, semi-autocomplete of already typed fields and VS Code key bindings.

Figure: Detection Field

The output of the rule is rendered in real time as you’re filling in the data.

Figure: Sigma Output

Updating an existing rule comes with an additional field that lets you select or search for a rule either by its filename or UUID.

Figure: Searching For Rules

⚙️ YAML Generation on the Fly

Download Rules With a Click of a Button

Once a rule has been created and is ready to be shipped or contributed, you can immediately download it with a click of a button and start the contribution process.

Figure: Generated YAMLs

✔️ Rule Validation

Validate your rules and make sure they’re compliant with the SigmaHQ standard implementation.

The Sigma repository on GitHub integrates a test script in the CI pipeline to ensure that all rules achieve a certain quality. We transferred some of these tests to this initial version to help users validate their created rules immediately in the browser, and we’ll be adding more over time.
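As an added example, not code from the GUI or from the SigmaHQ test script, the following checks a rule in the two-part layout described above against an assumed subset of the SigmaHQ conventions: required fields, a UUID id, allowed level and status values, a logsource, and that every block named in the condition actually exists. The rule is held as a Python dict, as the GUI’s form fields would be before YAML rendering, so no YAML library is needed; the sample rule and its UUID are constructed.

```python
import re

# Allowed values follow the Sigma specification; the checks are an assumed subset
# of what the SigmaHQ CI test script enforces, written for this example, not taken from it.
LEVELS = {"informational", "low", "medium", "high", "critical"}
STATUSES = {"stable", "test", "experimental", "deprecated", "unsupported"}
REQUIRED = ("title", "id", "status", "description", "logsource", "detection", "level")
CONDITION_WORDS = {"and", "or", "not", "of", "all", "them"}
UUID_RE = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"

def validate_rule(rule: dict) -> list:
    """Return a list of findings for a Sigma rule dict; an empty list means it passed."""
    issues = [f"missing required field: {k}" for k in REQUIRED if k not in rule]
    if not re.fullmatch(UUID_RE, str(rule.get("id", ""))):
        issues.append("id is not a lowercase hyphenated UUID")
    if rule.get("level") not in LEVELS:
        issues.append(f"level must be one of {sorted(LEVELS)}")
    if rule.get("status") not in STATUSES:
        issues.append(f"status must be one of {sorted(STATUSES)}")
    if not any(k in (rule.get("logsource") or {}) for k in ("category", "product", "service")):
        issues.append("logsource needs at least one of category/product/service")
    detection = rule.get("detection") or {}
    condition = detection.get("condition")
    if not isinstance(condition, str):
        issues.append("detection.condition is missing")
        return issues
    # Every identifier in the condition must name a block under detection;
    # a wildcard reference such as selection_* must match at least one block.
    for token in re.findall(r"[A-Za-z_][\w*]*", condition):
        if token in CONDITION_WORDS:
            continue
        if token.endswith("*"):
            if not any(k.startswith(token[:-1]) for k in detection):
                issues.append(f"condition wildcard matches nothing: {token}")
        elif token not in detection:
            issues.append(f"condition references undefined block: {token}")
    return issues

# Constructed sample rule in the two-part layout described above (placeholder UUID).
SAMPLE_RULE = {
    "title": "Certutil Decode Of A File",
    "id": "0bbfd5d1-0a9e-4a5e-9e8b-1b2c3d4e5f60",
    "status": "experimental",
    "description": "Detects certutil.exe being used to decode an encoded file.",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {"selection": {"Image|endswith": "\\certutil.exe", "CommandLine|contains": "-decode"},
                  "filter_known": {"ParentImage|endswith": "\\msiexec.exe"},
                  "condition": "selection and not filter_known"},
    "level": "medium",
}
```

Calling `validate_rule(SAMPLE_RULE)` returns an empty list; dropping the id or misspelling a block name in the condition returns the corresponding findings, which is the kind of feedback the browser validation surfaces.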

Figure: Issues highlighted by the rule validation script
Figure: Rule passed the validation successfully

⏳ Automatic and Quick Conversion Via sigconverter.io

Access sigconverter.io for a quick, easy and immediate rule conversion.

The YAML Sigma rule viewer offers a “copy to clipboard” feature that lets you copy the rule and paste it into sigconverter to immediately convert it into one of the many available backends.

https://sigconverter.io/

OpenAI Integration

Automatically generate “Title” and “Description” content by using AI.

Often, filling in the “Title” and “Description” metadata fields can be tricky, especially if you’re starting with a blank slate.

The OpenAI integration aims to help users with this step: anyone with a valid OpenAI API key can leverage a built-in model that understands Sigma rules and will infer a “Title” and “Description” from the “Detection” section of the rule.

The AI will not be a perfect solution, but its aim is to offer a starting point that users can tweak to help describe their logic to analysts.

Help Tabs

If you’re new to the Sigma ecosystem, we offer a getting-started tab with helpful links on the different fields that you’ll need, as well as the complete list of the logsource taxonomy, so that you can easily find which logsource maps to the use case you want to build.

Privacy and Open Source

SigmaHQ GUI is completely open source, designed with privacy as a core value and free forever. You can grab the full source here and inspect it or modify it to your liking.

Currently the tool is hosted on the Streamlit Community Cloud, but you can host your own version locally using the Streamlit library.

Next Steps?

The Sigma community and ecosystem are growing by the day, thanks to the many users and contributors around the globe. We hope the new SigmaHQ GUI will spread the Sigma word even further, and we’re excited about the journey ahead.

We’ll keep enhancing it, adding more features and quality-of-life improvements to make this the one-stop shop for Sigma rule creation.

Thanks once again to Michael Haag and Harrison Van Riper for their valuable help in building this.

Introducing SigmaHQ Rule Creation GUI was originally published in Sigma_HQ on Medium, where people are continuing the conversation by highlighting and responding to this story.

Article Link: Introducing SigmaHQ Rule Creation GUI | by Nasreddine Bencherchali | Sigma_HQ