Automating the SIGMA Rule Conversion to KQL and Terraform for Microsoft Sentinel
TLDR; My Sigma2KQL GitHub Fork TLDR; My TerraSigma GitHub repo
I’ve set up two different repositories to serve two immediate needs I had in my day-to-day work.
- Leveraging SIGMA rules in my Microsoft Sentinel implementation without needing to manually write out each one.
- Deploying the SIGMA KQL detections as Terraform.
I started looking into KQL repositories in GitHub that provided coverage for the entire Sigma rules repository without having to start from scratch. I came across an interesting project from someone called CodeByHarri GitHub Repo. Though the repo was unmaintained it gave me a starting point to begin.
The Python script part of Harri’s codebase utilised the pySigma Python package to convert Sigma rules to a desired language. The script was leveraging a deprecated MS Defender 365 pySigma backend. I revitalised the repository through a fork by updating the Python script to utilise the current MS XDR backend (Kusto backend) to convert the rules from the Sigma repo that it supports. After fixing that I updated the documentation in my fork then created a pull request into the original repo.
You can my find my fork here: My Sigma2KQL GitHub Fork
Next challenge was creating a repo to convert these detections to Terraform code for continuous delivery into my Microsoft Sentinel instance via Terraform to leverage the state management, drift detection, and incremental detection deployment capabilities received from this.
I put together a pretty simple Python script that composed the KQL based Sigma rules into Terraform code, and a schema file with all the table dependencies for the detections for the script to utilise to understand which fields to map for entity mapping. This is a critical feature of Sentinel analytics and ensures triggered detections can relate to eachother and appear on the users activity timeline.
Proper entity mapping also empowers the powerful UEBA feature in Sentinel, though I do not use this currently. You can find the code for my GitHub repo with over 2000 scheduled analytics in Terraform code format to deploy to Microsoft Sentinel here: My TerraSigma GitHub repo
Starting KQL to Terraform conversion...
Input directory: KQL
Output directory: TF
Schemas loaded: 10 tables
================================================================================
Found 4450 KQL files
================================================================================
CONVERSION SUMMARY
================================================================================
Total KQL files: 4450
Successfully converted: 4450
Failed: 0
Conversions by MITRE Tactic:
Collection 86 rules
Command and Control 258 rules
Credential Access 246 rules
Defense Evasion 1464 rules
Discovery 274 rules
Execution 840 rules
Exfiltration 68 rules
Impact 98 rules
Initial Access 92 rules
Lateral Movement 62 rules
Persistence 468 rules
Privilege Escalation 434 rules
Reconnaissance 16 rules
Resource Development 44 rules
================================================================================
Success Rate: 100.00%
================================================================================
Output location: TF
Terraform files ready for deployment!
Converted KQL to TerraformWith these two repos created it enabled me to simply deploy all Kusto backend supported Sigma rules easily. But it also presented a new issue where the two repos would quickly become deprecated due to the constant development from Detection Engineers around the world contributing to the Sigma rules repo.
I decided to put both repos on a pipeline schedule that runs automatically each week to update themselves from the Sigma rules repository. Ensuring that the content provided to consumers of the repositories continues to up to date each week. Regardless of how many updates created to the sigma rules repo. After a few weeks of monitoring the pull requests I’ll set them to be automatically approved. Currently I just need to do that intervention once a week.
