Sigma Rules Integration

Convert community detection rules to Falco and LogQL formats.

Overview

Sigma is the universal language for security detection rules. SIB includes a converter that transforms Sigma rules into:

Falco rules — For runtime detection
LogQL alerts — For log-based detection in Loki

This means you’re not locked into any single detection format. The entire Sigma rule ecosystem is available to you.

Quick Start

# Convert all Sigma rules in sigma/rules/
make convert-sigma

# Convert a specific rule
./sigma/sigma2sib.py sigma/rules/crypto_mining.yml

Included Sample Rules

SIB includes several example Sigma rules:

Rule	Description	MITRE Tactic
`crypto_mining.yml`	Detects cryptocurrency miners	Impact (T1496)
`shadow_access.yml`	Password file access	Credential Access (T1003)
`ssh_keys.yml`	SSH private key access	Credential Access (T1552)
`reverse_shell.yml`	Reverse shell patterns	Execution (T1059)
`container_escape.yml`	Container breakout attempts	Privilege Escalation (T1611)

Adding Sigma Rules

From SigmaHQ Repository

The SigmaHQ rules repository contains thousands of community rules.

# Clone the Sigma rules repo
git clone https://github.com/SigmaHQ/sigma.git /tmp/sigma

# Copy rules you want
cp /tmp/sigma/rules/linux/process_creation/*.yml sigma/rules/

# Convert to SIB format
make convert-sigma

Custom Rules

Create your own Sigma rules in sigma/rules/:

title: Detect Base64 Encoded Payload Execution
id: 12345678-1234-1234-1234-123456789abc
status: experimental
description: Detects execution of base64 encoded commands
author: Your Name
date: 2024/01/15
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        CommandLine|contains:
            - 'base64 -d'
            - 'base64 --decode'
    condition: selection
falsepositives:
    - Legitimate admin scripts
level: medium
tags:
    - attack.execution
    - attack.t1059

Converter Output

Running make convert-sigma generates:

Falco Rules

# Generated from sigma/rules/crypto_mining.yml
- rule: Sigma - Cryptocurrency Mining Activity
  desc: Detects cryptocurrency mining processes
  condition: >
    spawned_process and 
    (proc.name in (xmrig, minerd, cpuminer) or
     proc.cmdline contains "stratum+tcp")
  output: >
    Cryptocurrency mining activity detected 
    (user=%user.name command=%proc.cmdline container_id=%container.id)
  priority: WARNING
  tags: [sigma, mitre_impact, T1496]

LogQL Alerts

# For Loki alerting
groups:
  - name: sigma_rules
    rules:
      - alert: CryptocurrencyMiningActivity
        expr: |
          count_over_time({job="falco"} 
            |~ "xmrig|minerd|cpuminer|stratum" [5m]) > 0
        for: 1m
        labels:
          severity: warning
        annotations:
          summary: Cryptocurrency mining detected

Using Converted Rules

Add to Falco

# Append to custom rules
cat sigma/output/falco_rules.yaml >> detection/config/rules/custom_rules.yaml

# Restart to apply
make restart

Add to Loki Alerting (Grafana Stack)

# Copy to Loki config
cp sigma/output/logql_alerts.yaml storage/config/rules/

# Restart Loki
docker compose -f storage/compose-grafana.yaml restart loki

Note: This applies to the Grafana stack (STACK=grafana). For VictoriaLogs, use LogsQL alerts with -o logsql.

Sigma Rule Syntax

Basic Structure

title: Rule Name
id: unique-uuid
status: experimental|test|stable
description: What this rule detects
author: Author Name
date: YYYY/MM/DD
logsource:
    category: process_creation|file_event|network_connection
    product: linux|windows|macos
detection:
    selection:
        FieldName: value
        FieldName|modifier: value
    condition: selection
level: informational|low|medium|high|critical
tags:
    - attack.tactic
    - attack.technique_id

Detection Modifiers

Modifier	Description	Example
`contains`	Substring match	`CommandLine\|contains: wget`
`startswith`	Prefix match	`FilePath\|startswith: /tmp`
`endswith`	Suffix match	`FileName\|endswith: .sh`
`re`	Regex match	`CommandLine\|re: .base64.`
`all`	All values must match	`selection\|all: true`

Conditions

# Simple
condition: selection

# Multiple selections with AND
condition: selection1 and selection2

# Multiple selections with OR
condition: selection1 or selection2

# Negation
condition: selection and not filter

# Aggregation
condition: selection | count() > 10

Supported Sigma Categories

The converter supports these Sigma log sources:

Category	Maps to
`process_creation`	Falco spawned_process events
`file_event`	Falco file activity events
`network_connection`	Falco network events
`syslog`	Loki syslog stream
`auditd`	Loki audit logs

Troubleshooting

Conversion Fails

Check rule syntax:

# Validate YAML
python3 -c "import yaml; yaml.safe_load(open('sigma/rules/myrule.yml'))"

Rule Doesn’t Trigger

Verify the rule is in Falco:

docker exec sib-falco cat /etc/falco/rules.d/custom_rules.yaml | grep "rule name"

Check Falco logs:
```
make logs-falco
```
Generate a matching event manually and watch logs

False Positives

Add filters to the Sigma rule:

detection:
    selection:
        CommandLine|contains: wget
    filter:
        User: backup_user
    condition: selection and not filter

Resources

← Back to Home

Sigma Rules - SIEM in a Box

A complete security monitoring stack you can deploy with one command. Runtime security detection with Falco, log aggregation with VictoriaLogs, and visualization with Grafana.