abhiiibabariya-dev/sigma-rule-converter
GitHub: abhiiibabariya-dev/sigma-rule-converter
A detection-engineering helper that converts generic Sigma detection rules, in one step, into the query languages of several mainstream SIEMs, including Splunk, Microsoft Sentinel and Elastic.
Stars: 0 | Forks: 0
# Sigma Rule Converter

Convert Sigma detection rules into Splunk SPL, Microsoft KQL, Elastic EQL, QRadar AQL and Chronicle YARA-L.
## Why?

SOC teams write detection rules, but every SIEM speaks a different query language. This tool takes a single [Sigma rule](https://github.com/SigmaHQ/sigma) and converts it into queries for **5 major SIEM platforms**, so you write the rule once and deploy it everywhere.

## Supported backends

| Backend | Query Language | Platform |
|---------|---------------|----------|
| `splunk` | SPL | Splunk Enterprise / Cloud |
| `sentinel` | KQL | Microsoft Sentinel / Defender XDR |
| `elastic` | EQL / Lucene | Elastic SIEM / OpenSearch |
| `qradar` | AQL | IBM QRadar |
| `chronicle` | YARA-L 2.0 | Google Chronicle / SecOps |

## Quick start

```
# Install
git clone https://github.com/abhiiibabariya-dev/sigma-rule-converter.git
cd sigma-rule-converter
pip install -r requirements.txt

# Convert a single rule to Splunk SPL
python -m sigma_converter.cli rules/examples/proc_creation_win_mimikatz.yml -t splunk

# Convert to Microsoft Sentinel KQL
python -m sigma_converter.cli rules/examples/proc_creation_win_mimikatz.yml -t sentinel

# Convert every rule in a directory to Elastic EQL
python -m sigma_converter.cli rules/examples/ -t elastic

# Emit JSON with metadata
python -m sigma_converter.cli rules/examples/ -t splunk --json

# Save the output to a file
python -m sigma_converter.cli rules/examples/ -t qradar -o output.txt
```

## Example

**Input** -- Sigma rule (YAML):

```
title: Mimikatz Command Line Indicators
level: critical
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - 'sekurlsa::logonpasswords'
      - 'lsadump::dcsync'
  condition: selection
tags:
  - attack.credential_access
  - attack.t1003.001
```

**Output** -- Splunk SPL:

```
`-- Sigma Rule: Mimikatz Command Line Indicators`
`-- Level: critical | Status: stable`
`-- MITRE ATT&CK: attack.credential_access, attack.t1003.001`
index=wineventlog (process="*sekurlsa::logonpasswords*" OR process="*lsadump::dcsync*")
```

**Output** -- Microsoft Sentinel KQL:

```
// Sigma Rule: Mimikatz Command Line Indicators
// Level: critical | Status: stable
// MITRE ATT&CK: attack.credential_access, attack.t1003.001
SecurityEvent
| where (CommandLine contains "sekurlsa::logonpasswords" or CommandLine contains "lsadump::dcsync")
```

**Output** -- Chronicle YARA-L:

```
rule mimikatz_command_line_indicators {
  meta:
    severity = "CRITICAL"
    mitre_attack = "attack.credential_access, attack.t1003.001"
  events:
    $e.target.process.command_line = /.*sekurlsa\:\:logonpasswords.*/ nocase
    $e.target.process.command_line = /.*lsadump\:\:dcsync.*/ nocase
  condition:
    $e
}
```

## Features

- **5 SIEM backends** -- Splunk, Sentinel, Elastic, QRadar, Chronicle
- **Sigma modifier support** -- `contains`, `startswith`, `endswith`, `re`
- **Condition logic** -- `and`, `or`, `not`, `1 of`, `all of`
- **Field mapping** -- field names translated automatically per platform
- **MITRE ATT&CK tags** -- preserved in the output comments
- **Batch conversion** -- process a whole directory of rules
- **JSON output** -- structured output with metadata, convenient for automation
- **Example rules included** -- PowerShell download, Mimikatz, suspicious port

## Project structure

```
sigma-rule-converter/
├── sigma_converter/
│   ├── __init__.py
│   ├── parser.py        # Sigma YAML parser
│   ├── backends.py      # SIEM query language backends
│   └── cli.py           # Command-line interface
├── rules/
│   └── examples/        # Example Sigma rules
│       ├── proc_creation_win_powershell_download.yml
│       ├── proc_creation_win_mimikatz.yml
│       └── net_connection_win_suspicious_outbound.yml
├── tests/
│   └── test_converter.py  # Unit tests
├── requirements.txt
├── setup.py
└── README.md
```

## Running the tests

```
pip install pytest
pytest tests/ -v
```

## License

MIT License - see [LICENSE](LICENSE).
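The Example and Features sections describe the conversion pipeline: Sigma modifiers, OR across a list of values, AND across the fields of one selection, `and`/`or`/`not` in the condition, and per-platform field mapping. The following is an added, self-contained Python illustration of that pipeline for the Splunk and Sentinel backends; it is not the project's own `parser.py`/`backends.py` code. The field maps, the `index=wineventlog` / `SecurityEvent` prefixes and the boolean keywords are assumptions chosen to reproduce the sample outputs above, the example rule is embedded as an already-parsed dict rather than read from YAML, and `1 of`/`all of`, EQL, AQL and YARA-L are left out.

```python
"""Minimal Sigma -> Splunk SPL / Sentinel KQL converter (added illustration, not the project's code)."""
import re

# Constructed: the README's example rule, as a YAML parser would return it (no PyYAML needed here).
MIMIKATZ_RULE = {
    "title": "Mimikatz Command Line Indicators",
    "level": "critical",
    "detection": {
        "selection": {"CommandLine|contains": ["sekurlsa::logonpasswords", "lsadump::dcsync"]},
        "condition": "selection",
    },
    "tags": ["attack.credential_access", "attack.t1003.001"],
}
# Hypothetical per-backend field maps, data-source prefixes and boolean keywords (assumed, not the project's).
FIELD_MAP = {"splunk": {"CommandLine": "process", "Image": "process_path"},
             "sentinel": {"CommandLine": "CommandLine", "Image": "NewProcessName"}}
SOURCE = {"splunk": "index=wineventlog ", "sentinel": "SecurityEvent | where "}
OPS = {"splunk": ("AND", "OR"), "sentinel": ("and", "or")}
MODIFIERS = (None, "contains", "startswith", "endswith", "re")

def escape_value(value: str) -> str:
    """Escape backslashes and double quotes so a rule value cannot break out of the query string literal."""
    return value.replace("\\", "\\\\").replace('"', '\\"')

def render_term(backend, field, modifier, value):
    """Render one field/modifier/value triple; Sigma matches case-insensitively, hence =~ in KQL."""
    name, v = FIELD_MAP[backend].get(field, field), escape_value(str(value))
    if backend == "splunk":
        if modifier == "re":
            return f'match({name}, "{v}")'
        pattern = {"contains": f"*{v}*", "startswith": f"{v}*", "endswith": f"*{v}", None: v}[modifier]
        return f'{name}="{pattern}"'
    if modifier == "re":
        return f'{name} matches regex "{v}"'
    return f'{name} {modifier or "=~"} "{v}"'  # contains/startswith/endswith are KQL operators too

def render_selection(backend, selection):
    """Sigma semantics: a list of values for one field is OR-ed; distinct fields in a selection are AND-ed."""
    and_, or_ = OPS[backend]
    clauses = []
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        modifier = modifier or None
        if modifier not in MODIFIERS:
            raise ValueError(f"unsupported modifier: {modifier}")
        values = values if isinstance(values, list) else [values]
        terms = [render_term(backend, field, modifier, v) for v in values]
        clauses.append(terms[0] if len(terms) == 1 else "(" + f" {or_} ".join(terms) + ")")
    return clauses[0] if len(clauses) == 1 else "(" + f" {and_} ".join(clauses) + ")"

class ConditionParser:
    """Recursive-descent parser for the condition: 'not' binds tightest, then 'and', then 'or'."""
    def __init__(self, backend, detection):
        self.backend, self.detection, self.pos = backend, detection, 0
        self.tokens = re.findall(r"\(|\)|\w+", detection["condition"]) + [None]  # None marks the end

    def expr(self):  # or-separated terms
        parts = [self.term()]
        while self.tokens[self.pos] == "or":
            self.pos += 1
            parts.append(self.term())
        return f" {OPS[self.backend][1]} ".join(parts)

    def term(self):  # and-separated factors
        parts = [self.factor()]
        while self.tokens[self.pos] == "and":
            self.pos += 1
            parts.append(self.factor())
        return f" {OPS[self.backend][0]} ".join(parts)

    def factor(self):  # not / parenthesised group / named selection
        tok, self.pos = self.tokens[self.pos], self.pos + 1
        if tok == "not":  # SPL has a NOT keyword, KQL negates with the not() function
            inner = self.factor()
            return f"NOT {inner}" if self.backend == "splunk" else f"not({inner})"
        if tok == "(":
            inner, closing = self.expr(), self.tokens[self.pos]
            if closing != ")":
                raise ValueError("unbalanced parentheses in condition")
            self.pos += 1
            return f"({inner})"
        if tok in (None, "condition") or tok not in self.detection:
            raise ValueError(f"unknown selection {tok!r} in condition")
        return render_selection(self.backend, self.detection[tok])

def convert(rule, backend):
    """Return the backend query together with the rule metadata, like one --json record."""
    if backend not in SOURCE:
        raise ValueError(f"unsupported backend: {backend}")
    cond = ConditionParser(backend, rule["detection"])
    body = cond.expr()
    if cond.tokens[cond.pos] is not None:
        raise ValueError(f"trailing tokens in condition: {cond.tokens[cond.pos:-1]}")
    return {"title": rule["title"], "tags": rule.get("tags", []), "backend": backend, "query": SOURCE[backend] + body}

if __name__ == "__main__":
    for name in SOURCE:
        print(convert(MIMIKATZ_RULE, name)["query"])
```

Running it prints the two queries shown in the Example section. Two points worth carrying into any converter: `escape_value` keeps a rule author's string from altering the structure of the generated query, and the condition parser preserves Sigma's precedence (`not` over `and` over `or`) while emitting each backend's own negation form (`NOT` in SPL, `not()` in KQL). Whatever the backend, check the generated query against sample events before deploying it; YARA-L 2.0, for instance, joins consecutive statements in an `events` section with an implicit `and`, so a rule that should fire on either indicator needs an explicit `or` there.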