Skip to content

nNipsx-Sec/pySigma-backend-qradar

BranchesTags

Repository files navigation

Tests Status

Overview

This is the Qradar backend for pySigma, capable of converting Sigma rules into two type: Ariel Query Language and Extension Package compatible with the Qradar SIEM. It provides the package sigma.backends.qradar with the QradarBackend class. Further, it contains the following processing pipelines in sigma.pipelines.qradar:

  • qradar_windows: Qradar Windows log support. Applied automatically in default output format.
  • qradar_exetension: Generate Extension package rules for Qradar; Easier for deploy rules as a part of Detection as Code will release in near furture. Applied automatically in extension output format.

Installation

Qradar Backend is now part of Sigma CLI. Run command below

python -m pip install sigma-cli

Ref: https://github.com/SigmaHQ/sigma-cli

pySigma Qradar Backend

This is the Qradar backend for pySigma. It provides the package sigma.backends.qradar with the QradarBackend class. Further, it contains the following processing pipelines in sigma.pipelines.qradar:

  • qradar_windows: Qradar Windows log support. Applied automatically in default output format.
  • qradar_exetension: Generate Extension rules for Qradar; Easier for deploy rules as a part of Detection as Code will release in near furture. Applied automatically in extension output format.

Output Format Support

It supports the following output formats:

  • default: Qradar AQL queries
  • extension: Create Extensions rules for Qradar. (Support only Qradar v7.4.0)

Contributor

This backend is currently maintained by:

  • nNipsx aka Duc.Le from GTSC Team

Supported by:

  • Dinh.Bui, Tuan.Le, Hieu.Le, Khanh.Dao, Hue.Vu - Tilyx Team

Special thanks to thomaspatzke

How it work

Qradar Extension Package

With new feature for Qradar is Extensions Qradar have two type rules is Building Blocks and Rules. Base on that Qradar Backend Extension convert put all rule conditions to Building Blocks then create Rules contain this building block for easier manage and add whitelist when tuning rules. Example:

image BB

Image Rules

With Qradar Extension, Product (Ex: Windows, Linux, ..) and EventID will convert to LogSourceID and QID provide by Qradar; it's increase performance when processing logs and trigger rules for Qradar

Usage example

Sigma CLI

You can quickly convert a single rule or rules in a directory structure using Sigma CLI. You can use: Qradar Backend Extension

sigma convert -t qradar -f extension -o rules-extension.zip tests/files/sigma_rule.yml

Qradar AQL -> Default

sigma convert -t qradar tests/files/sigma_rule.yml

Limitations and Constraints

The Qradar Backend now just support only Windows product.

Recommend testing extensions in UAT or Dev/test enviroments

About

pySigma-backend-qradar

Resources

Readme

License

LGPL-2.1 license
Activity

Stars

9 stars

Watchers

1 watching

Forks

2 forks
Report repository

Releases 11

v0.3.3 Update allowed SIEM pipelines Latest
Feb 22, 2023
+ 10 releases

Sponsor this project

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages