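/LogRhythm.yml:
--------------------------------------------------------------------------------
title: LogRhythm Field Mapping
# order: 20

# Maps Sigma field names (keys) to LogRhythm filterType numbers (values) for use
# with the LogRhythm Search API. A list value means the Sigma field has no single
# LogRhythm equivalent and should be matched against each listed filterType.
# The trailing "#Name = N" comment on each entry gives the LogRhythm field name
# behind the number; value and comment must agree, otherwise rules that use that
# Sigma field are translated against the wrong LogRhythm field and miss events.

User: 43 #User = 43
username: 43
EventID: 37 #VendorMsgID = 37
event_id: 37
Hashes: 138 #Hash = 138
src_ip: 18 #SIP = 18
c-ip: 18
cs-ip: 18
dst_ip: 19 #DIP = 19
# Source port is SPort (26) and destination port is DPort (27). The two values
# were previously swapped, which matched port-based rules in the wrong direction.
src_port: 26 #SPort = 26
dst_port: 27 #DPort = 27
ProcessId: 109 #PID = 109
cs_url: 42 #URL = 42
Version: 111 #Version = 111
# Parent image is parsed into two fields for Sysmon: ParentProcessName (taskeng.exe) and ParentProcessPath (C:\Windows\System32)
ParentImage:
  - 146 #ParentProcessName = 146
  - 147 #ParentProcessPath = 147
Command: 112 #Command = 112
ParentProcessId: 145 #ParentProcessId = 145
TargetObject: 34 #Object = 34
Image: 34 #Object = 34
mac: 132 #MAC = 132
SourceImage:
  - 146 #ParentProcessName = 146
  - 147 #ParentProcessPath = 147
QueryName: 113 #ObjectName = 113 for Sysmon 22
QueryResult: 141 #Result = 141 for Sysmon 22
sc-bytes: 59 #BytesOut = 59
c-useragent: 144 #UserAgent = 144
TargetFilename: # For Sysmon 11
  - 33 #Subject = 33
  - 34 #Object = 34 (was 43, which is User and contradicted this comment)

# Reference list of remaining LogRhythm filterTypes, not mapped above.
#Address = 44
#Amount = 64
#Application = 97
#MsgClass = 10
#CommonEvent = 11
#Direction = 2
#Duration = 62
#Group = 38
#BytesIn = 58
#BytesOut = 59
#BytesInOut = 95
#DHost = 100
#Host = 98
#SHost = 99
#ItemsIn = 60
#ItemsOut = 61
#ItemsInOut = 96
#DHostName = 25
#HostName = 23
#SHostName = 24
#KnownService = 16
#DInterface = 108
#Interface = 133
#SInterface = 107
#IP = 17
#DIPRange = 22
#IPRange = 20
#SIPRange = 21
#KnownDHost = 15
#KnownHost = 13
#KnownSHost = 14
#Location = 87
#SLocation = 85
#DLocation = 86
#MsgSource = 7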
#Entity = 6
#RootEntity = 136
#MsgSourceType = 9
#DMAC = 104
#SMAC = 103
#Message = 35
#MPERule = 12
#DNATIP = 106
#NATIP = 126
#SNATIP = 105
#DNATIPRange = 125
#NATIPRange = 127
#SNATIPRange = 124
#DNATPort = 115
#NATPort = 130
#SNATPort = 114
#DNATPortRange = 129
#NATPortRange = 131
#SNATPortRange = 128
#DNetwork = 50
#Network = 51
#SNetwork = 49
#Login = 29
#IDMGroupForLogin = 52
#Priority = 3
#Process = 41
#Protocol = 28
#Quantity = 63
#Rate = 65
#Recipient = 32
#Sender = 31
#Session = 40
#Severity = 110
#Size = 66
#Port = 45
#DPortRange = 47
#PortRange = 48
#SPortRange = 46
#Account = 30
#IDMGroupForUser = 54
#SZone = 93
#DZone = 94
#FilterGroup = 1000
#PolyListItem = 1001
#Domain = 39
#DomainOrigin = 137
#Policy = 139
#VendorInfo = 140
#ObjectType = 142
#CVE = 143
#SerialNumber = 148
#Reason = 149
#Status = 150
#ThreatId = 151
#ThreatName = 152
#SessionType = 153
#Action = 154
#ResponseCode = 155
#UserOriginIdentityID = 167
#Identity = 160
#UserImpactedIdentityID = 168
#SenderIdentityID = 169
#RecipientIdentityID = 170
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Sigma
Convert Sigma rules to LogRhythm searches

Sigma rules can be converted to LogRhythm searches by using the LogRhythm.yml file, which maps Sigma fields to LogRhythm filterTypes for use with the LogRhythm Search API. An example of a Sigma rule and the equivalent LogRhythm API search is provided below.

Currently, converting a Sigma rule to a LogRhythm search is a manual process. Requests to the LogRhythm Search API are POSTed as JSON. LogRhythm Search API documentation can be found at https://community.logrhythm.com/ and on your LogRhythm deployment at http://<your-LogRhythm-host>:8505/lr-search-api/docs.

The converted searches can also be run in the LogRhythm Web Console or Thick Client. The LogRhythm.yml file also contains comments that map Sigma fields to LogRhythm field names.

Any updates or additions are welcome.

# Example Sigma rule
title: WMI Event Subscription
id: 0f06a3a5-6a09-413f-8743-e6cf35561297
status: experimental
description: Detects creation of WMI event subscription persistence method
tags:
  - attack.t1084 # an old one
  - attack.persistence
  - attack.t1546.003
author: Tom Ueltschi (@c_APT_ure)
date: 2019/01/12
logsource:
  product: windows
  service: sysmon
detection:
  selector:
    EventID:
      - 19
      - 20
      - 21
  condition: selector
falsepositives:
  - exclude legitimate (vetted) use of WMI event subscription in your network
level: high

# Equivalent LogRhythm Search API JSON
{
  "maxMsgsToQuery": 10000,
  "logCacheSize": 10000,
  "queryTimeout": 60,
  "queryRawLog": true,
  "queryEventManager": false,
  "dateCriteria": {
    "useInsertedDate": false,
    "lastIntervalValue": 30,
    "lastIntervalUnit": 4
  },
  "queryLogSources": [],
  "queryFilter": {
    "msgFilterType": 2,
    "isSavedFilter": false,
    "filterGroup": {
      "filterItemType": 1,
      "fieldOperator": 1,
      "filterMode": 1,
      "filterGroupOperator": 0,
      "filterItems": [
        {
          "filterItemType": 0,
          "fieldOperator": 0,
          "filterMode": 1,
          "filterType": 37,
          "values": [
            {
              "filterType": 37,
              "valueType": 4,
              "value": {
                "value": "19",
                "matchType": 0
              }
            },
            {
              "filterType": 37,
              "valueType": 4,
              "value": {
                "value": "20",
                "matchType": 0
              }
            },
            {
              "filterType": 37,
              "valueType": 4,
              "value": {
                "value": "21",
                "matchType": 0
              }
            }
          ]
        }
      ]
    }
  }
}
--------------------------------------------------------------------------------