Threat Alert Logic Repository
A public repository for the collection and sharing of detection rules in STIX format. Collected rules are appended with STIX required fields for simplified sharing over TAXII servers.
Contains tools useful for translating rules from STIX to Sigma, and automating their ingestion/translation.
Sharing SIEM Rules via STIX/TAXII, which enables:
Only required if using the tools.
sudo apt-get install python3
sudo apt-get install python3-pip
pip3 install json2yaml
pip3 install sigmatools
sudo apt-get install figlet
stix2sigmac will parse through a STIX bundle, locate the detection rules, store them locally in yaml, and translate them to the SIEM query syntax specified.
To test this, we have made 2 bundles available in the /Bundles directory.
To unpack these bundles, run stix2sigmac against them, using the following syntax:
./stix2sigmac import [PRODUCT_TYPE or CATEGORY or SERVICE or ATTACK_TACTIC] [/DIRECTORY/WITH/STIX_BUNDLE/] [BUNDLE_NAME.json] [/DIRECTORY/TO/PLACE_RULES/] [SIEM] [BACKEND_OPTIONS]
For the available [SIEM] and [BACKEND_OPTIONS] values, please refer to the Sigma Tools page. Note: if using multiple backend options, separate them with commas. If using none, simply write "none".
Example steps to use stix2sigmac to unpack a bundle (tested on Ubuntu 18.04.1 with all requirements installed):
git clone https://github.com/SecurityRiskAdvisors/TALR.git
cd /location/of/repository/Tools/stix2sigmac
chmod +x stix2sigmac
./stix2sigmac import windows ../../Bundles/ sra_bundle.json /LOCATION/OF/EXPORT/ splunk -Orulecomment=True
Execution should look like this:
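The following is an added example, not code from the TALR repository, showing the two steps stix2sigmac performs before the SIEM translation: locating the Sigma rules inside a STIX bundle and filtering them by product/category/service, then building the sigmac command line (assumed flags `-t` for the target and `-O` for each backend option, with the comma-separated/"none" convention from the note above). The bundle, rule names and ids are constructed placeholders, and the rule is assumed to be stored as a STIX indicator with `pattern_type: "sigma"`.

```python
import json
import re
from pathlib import Path

# Constructed sample STIX 2.1 bundle with two Sigma rules (placeholder ids; not one
# of the repository's own bundles). Assumption: each rule is an "indicator" whose
# pattern_type is "sigma" and whose pattern carries the Sigma rule as YAML text.
SAMPLE_BUNDLE = json.loads("""
{"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001", "objects": [
 {"type": "identity", "id": "identity--00000000-0000-4000-8000-000000000002",
  "name": "constructed-example"},
 {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
  "name": "Suspicious whoami", "pattern_type": "sigma", "labels": ["discovery"],
  "pattern": "title: Suspicious whoami\\nlogsource:\\n  product: windows\\n  category: process_creation\\ndetection:\\n  selection:\\n    Image|endswith: whoami.exe\\n  condition: selection\\nlevel: medium\\n"},
 {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
  "name": "Auth failure burst", "pattern_type": "sigma", "labels": ["credential-access"],
  "pattern": "title: Auth failure burst\\nlogsource:\\n  product: linux\\n  service: auth\\ndetection:\\n  keywords:\\n    - 'Failed password'\\n  condition: keywords\\nlevel: low\\n"}
]}
""")


def sigma_rules(bundle, selector):
    """Return {filename: sigma_yaml} for every Sigma indicator whose logsource
    product/category/service or STIX labels match `selector` (e.g. "windows")."""
    rules = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "sigma":
            continue
        yaml_text = obj["pattern"]
        # Simplified logsource parse: read the indented 'key: value' lines directly
        # from the YAML text so no YAML library is required for the filter.
        logsource = dict(re.findall(r"^[ \t]+(product|category|service):[ \t]*(\S+)", yaml_text, re.M))
        tags = set(logsource.values()) | set(obj.get("labels", []))
        if selector.lower() in tags:
            fname = re.sub(r"[^A-Za-z0-9_-]+", "_", obj["name"]).strip("_").lower() + ".yml"
            rules[fname] = yaml_text
    return rules


def write_rules(rules, out_dir):
    """Store each rule as a .yml file under out_dir; returns the written paths."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for fname, text in rules.items():
        (out / fname).write_text(text)
        paths.append(out / fname)
    return paths


def sigmac_command(rule_path, siem, backend_options="none"):
    """Build (but do not run) the sigmac argument list for one rule. "none" means
    no backend options; otherwise each comma-separated key=value gets its own -O."""
    cmd = ["sigmac", "-t", siem]
    if backend_options.strip().lower() != "none":
        for opt in backend_options.split(","):
            cmd += ["-O", opt.strip()]
    return cmd + [str(rule_path)]


if __name__ == "__main__":
    for fname in sigma_rules(SAMPLE_BUNDLE, "windows"):
        print(sigmac_command(Path("rules") / fname, "splunk", "rulecomment=True"))
```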
Nick Ascoli, Zachary Santoro, Brandon Martin, Tyler Fredrick, Kevin Foster
Slides from "Keeping Up With the Joneses: SIEM Rules Edition"