
Seamless Security: Automating SIGMA Rule Conversion with Generative AI
- Oct 15, 2024
- Steve Povolny
- 4 minutes to read

As security threats become more sophisticated and cyber environments more complex, it’s crucial to find better ways to manage security operations efficiently. Generative AI (GenAI) has been making waves for a few years now, but how can you harness its potential to streamline analyst workflows? One solution is using GenAI to automate tasks, like converting SIGMA rules into correlation rules. By automating translations, analysts not only cut down on human error but also speed up responses to potential threats, strengthening an organization’s overall security defenses.
Automating SIGMA Rule Translation with GenAI
Manually translating a SIGMA rule into a format compatible with a SIEM is time-consuming, error-prone, and requires an advanced level of familiarity with the data enrichment model the SIEM uses. Thanks to GenAI, analysts can significantly streamline the process through automation.
In this article, we will teach you how to leverage GenAI to automate the translation of SIGMA rules into next-gen correlation rules by Exabeam. AI can interpret the logic in a SIGMA rule and, by leveraging predefined mappings, convert it into the specific query language that Exabeam uses for its correlation rules.
Automating SIGMA rule translation brings about several key advantages:
1. Efficiency and Speed: Automated translation allows security teams to create correlation rules much faster. Instead of manually interpreting each SIGMA rule and writing the corresponding Exabeam query, GenAI can complete the task in seconds, with only a URL or an uploaded yml file as input.
2. Consistency and Accuracy: Manual translations are prone to errors, especially when interpreting complex conditions or handling large-scale rules. GenAI ensures that the conversion is precise, following consistent mappings between SIGMA fields and Exabeam query language. For example, a SIGMA rule that looks for command-line inputs containing keywords like “iex” and “invoke-expression” can be automatically converted into Exabeam format:

This ensures that the same logic applies across different platforms, eliminating inconsistencies.
3. Scalability: As organizations grow, the number of detection rules and platforms they need to manage does too. GenAI provides a scalable solution by automating the generation of these rules, reducing the workload for security analysts and allowing them to focus on more strategic tasks like threat hunting and incident response.
Key Components of AI-Driven Translation
Automating the translation process involves several steps. First, the AI interprets the SIGMA rule, understanding the detection logic, conditions, and field mappings. Using predefined mappings such as field conversions (e.g., CommandLine in SIGMA to command_line in Exabeam), it translates each component into its corresponding Exabeam query.
For instance, a SIGMA rule detecting suspicious dmp files, registry modifications or run keys:

Converts to:

This conversion, performed automatically with GenAI, ensures accuracy while maintaining the integrity of the detection logic.
Additional Usage of GenAI in Security Automation
Exabeam uses GenAI and machine learning in areas like alert prioritization, real-time anomaly detection, and automated threat hunting. The above is another example of how we can leverage a novel technology to further automate repeatable and error-prone tasks. This frees analysts and detection engineers from manual, time-consuming work so they can perform the work that only humans can and should do.
Automating SIGMA Rule Conversion with Generative AI
Like all GenAI tools, you need to provide some input and a prompt. The following case demonstrates a process using ChatGPT, which can be given a set of instructions to convert SIGMA rules into Exabeam correlation rules. The conversion can be achieved by pasting the URL of a SIGMA rule into the message bar, uploading a file directly, or copying and pasting the rule text and submitting it as part of the conversation. More details on this mapping process can be found in the appendix.
The following image demonstrates a URL submitted directly from Red Canary for a SIGMA rule in yml format.

Alternatively, we can directly provide a yml file for processing.


Lastly, we can copy and paste the contents of a SIGMA rule, and it will convert it into a correlation rule.


Conclusion
The benefits of using GenAI to convert SIGMA rules to Exabeam correlation rules are centered around the consistency of results and time savings. While this tool can be helpful to automate and standardize the conversion, we do need to ensure that the underlying technology didn’t hallucinate a solution. It is recommended that you do not blindly take the output of these conversions and plug it directly into a production system; review each converted rule to ensure accuracy.
Appendix
The following prompt was used to instruct the target model to convert from native SIGMA syntax to Exabeam Correlation Rules.
As a senior security engineer, I use specific mappings to interpret detection logic and convert it into query language based on detailed rules, ensuring all keys in the query are in lowercase. You will be reading URLs from the web. The wildcard function (WLD) does not require explicit asterisks as these are implied. When creating correlation rules, rely on this mapping:
For FieldName, leverage the field mapping section below.

For example:

Would translate to:

This would translate to:

And not:

SearchLogic:
re.regex -> RGX("string")
contains -> WLD("string")
wildcard -> WLD("string")
startswith -> RGX("^string")
endswith -> RGX("string$")
cidr -> [x.x.x.x/y]
all -> field_name: "item1" AND field_name: "item2" AND field_name: "itemN"
any -> field_name: ("item1", "item2", "item3")
not -> AND NOT field_name: "item1"
and -> field_name: "item1" AND field_name2: "item2"
or -> field_name: "item2" OR field_name: "item1"
Field Mapping:
ScriptBlockText -> scriptblock_text
EventID -> event_code
LogonType -> logon_type
UserName -> user
SrcIP -> src_ip
DstIP -> dest_ip
ParentImage -> parent_process_name
ProcessName -> process_name
FilePath -> file_path
CommandLine -> command_line
RegistryKey -> registry_key
Hashes -> md5
If you do not have a direct mapping of a field from a SIGMA rule to an Exabeam correlation rule, please reference this website: https://github.com/ExabeamLabs/CIMLibrary/blob/main/Fields_Descriptions.md, or ask the user for clarification.
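The field conversion described under "Key Components of AI-Driven Translation" and the SearchLogic and Field Mapping tables in this appendix are deterministic, so they can also be implemented as a plain script. The converter below is an added example, not Exabeam's tool or the model's output: it applies the two tables to a SIGMA detection block and is useful as an independent cross-check of what the GenAI conversion returns, which is exactly the review the conclusion asks for. It assumes an output grammar of `field: VALUE` joined by AND/OR/NOT, regex-escapes `startswith`/`endswith` literals, refuses unmapped fields instead of guessing, and handles only the identifier/and/or/not subset of SIGMA conditions. The sample rule is constructed; a real rule would be loaded from its yml file with `yaml.safe_load()`, which yields the same dict shape.

```python
# Added example (not Exabeam's code): deterministic SIGMA -> Exabeam-style query
# converter built from the appendix's SearchLogic and Field Mapping tables.
# Assumptions not stated in the article: the exact output shape for grouped and
# function-wrapped values, regex-escaping of startswith/endswith literals, and
# the constructed SAMPLE_RULE below.
import re

FIELD_MAP = {  # Field Mapping table from the appendix
    "ScriptBlockText": "scriptblock_text", "EventID": "event_code",
    "LogonType": "logon_type", "UserName": "user", "SrcIP": "src_ip",
    "DstIP": "dest_ip", "ParentImage": "parent_process_name",
    "ProcessName": "process_name", "FilePath": "file_path",
    "CommandLine": "command_line", "RegistryKey": "registry_key",
    "Hashes": "md5",
}


class UnmappedField(KeyError):
    """A SIGMA field with no entry in FIELD_MAP. The prompt tells the model to
    consult the CIM field list or ask; a script should stop rather than guess."""


def map_field(sigma_field):
    if sigma_field not in FIELD_MAP:
        raise UnmappedField(sigma_field)
    return FIELD_MAP[sigma_field]          # already lowercase, as the prompt requires


def render_value(value, modifier):
    """Apply the SearchLogic table to one value. WLD() implies its own asterisks."""
    v = str(value)
    if modifier == "re":
        return f'RGX("{v}")'                # already a regex, pass through unchanged
    if modifier in ("contains", "wildcard"):
        return f'WLD("{v}")'
    if modifier == "startswith":
        return f'RGX("^{re.escape(v)}")'    # escape so "." in a literal is not a wildcard
    if modifier == "endswith":
        return f'RGX("{re.escape(v)}$")'
    if modifier == "cidr":
        return f"[{v}]"
    return f'"{v}"'                         # plain equality


def render_item(key, value):
    """Translate one 'Field|modifier|...' entry of a SIGMA selection."""
    field, *mods = key.split("|")
    column = map_field(field)
    use_all = "all" in mods                 # |all: every listed value must match
    value_mods = [m for m in mods if m != "all"]
    modifier = value_mods[0] if value_mods else None
    values = value if isinstance(value, list) else [value]
    rendered = [render_value(v, modifier) for v in values]
    if len(rendered) == 1:
        return f"{column}: {rendered[0]}"
    if use_all:
        return "(" + " AND ".join(f"{column}: {r}" for r in rendered) + ")"
    return f"{column}: ({', '.join(rendered)})"   # any-of list, as in the appendix


def render_selection(selection):
    """A dict ANDs its items; a list of dicts ORs the alternatives."""
    if isinstance(selection, list):
        return "(" + " OR ".join(render_selection(s) for s in selection) + ")"
    clauses = [render_item(k, v) for k, v in selection.items()]
    return clauses[0] if len(clauses) == 1 else "(" + " AND ".join(clauses) + ")"


def convert(rule):
    """Walk the SIGMA condition, substituting each named selection with its query.
    Only identifiers, and/or/not and parentheses are handled; anything else
    (e.g. '1 of them') is refused so a human reviews it instead."""
    detection = rule["detection"]
    out = []
    for tok in re.findall(r"\(|\)|[^\s()]+", detection["condition"]):
        if tok.lower() in ("and", "or", "not"):
            out.append(tok.upper())
        elif tok in ("(", ")"):
            out.append(tok)
        elif tok in detection and tok != "condition":
            out.append(render_selection(detection[tok]))
        else:
            raise ValueError(f"unsupported condition token: {tok!r}")
    return " ".join(out).replace("( ", "(").replace(" )", ")")


# Constructed sample rule mirroring the article's iex / invoke-expression example.
SAMPLE_RULE = {
    "title": "Suspicious PowerShell invoke-expression usage (constructed sample)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "ProcessName|endswith": "powershell.exe",
            "CommandLine|contains": ["iex", "invoke-expression"],
        },
        "filter": {"ParentImage|endswith": "explorer.exe"},
        "condition": "selection and not filter",
    },
}

if __name__ == "__main__":
    print(convert(SAMPLE_RULE))
```

Running the script prints the query for the sample rule; comparing that string with what the model produced for the same rule surfaces hallucinated field names or a dropped `NOT` immediately, and an `UnmappedField` error marks exactly the fields where the prompt tells the model to consult the CIM field list instead of inventing a mapping.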
- Tags
- automation
- GenAI
- SIGMA Rules

Steve Povolny
Senior Director, Security Research & Competitive Intelligence | Exabeam | Steve Povolny is a seasoned security research professional with over 15 years of experience in managing security research teams. He has a proven track record of identifying vulnerabilities and implementing effective solutions to mitigate them.