Sigma Rules
General Description
This section is designed for importing Sigma rules and automatically converting these rules into scheduled tasks in the Task Scheduler module.
The Sigma Rules page displays a list of rules available in the Search Anywhere Framework system.
To view a rule, click on its name.
Importing Rules
To import Sigma rules, click the Import button in the top right corner.
Select the required YAML file.
After this, the Sigma rule will appear in the list.
Automatic Conversion of Sigma Rule to Search Task
To create a new search task from a Sigma rule, click the Create Task button in the rule view window or the Create Task button in the actions menu of the rule list.
Next, a window will appear for configuring the rule conversion. You need to specify the source from which the search query will be built, and map the fields of the Sigma rule to the fields of the specified source.
After filling in the source and the field mappings, you can click the Preview Search Query button to check the correctness of the resulting sml query.
In this window, you can also select options for automatically creating an Incident Action in the search task and for adding the tags from the Sigma rule to the search task.
Click the Create Task button in the bottom right corner, and you will be taken to the search query creation page with fields pre-filled from the Sigma rule and the search query in sml syntax.
Fill in or edit the necessary fields and save the search task to complete the conversion.
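The field-mapping step of the conversion above, as an added example that is not the Search Anywhere Framework's own converter: it takes a Sigma rule (a constructed one, already parsed from YAML into a dict as yaml.safe_load would return it), renames each Sigma field through an assumed mapping, and renders the detection condition as a query string. The source field names and the output syntax are placeholders, since the page does not show sml syntax; an unmapped field is reported as an error, which is exactly what the Preview Search Query check is for.

```python
# Constructed Sigma rule, in the form yaml.safe_load() returns for the YAML file.
SIGMA_RULE = {
    "title": "Encoded PowerShell Command Line",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc ", "-EncodedCommand "],
        },
        "filter": {"User|startswith": "NT AUTHORITY\\"},
        "condition": "selection and not filter",
    },
    "tags": ["attack.execution", "attack.t1059.001"],
}

# Assumed mapping from Sigma field names to the selected source's field names.
FIELD_MAP = {"Image": "process.path", "CommandLine": "process.cmdline", "User": "user.name"}

# Assumed, illustrative target syntax: field="value" with * as wildcard.
WILDCARDS = {"": "{}", "contains": "*{}*", "startswith": "{}*", "endswith": "*{}"}


def render_term(field_spec, value, field_map):
    """Translate one 'Field|modifier: value' pair into a query term."""
    field, _, modifier = field_spec.partition("|")
    if field not in field_map:
        raise KeyError(f"Sigma field {field!r} has no mapping for the selected source")
    if modifier not in WILDCARDS:
        raise ValueError(f"unsupported Sigma modifier {modifier!r}")
    values = value if isinstance(value, list) else [value]
    terms = [f'{field_map[field]}="{WILDCARDS[modifier].format(v)}"' for v in values]
    # A list of values in Sigma means "any of these", so they are OR-ed together.
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"


def render_selection(selection, field_map):
    """All key/value pairs inside one selection must match, so they are AND-ed."""
    return "(" + " AND ".join(render_term(k, v, field_map) for k, v in selection.items()) + ")"


def build_query(rule, field_map):
    """Expand the condition string, substituting each named selection by its rendered terms."""
    detection = rule["detection"]
    out = []
    for token in detection["condition"].split():
        if token in ("and", "or", "not"):
            out.append(token.upper())
        elif token in detection:
            out.append(render_selection(detection[token], field_map))
        else:
            raise ValueError(f"unsupported condition token {token!r}")
    return " ".join(out)
```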