Importing Sigma security rules
The Sigma format is a generic, open signature language for describing log-based detection rules. A detection written once as a Sigma rule can be shared and converted for whichever SIEM or system will run it.
Sigma rules are YAML text files. A SIEM or a security administrator sends them to SES Evolution through its public API. For more information, see the Sigma documentation.
Stormshield has developed two import scripts used to send Sigma rules to the SES Evolution API, convert them to SES Evolution rules, and deploy them to the agents.
If you want to use API requests directly without the help of Stormshield scripts, see Enabling and managing SES Evolution's public API and the API documentation.
On the agents, Sigma rules are enforced through a dedicated advanced protection, Sigma Advanced Protection, which you enable in a rule set.

Prerequisites
- For security reasons, use only the official scripts provided and signed by Stormshield.
- The SES Evolution root certification authority must be present on the machine where the Sigma rule import scripts run. It lets the script verify the backend's TLS certificate, so the API key is never sent to a third party impersonating the backend. For more information, see the CA export and import procedure below.
  NOTE
  Machines hosting SES Evolution back office components already have the required certification authority.
- Sigma rules imported into SES Evolution must be detection rules of the Windows log event or Windows process creation type, or filter rules.
- You must have an API key with the Policy usage. For more information, see Enabling and managing SES Evolution's public API. Share this key only with people you trust.
- For security reasons, on Windows the script requires a version of the PSReadLine module higher than 2.0.4: from that version on, PSReadLine no longer writes commands containing sensitive terms such as "apikey" to its history file. For more information, see the Microsoft documentation.
- On Linux, the import script requires:
  - OpenSSL 3.x or higher.
  - Python with the pip and venv tools, and an activated virtual environment. For more information, see the Python documentation.
  - The script's Python dependencies, listed in the requirements.txt file that can be downloaded from your MyStormshield customer area, in the Downloads > SES Evolution > Tools section.

Importing the root CA
You must export the root certification authority (CA) from a machine that already trusts it, then import it on the machine where you are going to run the Stormshield scripts.
Exporting the CA
- Go to a machine that hosts an SES Evolution back office component: backend, agent handler, or administration console.
- In the Certificate Manager, select the SES Evolution Root CA and export it.
- Copy the exported CA file to the machine where you want to import it.
Importing the CA on a Windows machine
- Double-click the CA file and follow the instructions in the certificate import wizard.
Importing the CA onto a Linux machine
- Install the ca-certificates package.
- Convert the previously exported CA from DER to PEM (.crt) format using the following command:
openssl x509 -inform DER -in sesrootca.cer -out sesrootca.crt
  If the exported file already starts with -----BEGIN CERTIFICATE----- it is PEM-encoded: rename it to sesrootca.crt instead. Before trusting the file, compare its SHA-256 fingerprint with the one shown in the Certificate Manager on the back office machine.
- As root, copy the file into the system trust store:
Ubuntu/Debian | Red Hat |
---|---|
cp sesrootca.crt /usr/local/share/ca-certificates | cp sesrootca.crt /etc/pki/ca-trust/source/whitelist/ |
  On Red Hat, the trust anchor directory documented by update-ca-trust is /etc/pki/ca-trust/source/anchors/; use it if whitelist/ does not exist on your system.
- Finalize the CA import:
Ubuntu/Debian | Red Hat |
---|---|
update-ca-certificates | update-ca-trust |

Running the import scripts
- In your MyStormshield client area, Downloads > SES Evolution > Tools section, download the insert-sigma-rules-from-folder.ps1 script for Windows or the insert-sigma-rules-from-folder.py script for Linux.
- Group all your Sigma rules in the same directory, including the filter rules that link to them.
- On a Windows computer, open a PowerShell window in the directory where the script is located and run the following command:
.\insert-sigma-rules-from-folder.ps1 -Directory Sigma_Rules_Directory -HostName Backend_Address -ApiKey API_Key********
  On a Linux computer, run the following command:
python3 ./insert-sigma-rules-from-folder.py -directory Sigma_Rules_Directory -hostname Backend_Address -apiKey API_Key********
SES Evolution imports the Sigma rules, converts them, and deploys them to the agents.
The import status of each rule is shown on the screen, with an error message if a rule import fails.
A new version of Sigma Advanced Protection is created, visible in the administration console. Its description displays the number of rules it contains and its update date in UTC format. For further information, see Configuring advanced protections.
Individual rules are not visible in the console. To view the list of rules, use the API request /sigma/last-import-state. For further information, see the API documentation.
CAUTION
For security reasons, after using the script under Linux, make sure that the terminal history no longer contains any authentication information. Use the history -d <line number> command to delete the lines concerned. Note that, while the script runs, the key also appears in the process list (for example in ps output), so run the script on a host that only trusted administrators can log on to. On Windows, a PSReadLine version higher than 2.0.4 does not save commands containing the API key; if an older version was used, clean the PSReadLine history file (ConsoleHost_history.txt) as well.

Activating Sigma rules
There are two methods for activating Sigma rules in SES Evolution.
Use the Stormshield – Sigma Protection rule set
- In your MyStormshield client area, Downloads > SES Evolution > Tools section, download the Stormshield – Sigma protection.cab shared rule set.
- Add the rule set to the desired policies. For more information, see Creating a security policy.
By default, the rule set uses the latest version of Sigma Advanced Protection.
Enabling Sigma Advanced Protection in an existing rule set
For further information, see Configuring advanced protections.

Sigma logs
Like other logs, Sigma logs are visible in the agent interface and in the Agent logs panel of the administration console. However, they have the following specificities:
- When a Sigma rule is triggered by a process or by a Windows log event, it outputs a Protection log.
- The rule navigation button is hidden on these logs.
- The Sigma rule's title, author, and ID are displayed in the log details.
- SES Evolution converts Sigma severity levels as follows:
Sigma | SES |
---|---|
Informational | Notice |
Low | Warning |
Medium | Error |
High | Critical |
Critical | Alert |
For more information, see Monitoring SES Evolution agent activity.
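Because individual rules are only visible afterwards through /sigma/last-import-state, it pays to check a rule folder before spending the import on it. The following pre-flight check is an added example, not Stormshield's script or part of this page: it applies the constraints stated above (detection rules must target Windows process creation or a Windows event log, filter rules are accepted, and a filter's linked rules must sit in the same folder) and shows the SES severity each rule would produce using the conversion table. The sample rules are constructed, their UUIDs are placeholders, the use of PyYAML for loading files is an assumption, and the exact logsource fields the real importer accepts beyond what the page states are also assumed.

```python
"""Pre-flight check for a folder of Sigma rules before running the SES Evolution
import script.

Added example, not Stormshield code. It applies the constraints stated on this
page (Windows process-creation or Windows event-log detection rules, filter
rules whose linked rules are in the same folder) and the documented Sigma level
-> SES severity table. The sample rules, PyYAML loading and the exact logsource
fields accepted by the real importer are assumptions.
"""
from pathlib import Path

# Severity conversion as documented on this page (Sigma level -> SES level).
SEVERITY_MAP = {
    "informational": "Notice",
    "low": "Warning",
    "medium": "Error",
    "high": "Critical",
    "critical": "Alert",
}


def classify(rule):
    """Return (kind, problem) for one parsed rule.

    kind is 'filter', 'process_creation', 'windows_event' or 'unsupported';
    problem is None or the reason the importer would reject the rule.
    """
    source = rule.get("logsource") or {}
    if "filter" in rule:  # Sigma filter (meta) rule: has 'filter', not 'detection'
        linked = (rule.get("filter") or {}).get("rules") or []
        return "filter", None if linked else "filter rule links no rule IDs"
    if "detection" not in rule:
        return "unsupported", "neither a detection nor a filter rule"
    if str(source.get("product", "")).lower() != "windows":
        return "unsupported", f"logsource.product is {source.get('product')!r}, not windows"
    if source.get("category") == "process_creation":
        return "process_creation", None
    if source.get("service"):  # a Windows event log such as security, system, sysmon
        return "windows_event", None
    return "unsupported", f"logsource {source!r} is neither process_creation nor a Windows log"


def check_rules(rules):
    """rules: {filename: parsed rule dict}, i.e. what yaml.safe_load returns per file.

    Returns {filename: {'kind', 'ses_level', 'problems'}}; an empty 'problems'
    list means the file should import cleanly.
    """
    known_ids = {r.get("id") for r in rules.values() if isinstance(r, dict) and r.get("id")}
    report = {}
    for name, rule in rules.items():
        if not isinstance(rule, dict):
            report[name] = {"kind": "unsupported", "ses_level": None,
                            "problems": ["file is not a single YAML mapping"]}
            continue
        kind, problem = classify(rule)
        problems = [problem] if problem else []
        if kind == "filter":  # every linked rule must be in the same folder
            for ref in (rule.get("filter") or {}).get("rules") or []:
                if ref not in known_ids:
                    problems.append(f"filter links rule {ref}, which is not in the folder")
        ses_level = SEVERITY_MAP.get(str(rule.get("level", "")).lower())
        if kind != "filter" and ses_level is None:
            problems.append(f"level {rule.get('level')!r} is not a Sigma level")
        report[name] = {"kind": kind, "ses_level": ses_level, "problems": problems}
    return report


def load_folder(directory):
    """Parse every .yml/.yaml file in directory with PyYAML (assumed installed).

    Imported lazily so the checks above run with the standard library only.
    """
    import yaml  # pip install pyyaml
    rules = {}
    for path in sorted(Path(directory).glob("*.y*ml")):
        with open(path, encoding="utf-8") as fh:
            rules[path.name] = yaml.safe_load(fh)
    return rules


# Constructed sample folder (hypothetical rules; the UUIDs are placeholders).
SAMPLE_RULES = {
    "proc_whoami.yml": {
        "title": "Whoami Execution", "id": "11111111-1111-4111-8111-111111111111",
        "level": "low",
        "logsource": {"product": "windows", "category": "process_creation"},
        "detection": {"selection": {"Image|endswith": "\\whoami.exe"}, "condition": "selection"},
    },
    "evt_log_cleared.yml": {
        "title": "Security Log Cleared", "id": "22222222-2222-4222-8222-222222222222",
        "level": "high",
        "logsource": {"product": "windows", "service": "security"},
        "detection": {"selection": {"EventID": 1102}, "condition": "selection"},
    },
    "filter_admin_accounts.yml": {
        "title": "Filter Out Admin Accounts", "id": "33333333-3333-4333-8333-333333333333",
        "logsource": {"product": "windows", "category": "process_creation"},
        "filter": {"rules": ["11111111-1111-4111-8111-111111111111",
                             "99999999-9999-4999-8999-999999999999"],  # not in the folder
                   "selection": {"User|startswith": "ADM_"}, "condition": "not selection"},
    },
    "linux_shell.yml": {
        "title": "Linux Shell Spawn", "id": "44444444-4444-4444-8444-444444444444",
        "level": "medium",
        "logsource": {"product": "linux", "category": "process_creation"},
        "detection": {"selection": {"Image": "/bin/sh"}, "condition": "selection"},
    },
}


if __name__ == "__main__":
    import sys
    rules = load_folder(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RULES
    for name, result in check_rules(rules).items():
        status = "OK  " if not result["problems"] else "FAIL"
        print(f"{status} {name}: {result['kind']}, SES level {result['ses_level']}")
        for problem in result["problems"]:
            print(f"       - {problem}")
```

Run it with the path of your rule directory as the only argument; without an argument it checks the constructed samples, where the Linux rule and the filter pointing at a missing rule are flagged while the two Windows rules pass. Fix anything reported before handing the folder to insert-sigma-rules-from-folder, since the real importer makes the final decision.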