Execute Sigma rules
Tenzir supports executing Sigma rules using the sigma operator. This allows you to run your Sigma rules in a dataflow pipeline. The operator transpiles the provided rules into an expression and wraps matching events into a sighting record along with the matched rule.
Semantically, you can think of executing Sigma rules as applying the where operator to the input, followed by put to encapsulate the input into a new record. At a high level, the translation process looks as follows:
Unlike the legacy sigmac compiler that tailors a rule to a specific backend, like Elastic or Splunk, the sigma operator only transpiles the structural YAML rules to produce an expression that is then used to filter a dataflow. In the future, we would like to write a native Tenzir backend for pySigma. Please reach out on our Discord if you would like to help us with that!
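To make the "where followed by put" semantics concrete, here is an added example (not Tenzir's code) that transpiles a small Sigma rule into a Python predicate, filters constructed process-creation events with it, and wraps each match in a sighting record. The rule, the events, the `{"event": ..., "rule": ...}` sighting shape and the supported Sigma subset (the contains/startswith/endswith modifiers and flat and/or/not conditions) are my own simplifications, not Tenzir's implementation.

```python
# Constructed Sigma rule, as a YAML loader would return it (the id is a placeholder).
RULE = {
    "title": "Whoami Execution",
    "id": "PLACEHOLDER-RULE-ID",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": "\\whoami.exe"},
        "filter": {"ParentImage|endswith": ["\\cmd.exe"]},
        "condition": "selection and not filter",
    },
}
# Sigma string matching is case-insensitive; "" is the plain-equality (no modifier) case.
MODIFIERS = {
    "": lambda v, p: v.lower() == p.lower(),
    "contains": lambda v, p: p.lower() in v.lower(),
    "startswith": lambda v, p: v.lower().startswith(p.lower()),
    "endswith": lambda v, p: v.lower().endswith(p.lower()),
}

def compile_selection(sel):
    """Fields within a selection are AND-ed; a list of values for one field is OR-ed."""
    clauses = []
    for key, values in sel.items():
        field, _, mod = key.partition("|")
        vals = values if isinstance(values, list) else [values]
        clauses.append((field, MODIFIERS[mod], [str(v) for v in vals]))
    return lambda e: all(f in e and any(m(str(e[f]), v) for v in vs) for f, m, vs in clauses)

def compile_condition(cond, sels):
    """Supports `a and b`, `a or b`, `not a` (precedence not > and > or; no parentheses)."""
    def term(t):
        name = t.removeprefix("not ")
        return (lambda e: not sels[name](e)) if t.startswith("not ") else sels[name]
    conj = [[term(t) for t in c.split(" and ")] for c in " ".join(cond.split()).split(" or ")]
    return lambda e: any(all(t(e) for t in ts) for ts in conj)

def run_sigma(rule, events):
    """The where + put semantics: keep matching events, wrap each with the matched rule."""
    det = rule["detection"]
    sels = {k: compile_selection(v) for k, v in det.items() if k != "condition"}
    matches = compile_condition(det["condition"], sels)
    return [{"event": e, "rule": {"title": rule["title"], "id": rule["id"]}}
            for e in events if matches(e)]
# Constructed process-creation events, shaped like fields evtx_dump emits as JSON.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\whoami.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\WHOAMI.EXE", "ParentImage": "C:\\Temp\\svc.exe"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
]
```

Running `run_sigma(RULE, EVENTS)` yields exactly one sighting: the second event matches the selection case-insensitively and is not excluded by the filter, while the first is dropped because its parent is cmd.exe.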
Run a Sigma rule on an EVTX file
You can run a Sigma rule on any pipeline input. For example, to apply a Sigma rule to an EVTX file, we can use the utility evtx_dump to convert the binary EVTX format into JSON and then pipe it to sigma on the command line: