The following article exclusively pertains to a Graylog Security feature or functionality. Graylog Security is a part of the Graylog centralized log management platform and requires a separate license. Contact the Graylog Sales team for more information on this product.

Sigma rules can be imported and executed within the Graylog event processor. Sigma is a generic and open signature format that allows for the detection of suspicious or malicious activity. By importing sigma rules into Graylog, users can leverage these rules to detect potential threats within their environment.

Sigma rules are YAML text signatures that enable you to identify suspicious events in your environment by matching log events that might indicate adversarial behavior or cyber threats. These rules are essentially a collection of “search scripts” used to identify specific threats within your IT environment.

The sigma rule format has gained popularity within the SIEM community and is quickly becoming a common interchange for rules.

Graylog's sigma rule processor allows users to connect to the SigmaHQ GitHub repository and make use of the 2100+ supported rules ranging from simple and specific to more complex and generic rules. This offering makes it possible for users to detect and alert on suspicious or unusual activity in their Graylog setup by matching Graylog messages against a variety of sigma rules.

With Graylog and sigma rules, you can:

  • Import rules directly from the SigmaHQ repository which is publicly accessible on GitHub.

  • Import rules from any public Git repo.

  • Manually add your own rules via a YAML text editor.

  • Clone an existing rule.

  • Associate a rule with 1 to N streams in Graylog.

  • Define how often and over what time window the rule should run.

How It Works

Sigma rules can be added manually or imported from the SigmaHQ GitHub repo or a public Git repo.

They can generate resource-intensive queries that could potentially stress or crash the search backend. Some rules use wildcard queries, which are not moderated or flagged as they are elsewhere in Graylog. In order to test the performance of individual rules, we recommend you use the Search Logs option before activating the sigma rule.

Import Sigma Rules from SigmaHQ's Repo

1. From your Graylog interface, navigate to the Security tab and select Sigma Rules from the left-pane menu.

2. On the resulting page click on the Add Rule button and select Import From Git.

3. Select the sigma rule(s) you want to use from the SigmaHQ repository. Then, confirm your selections, and the selected rules will be imported into Graylog.

4. Every Sigma rule is automatically associated with an event definition when created; however, users can edit event definitions by clicking on the ellipsis against the rule to be modified and selecting the Edit Event Definition option. Users can add fields and notifications and change the title, description, and priority.

Warning: Do not change the condition type of an event definition. This will break the connection between the sigma rule and the event definition, and it will no longer operate correctly. Changing it to either Filter & Aggregation or Correlation will create a completely different event definition.

Each sigma rule imported into Graylog can also directly execute as a search, which can help both when writing new rules as well as understanding existing ones.

From the Sigma Rules page, users can then enable the imported sigma rules by toggling the Enable button. Users can also use the Bulk Actions feature to enable, disable, or delete all imported sigma rules.

HintWhen a sigma rule is imported from Git, it is by default set to run every 5 minutes. Users can change this default setting by simply clicking on the ellipsis against the sigma rule, selecting Edit from the menu options, and changing the default run time.

Import Sigma Rules from Public Git Repo

Graylog 5.1 introduces the ability to allow users import sigma rules from any public Git repository in addition to SigmaHQ. All added repositories will be available and visible under the Import Rule menu with the rules they contain for users to select for import. To import sigma rules from repositories other than that of SigmaHQ, follow the steps below:

1. Navigate to the Sigma Config tab from the main Sigma Rules page and here, users have the option to either add the SigmaHQ repository, which will make the rules available without any additional configuration, or add a different repository after first configuring some options.

2. If theAdd SigmaHQ option is selected, the available rules will be automatically pulled, and SigmaHQ will be added to the list of available repositories.

3. If users select the Add Repository option, a configuration modal will appear, prompting users to fill out the data fields listed below:

Hint: Only .yml files are accepted.

  • Name: The name of the repository as it will appear in Graylog. This can be any name, but it must be unique within Graylog.

  • Branch: A specific branch in the repository can be specified. If left blank, the Git repository will default to its default branch.

  • Git Repo URI: The URI of the repository e.g. https://github.com/MyGitRepo/myrepo.git.

  • Directories with rules: Allows users to only pull rules from specific directories within the repository. If left blank the entire repository will be scanned for rules.

4. When users confirm their configuration parameters, Graylog will scan and validate any .yml or .yaml files found in the repository, and correctly formatted and supported rules will be made available for import. Any file that is not .yml will be skipped. All .yml rule files found will be validated (i.e. correctly formatted according to the sigma specification) so that the rule is supported in Graylog. Users will see warnings about any rules that do not pass validation, and they will be skipped.

5. Once repositories are added they will appear in the list of current repositories.

During the Add Repository operation, Graylog pulls Git data to the disk of the system running the Graylog server to populate the list of available rules. Once the operation completes, the files are removed. By default, the files will be temporarily saved to a temp directory; however, users with unique system requirements or permissions have the option to specify where these files will be saved. This can be done by adding the sigma_git_repository_dir entry in their server configuration file. e.g. sigma_git_repository_dir=/etc/graylog/sigma_data.

Managing Imported Repos

From the list of imported repositories, on the Sigma Repos page, you can perform the following actions. These actions can be done on a single repository by clicking on the ellipses to the right of a selected repo.

  • Edit: Update the branch or directories from which to source rules.

  • Import All: Imports all valid rules in a repository into Graylog. A sigma rule configuration menu will appear with the standard rule options that will apply to all rules imported in this action.

  • Refresh: Refreshes the list of available rules, if for instance, rules have been added or changed in the Git repository.

  • Delete: Deletes the repository metadata from Graylog. The rules will no longer be available to import, but any rules that were added will remain.

Delete can also be done in bulk by selecting one or more repository check boxes and clicking Bulk Actions:

All added repositories will now be available in the Current Repos page.

Clicking a repository (and any sub directories) will show all valid rules in the repository to be selected for import.

Manually Add Sigma Rules

  1. From your Graylog user interface, navigate to the Security tab and select Sigma Rules from the left pane menu.

  2. On the resulting page, select Manual Add. This brings up a YAML editor where you can either directly make your rule(s) or copy from the sigma Git repository and paste it into the editor.

  3. The YAML editor will notify you if required fields are missing (e.g. title) or if a field should be of a certain type (e.g. string) before you attempt to save and exit. If a user attempts to use an unsupported search modifier or inputs an aggregation in the conditions field, they will receive a notification that those inputs are not supported.

The Supported Sigma Rule Modifiers and Operators table in the next section provides users with currently supported features, rule specifications for Graylog, fields required by us that might not be required by the sigma specifications, and conditions and modifiers we do or do not support. This will help guide you when creating or importing rules. 

When you create sigma rules, an event definition will also be created. This is because events need streams (optional streams) and search windows (to know over what time window and how frequently to search) in order to function properly. These options are configurable on the user interface and can also be specified in the YAML editor.

Supported Sigma Rule Modifiers and Operators

Graylog Illuminate ships with a lookup table that will translate some of the most common fields found in sigma rules within the SigmaHQ repository into GIM fields. This will allow many rules to work seamlessly within Graylog Illuminate processing. If those translations need to be overridden or added to, the lookup table can be customized. Refer to the Lookup Table Customization documentation for more information. Fields in the sigma rule will be translated using this lookup table each time a sigma rule search is executed. If no value exists in the lookup table, the field provided in the sigma rule itself will be used.

Component Sigma Spec Requirement
Title

required
Id

optional
Related

optional
Status

optional
Description

optional
Author

optional
References

optional
Log Source

required
Category

optional
Product

optional
Service

optional
Definition

optional
Detection

required
Search-Identifier

optional
{string-list}

optional
{field: value}

optional
Timeframe

optional
Condition

required
Fields

optional
False Positives

optional
Level

optional
Tags

optional
[arbitrary custom fields]

optional

 

Special Field Values Current Support

'' (Empty Value)

Not Supported

null

Not Supported
Value Modifiers

contains

Supported

all

Supported

base64

Not Supported

base64offset

Not Supported

endswith

Supported

startswith

Supported

utf16le

Not Supported

utf16be

Not Supported

wide

Not Supported

utf16

Not Supported

windash

Not Supported

re

Supported

 

Expressions Current Support

Logical AND/OR

Supported

1/all of search-identifier

Supported

1/all of them

Not Supported

1/all of search-identifier-pattern

Supported

Negation with 'not'

Supported

Brackets (parenthesis)

Supported

Wildcards (e.g. selection*)

Supported

Pipe (deprecated) |

Not Supported

Aggregation expression (deprecated)

Not Supported

Near aggregation expression (deprecated)

Not Supported

Create a Sigma Rule with Regex

Sigma rules with regular expressions (Regex) can be imported or created and used the same way as any other rule.

Hint: Sigma rules written with Regex must follow the Elasticsearch regular expression dialect.

Creating a rule by adding the sigma re modifier to a selection field name will trigger Graylog to interpret and craft the internal query with Regex. For example: 

Copy 
detection:
    selection:
        WorkstationName|re: '^[A-Za-z0-9]{16}$'
    condition: selection

This would result in the internal query: WorkstationName: /[A-Za-z0-9]{16}/

A large number of the rules published by SigmaHQ contain regular expressions that are not technically supported. We have added two cases where Graylog will translate the rules into Elasticsearch Regex dialect:

  1. Digits - \d will be converted to [0-9].

  2. Anchors - ^$ e.g. ^<regex>$ - Elasticsearch syntax does not support anchor characters, but queries are anchored by default. Graylog will remove the unsupported anchor characters and add wildcards to achieve the same result.

    1. ^<regex>$ will be converted to <regex>

    2. ^<regex> will be converted to <regex>.*

    3. <regex>$ will be converted to .*<regex>

    For more info on anchoring, click here

Warning: Rules may be created without validating their correct Regex syntax. In this situation, the rules will succeed in being created but may not achieve the desired results.

Regex Use Case Scenario

Here are some examples of how regex can be used in sigma rules:

  • A piece of malware is known to generate a .tmp file with a random eight character filename in the \Windows\System32 directory. We want to detect file creation for any .tmp files created in the \Windows\System32 directory that are exactly eight characters long.

Copy 
detection:
    selection:
        Image|endswith: '\svchost.exe'
        TargetFilename|re: '\\Windows\\System32\\[a-zA-Z0-9]{8}\.tmp$'
    condition: selection

  • An indicator of PowerShell abuse is very long commands. We want to detect any PowerShell commands that are 1000 characters or longer.

Copy 
detection:
    selection_powershell:
        - CommandLine|contains:
            - 'powershell'
            - 'pwsh'
    selection_length:
        CommandLine|re: '.{1000,}'
    condition: all of selection*

Assigning Notifications to Sigma Rules

You can assign notifications for sigma rules within the sigma rules workflow. When you edit a sigma rule, a Notifications field with a drop-down menu option appears. If you have existing notifications configured, then they will appear in the Notifications field and when creating or editing a sigma rule.

Bulk Notifications

When importing one or more rules, you have the ability to apply notifications to all rules at once by selecting from the drop-down and selecting Use these settings on all rules. Additionally, individual notifications can be selected for each specific rule.

For existing rules, one or more can be selected, and then users can click Bulk Actions < Add Notification .

Here, users can select which notifications to add.

Hint: Note that the bulk add notification feature for sigma rules is strictly additive, i.e. any new notifications will be added to existing notifications, and any already existing notifications for the rules will remain.