
kanugurajesh/Siem-Converter


🌟 Please Star my repo if you like it

SigTrans

A React web app that takes a Sigma rule and translates it into a SIEM search query, using the pySigma library

Prerequisites

Local Setup

1. git
2. npm
3. python

Docker Setup

1. Docker

Folder Structure

.
├── README.md
├── backend
│   ├── Dockerfile
│   ├── README.md
│   ├── __pycache__
│   ├── env
│   ├── main.py
│   └── requirements.txt
├── docker-compose.yml
├── folder_structure.txt
└── frontend
    ├── Dockerfile
    ├── README.md
    ├── components.json
    ├── index.html
    ├── node_modules
    ├── package-lock.json
    ├── package.json
    ├── postcss.config.js
    ├── public
    ├── src
    ├── tailwind.config.js
    ├── tsconfig.json
    ├── tsconfig.node.json
    └── vite.config.ts

Installation

Local Setup

1. Clone the repository
2. cd into the repository
3. cd into the frontend folder and follow the installation instructions in its README
4. cd into the backend folder and follow the installation instructions in its README
5. Open http://localhost:5173 and start using the application

Docker Setup

1. Run docker-compose up
2. Wait for the images to build and both containers to start
3. Open http://localhost:5173 and start using the application

Project Demo

Watch the demo video (linked from the image in the repository README).

Sample Input

A sample rule.yml file is provided in the root directory of the project; use it to test the application, or paste in the following rule.

    title: Suspicious SYSTEM User Process Creation
    id: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09
    status: test
    description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
    references:
        - Internal Research
        - https://tools.thehacker.recipes/mimikatz/modules
    author: Florian Roth (rule), David ANDRE (additional keywords)
    date: 2021/12/20
    modified: 2022/04/27
    logsource:
        category: process_creation
        product: windows
    detection:
        selection:
            IntegrityLevel: System
            User|contains: # covers many language settings
                - 'AUTHORI'
                - 'AUTORI'
        selection_special:
            - Image|endswith:
                - '\calc.exe'
                - '\wscript.exe'
                - '\cscript.exe'
                - '\hh.exe'
                - '\mshta.exe'
                - '\forfiles.exe'
                - '\ping.exe'
            - CommandLine|contains:
                # - 'sc stop ' # stops a system service # causes FPs
                - ' -NoP '  # Often used in malicious PowerShell commands
                - ' -W Hidden '  # Often used in malicious PowerShell commands
                - ' -decode '  # Used with certutil
                - ' /decode '  # Used with certutil
                - ' /urlcache '  # Used with certutil
                - ' -urlcache '  # Used with certutil
                - ' -e* JAB'  # PowerShell encoded commands
                - ' -e* SUVYI'  # PowerShell encoded commands
                - ' -e* SQBFAFgA'  # PowerShell encoded commands
                - ' -e* aWV4I'  # PowerShell encoded commands
                - ' -e* IAB'  # PowerShell encoded commands
                - ' -e* PAA'  # PowerShell encoded commands
                - ' -e* aQBlAHgA'  # PowerShell encoded commands
                - 'vssadmin delete shadows'  # Ransomware
                - 'reg SAVE HKLM'  # save registry SAM - syskey extraction
                - ' -ma '  # ProcDump
                - 'Microsoft\Windows\CurrentVersion\Run'  # Run key in command line - often in combination with REG ADD
                - '.downloadstring('  # PowerShell download command
                - '.downloadfile('  # PowerShell download command
                - ' /ticket:'  # Rubeus
                - 'dpapi::'     #Mimikatz
                - 'event::clear'        #Mimikatz
                - 'event::drop'     #Mimikatz
                - 'id::modify'      #Mimikatz
                - 'kerberos::'       #Mimikatz
                - 'lsadump::'      #Mimikatz
                - 'misc::'     #Mimikatz
                - 'privilege::'       #Mimikatz
                - 'rpc::'      #Mimikatz
                - 'sekurlsa::'       #Mimikatz
                - 'sid::'        #Mimikatz
                - 'token::'      #Mimikatz
                - 'vault::cred'     #Mimikatz
                - 'vault::list'     #Mimikatz
                - ' p::d '  # Mimikatz
                - ';iex('  # PowerShell IEX
                - 'MiniDump'  # Process dumping method apart from procdump
                - 'net user '
        condition: all of selection*
    falsepositives:
        - Administrative activity
        - Scripts and administrative tools used in the monitored environment
        - Monitoring activity
    level: high
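
To make the translation step concrete, here is an added example written for this page (it is not the SigTrans backend's code and it does not use pySigma's API, which is what the project actually delegates to). It implements, with the standard library only, the subset of Sigma the rule above exercises: a selection map whose fields are AND-ed, a list of maps that is OR-ed, value lists that are OR-ed, the contains/endswith modifiers, and the `all of selection*` condition. It emits a Splunk SPL expression and also evaluates the same detection directly against events, so the two can be compared. The detection block is the sample rule trimmed to a handful of values and written as a Python dict (no YAML parser needed); the SPL quoting convention and the four process-creation events are constructed for the example.

```python
"""
Toy Sigma -> Splunk SPL translator plus an in-process matcher for the same
detection block. Added example for this page; not SigTrans or pySigma code.
Covers: selection maps (AND of fields), lists of maps (OR), value lists (OR),
the contains/startswith/endswith modifiers, "all of X*" / "1 of X*" conditions.
"""
import fnmatch
import re
from typing import Any, Dict, List, Tuple

# Constructed: the sample rule's detection block, trimmed to a few values and
# written as a dict so the example runs without a YAML library.
SAMPLE_DETECTION: Dict[str, Any] = {
    "selection": {
        "IntegrityLevel": "System",
        "User|contains": ["AUTHORI", "AUTORI"],
    },
    "selection_special": [
        {"Image|endswith": ["\\calc.exe", "\\wscript.exe", "\\mshta.exe"]},
        {"CommandLine|contains": [" -NoP ", " -e* JAB", "sekurlsa::", "vssadmin delete shadows"]},
    ],
    "condition": "all of selection*",
}

def _glob(field_spec: str, value: str) -> Tuple[str, str]:
    """Split 'Field|modifier' and shape the value as a glob. Sigma's '*' is already
    a wildcard and passes through; '?' and '[' would need escaping (none here)."""
    field, _, modifier = field_spec.partition("|")
    shapes = {"": value, "contains": f"*{value}*", "startswith": f"{value}*", "endswith": f"*{value}"}
    if modifier not in shapes:
        raise ValueError(f"unsupported modifier: {modifier!r}")
    return field, shapes[modifier]

def _resolve(detection: Dict[str, Any]) -> Tuple[str, List[str]]:
    """Parse 'all of X*' / '1 of X*' into (quantifier, matching selection names)."""
    m = re.fullmatch(r"(all|1) of (\S+)", detection["condition"].strip())
    if not m:
        raise ValueError("only 'all of X' and '1 of X' conditions are supported here")
    quant, pattern = m.groups()
    names = [n for n in detection if n != "condition" and fnmatch.fnmatchcase(n, pattern)]
    if not names:
        raise ValueError(f"condition references no selection: {pattern}")
    return quant, names

def spl_quote(glob: str) -> str:
    """Quote a value for SPL: backslashes and double quotes are escaped so a rule
    value cannot break out of the string literal and inject search syntax."""
    return '"' + glob.replace("\\", "\\\\").replace('"', '\\"') + '"'

def _map_spl(mapping: Dict[str, Any]) -> str:
    """One selection map: fields are AND-ed, a list of values for a field is OR-ed."""
    parts = []
    for spec, val in mapping.items():
        terms = [f"{f}={spl_quote(g)}" for f, g in
                 (_glob(spec, str(v)) for v in (val if isinstance(val, list) else [val]))]
        parts.append(terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")")
    return parts[0] if len(parts) == 1 else "(" + " AND ".join(parts) + ")"

def to_spl(detection: Dict[str, Any]) -> str:
    """Translate the detection block into a Splunk search expression."""
    quant, names = _resolve(detection)
    exprs = [_map_spl(detection[n]) if isinstance(detection[n], dict)
             else "(" + " OR ".join(_map_spl(m) for m in detection[n]) + ")" for n in names]
    return (" AND " if quant == "all" else " OR ").join(exprs)

def _map_hits(mapping: Dict[str, Any], event: Dict[str, str]) -> bool:
    """Evaluate one selection map against an event. Sigma string matching is
    case-insensitive, hence the lower() on both sides."""
    for spec, val in mapping.items():
        values = val if isinstance(val, list) else [val]
        if not any(fnmatch.fnmatchcase(str(event.get(f, "")).lower(), g.lower())
                   for f, g in (_glob(spec, str(v)) for v in values)):
            return False
    return True

def matches(detection: Dict[str, Any], event: Dict[str, str]) -> bool:
    """Apply the detection to an event with the same semantics to_spl() encodes."""
    quant, names = _resolve(detection)
    results = [_map_hits(detection[n], event) if isinstance(detection[n], dict)
               else any(_map_hits(m, event) for m in detection[n]) for n in names]
    return all(results) if quant == "all" else any(results)

# Constructed process-creation events using Sysmon-style field names.
EVENTS: Dict[str, Dict[str, str]] = {
    "mshta_as_system": {"IntegrityLevel": "System", "User": "NT AUTHORITY\\SYSTEM",
                        "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe C:\\Temp\\p.hta"},
    "encoded_ps_as_system": {"IntegrityLevel": "System", "User": "NT AUTHORITY\\SYSTEM",
                             "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                             "CommandLine": "powershell.exe -NoP -W Hidden -enc JABzAGUAYwA="},
    "benign_svchost": {"IntegrityLevel": "System", "User": "NT AUTORITÉ\\SYSTÈME",
                       "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs -p"},
    "mimikatz_as_user": {"IntegrityLevel": "High", "User": "CORP\\alice",
                        "Image": "C:\\Users\\alice\\mimikatz.exe", "CommandLine": "mimikatz.exe sekurlsa::logonpasswords"},
}

if __name__ == "__main__":
    print(to_spl(SAMPLE_DETECTION))
    for name, event in EVENTS.items():
        print(f"{name}: {matches(SAMPLE_DETECTION, event)}")
```

Running it prints the SPL and one verdict per event: the two SYSTEM-context events that hit a suspicious image or command line match, the benign svchost run (SYSTEM, but nothing from selection_special) does not, and the mimikatz run as a normal user does not because the `all of` condition also requires the SYSTEM selection. Two points carry over to the real backend regardless of which library does the translation: a rule submitted from the browser is untrusted input, so every value must be quoted for the target query language (a value containing `"` would otherwise terminate the string and inject search syntax) and the YAML should go through a safe loader; and the generated query must keep the rule's semantics, so checking a backend's output against what a direct evaluator like `matches()` says for the same events is a cheap way to catch escaping or operator-precedence mistakes.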

Tech Stack

  • React.js
  • FastAPI
  • shadcn/ui
  • pySigma
