As organizations grow, they naturally need to analyze logs from more data sources. But as these data sources expand in number and type, it becomes more difficult for teams to scale their security detection rules to keep up with the ever-changing threat landscape. Sigma is an open source project that aims to address this challenge. By leveraging the expertise of the open source community, Sigma enables security teams to implement out-of-the-box rules that cover a wide range of threat scenarios.
We’re excited to announce that you can now integrate Sigma rules with Datadog Cloud SIEM, allowing your security teams to quickly and easily detect threats in your environment at an early stage and boost your detection landscape.
In this post you’ll learn how to:
- Leverage Sigma rules to scale security expertise
- Convert Sigma detection rules to Datadog format
- Send Sigma detection rules to Datadog Cloud SIEM
Understanding Sigma rules
The Sigma rules repository contains detection rules for popular log sources, such as AWS CloudTrail. These rules are written in a standardized format that simplifies the way rules are created, shared, and implemented across a variety of security tools.
The open source community contributes and regularly updates these rules to cover a wide range of threat scenarios, enabling security teams to continuously improve their security posture and keep up with emerging trends in the security world.
By integrating Sigma rules into Datadog Cloud SIEM, your security teams can leverage expertise from the open source security community to enhance your detection capabilities—without building detection logic from scratch.
Convert Sigma rules to Datadog format
To integrate Sigma rules with Datadog Cloud SIEM, you first need to install the Sigma CLI. Next, you will need to clone the Sigma rules repository. (Note that Datadog currently only supports AWS CloudTrail, Google Cloud, and Azure rules.) Then install the Datadog plugin using sigma plugin install datadog and enter the following command to convert a rule from Sigma format to Datadog format: sigma convert -t datadog [rule path]. For more detailed instructions, see the pySigma-backend-datadog documentation.
How to send a Sigma detection rule to Datadog Cloud SIEM
Once you have converted a Sigma rule to Datadog format, you should verify its content for accuracy before sending it to Datadog. By default, the Datadog pySigma backend maps attributes to Datadog log facets that can be used to query logs. Some rules may include field attributes that are not mapped by default, so verifying the accuracy of the field mappings within the queries is crucial for ensuring proper coverage. Unmapped fields that are not reflected in our pySigma backend’s cloud provider pipelines will be prefaced with an @ and should be updated to reflect your organization’s custom field mappings.
To check your field mappings, navigate to Logs > Configuration in the Datadog app and click the dropdown arrow next to the log source for the converted rule or query, as shown in the following screenshot. The remapper fields indicate how each field attribute is represented in Datadog’s query syntax. To learn more about standardizing log attributes, see our guide. For more information about how Datadog uses remapper processors to enrich logs, check out our documentation.
As an example, in the screenshot above, we can see that the Azure log attribute, identity.claims.ipaddr is remapped to network.client.ip, which can be queried as @network.client.ip in Datadog. Attribute remappings help you standardize log attribute names from different sources, making it easier to search and analyze your logs. You can learn more by reading our documentation.
Once a rule has been converted and the facets have been validated for accuracy, you can import it to Datadog Cloud SIEM by sending a curl request to Datadog’s security_monitoring/rules API endpoint, as shown below. Note that you will need to pass the JSON output from the sigma convert command you ran earlier.
curl --location 'https://api.datadoghq.com/api/v2/security_monitoring/rules' \
--header 'DD-APPLICATION-KEY: ${APPLICATION_KEY}' \
--header 'Content-Type: application/json' \
--header 'DD-API-KEY: ${API_KEY}' \
--data-raw '${CONVERTED_SIGMA_RULE_AS_JSON_OBJECT}'Once you’ve successfully sent the POST request, you can view the detection rule in your environment under Security > Cloud SIEM > Detection Rules. You can then modify your rule in the UI to fine-tune the coverage for your environment.
Get started
With Datadog’s PySigma backend, you can now enhance your security detection coverage and expertise by implementing Sigma rules in Datadog Cloud SIEM. If you’re already a Datadog customer, you can start exploring the new Datadog pySigma backend now. And if you’re new to Datadog, get started today with a 14-day free trial.
