Question

Creating Alert Rules PAK File

  • 9 October 2021
  • 2 replies
  • 222 views

Hi,

I want to integrate many of the Sigma rules found here:

https://github.com/SigmaHQ/sigma

I was able to translate them into the Logpoint query language, and now I want to import them as alert rules.

Doing each one manually in the GUI is a very time-consuming/impossible task.

Is there a way to import alert rules besides the .PAK files? Or is there a definition of how such a .PAK file looks?

Best Regards

Timo

2 replies

Hi Timo,

You might find that a lot of the Sigma rules are already present as vendor alerts in LogPoint - I know they were often not easy to find, but hopefully with the changes in 6.12 you can more easily spot the rules that are already there. The LogPoint queries generated by the Sigma encoder are often “suboptimal”, i.e. full-text searches, not using lists, etc.

PAK files are generated programmatically and signed, so unfortunately it’s not possible to create them yourself. However, one thing that might work is using the XML produced by LogPoint “Sync” - I have used it myself in limited forms to ingest configuration data into LogPoint. You can check the XML file it produces by exporting from your LogPoint, and you can then cut it down to just the section that you need and import it with any changes. I have only tried it with some user accounts, but there is no reason it couldn’t work for alerts provided the XML is valid. Perhaps worth trying out on a test VM first.

Other than that, there is a feature request for programmatic creation of alert rules; it just unfortunately hasn’t made it into the product yet :(

Nils.
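The workflow Nils describes (export the "Sync" XML, cut it down to the one section you need, make sure what you feed back is still valid XML) is easy to get wrong by hand when you are generating dozens of entries. The script below is an added example, not code from the thread or from LogPoint: it uses only the Python standard library, and the element names in the constructed sample (`export`, `alert_rules`, `alert_rule`, `query`) are hypothetical placeholders standing in for whatever the real export uses, so adapt the tag names to the structure you see in your own export. It keeps just the chosen section, appends alert entries built from a list of already-converted queries, and checks well-formedness before anything is imported.

```python
import xml.etree.ElementTree as ET

# Constructed sample standing in for a LogPoint "Sync" export.
# The element names are hypothetical placeholders, not LogPoint's real schema;
# inspect a genuine export from your own instance and adjust the tags below.
SAMPLE_EXPORT = """<export>
  <users>
    <user name="alice" role="admin"/>
  </users>
  <alert_rules>
    <alert_rule name="Existing rule">
      <query>placeholder query text</query>
    </alert_rule>
  </alert_rules>
</export>
"""


def is_well_formed(xml_text: str) -> bool:
    """Return True if the text parses as XML; the import will reject anything else."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def extract_section(xml_text: str, section_tag: str) -> str:
    """Keep only the named top-level section, wrapped in the original root element.

    This mirrors the 'cut it down to just the section you need' step so that
    unrelated objects (users, etc.) are not accidentally re-imported.
    """
    root = ET.fromstring(xml_text)
    section = root.find(section_tag)
    if section is None:
        raise ValueError(f"no <{section_tag}> section found in export")
    new_root = ET.Element(root.tag)
    new_root.append(section)
    return ET.tostring(new_root, encoding="unicode")


def add_alert_rules(xml_text: str, section_tag: str, rules: list[tuple[str, str]]) -> str:
    """Append one <alert_rule> per (name, query) pair to the chosen section.

    The queries are expected to be the already-translated LogPoint queries;
    ElementTree escapes any special characters so the result stays well-formed.
    """
    root = ET.fromstring(xml_text)
    section = root.find(section_tag)
    if section is None:
        raise ValueError(f"no <{section_tag}> section found in export")
    for name, query in rules:
        rule_el = ET.SubElement(section, "alert_rule", {"name": name})
        query_el = ET.SubElement(rule_el, "query")
        query_el.text = query
    return ET.tostring(root, encoding="unicode")


def count_entries(xml_text: str, section_tag: str, entry_tag: str) -> int:
    """Count entries under a section, useful as a sanity check before importing."""
    root = ET.fromstring(xml_text)
    return len(root.findall(f"{section_tag}/{entry_tag}"))


if __name__ == "__main__":
    # Constructed list of (rule name, translated query) pairs.
    converted = [
        ("Sigma rule A", 'label=Example "placeholder A"'),
        ("Sigma rule B", 'label=Example "placeholder B" <>'),
    ]
    section_only = extract_section(SAMPLE_EXPORT, "alert_rules")
    result = add_alert_rules(section_only, "alert_rules", converted)
    assert is_well_formed(result)
    print(count_entries(result, "alert_rules", "alert_rule"), "alert rules ready for import")
    print(result)
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the file contents and the tag names with the ones you see there; as Nils suggests, try the resulting file on a test VM first, and use `count_entries` to confirm the number of rules that came out matches the number you converted.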

Hi Nils,

Thanks, the “Sync” approach is working fine as it looks.

Best Regards