SIEM Backends
CloudSigma converts Sigma rules to native query formats for 6 SIEM platforms using pySigma backends.
Supported Backends
Splunk
| Property | Value |
|---|---|
| Backend ID | splunk |
| Output format | SPL (Search Processing Language) |
| pySigma backend | pySigma-backend-splunk |
Example output:

```
index=cloudtrail eventName="CreateAccessKey" | table _time eventName sourceIPAddress userIdentity.arn
```

Microsoft Sentinel

| Property | Value |
|---|---|
| Backend ID | sentinel |
| Output format | KQL (Kusto Query Language) |
| pySigma backend | pySigma-backend-microsoft365defender |
Example output:

```
CloudTrailLogs
| where EventName == "CreateAccessKey"
| project TimeGenerated, EventName, SourceIpAddress, UserIdentityArn
```

Elasticsearch

| Property | Value |
|---|---|
| Backend ID | elasticsearch |
| Output format | Lucene query syntax |
| pySigma backend | pySigma-backend-elasticsearch |
Example output:

```
eventName:"CreateAccessKey"
```

Google Chronicle

| Property | Value |
|---|---|
| Backend ID | chronicle |
| Output format | UDM Search queries |
| pySigma backend | pySigma-backend-chronicle |
Example output:

```
metadata.event_type = "USER_RESOURCE_ACCESS" AND target.resource.name = "CreateAccessKey"
```

OpenSearch

| Property | Value |
|---|---|
| Backend ID | opensearch |
| Output format | Lucene / DQL query syntax |
| pySigma backend | pySigma-backend-opensearch |
Example output:

```
eventName:"CreateAccessKey"
```

Google SecOps

| Property | Value |
|---|---|
| Backend ID | google_secops |
| Output format | YARA-L rules |
| pySigma backend | pySigma-backend-google-secops |
Example output:

```
rule aws_iam_access_key_creation {
  meta:
    author = "CloudSigma"
  events:
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.target.resource.name = "CreateAccessKey"
  condition:
    $e
}
```

Specifying Backends
Pass backend IDs in the `targetSiems` option when calling `POST /v1/generate`:

```bash
curl -X POST https://cloudsigma.a13e.com/v1/generate \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "inputType": "url",
    "url": "https://example.com/advisory",
    "options": {
      "targetSiems": ["splunk", "sentinel", "chronicle"]
    }
  }'
```

Omit `targetSiems` to convert to all 6 backends.

Conversion in Response
Converted queries appear in each rule's `conversions` object:

```json
{
  "rules": [
    {
      "yaml": "title: AWS IAM Access Key Creation...",
      "title": "AWS IAM Access Key Creation",
      "conversions": {
        "splunk": "index=cloudtrail eventName=\"CreateAccessKey\"",
        "sentinel": "CloudTrailLogs | where EventName == \"CreateAccessKey\""
      }
    }
  ]
}
```

Only the requested backends appear in `conversions`.

Backend Compatibility
Not all Sigma features are supported equally across backends. pySigma handles translation differences automatically, but some complex detection logic may produce simpler queries in certain backends.
| Feature | Splunk | Sentinel | Elasticsearch | Chronicle | OpenSearch | Google SecOps |
|---|---|---|---|---|---|---|
| Wildcard matching | Yes | Yes | Yes | Yes | Yes | Yes |
| Regex matching | Yes | Yes | Yes | Yes | Yes | Yes |
| Near/proximity | Yes | No | No | No | No | No |
| Aggregation | Yes | Yes | Partial | Partial | Partial | Yes |
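The following is an added example, not code from CloudSigma or pySigma, that ties together the request body documented under "Specifying Backends", the `conversions` object under "Conversion in Response", and the compatibility table above. It validates requested backend IDs against the six documented ones, warns before sending when a rule uses a feature the table marks "No" or "Partial" for a requested backend, and pulls per-backend queries out of a response. The feature detection is a text heuristic on the rule's `condition:` line (an assumption, not pySigma's parser), `generate()` is a hypothetical wrapper name, and `SAMPLE_RESPONSE` and the two sample rules are constructed here in the documented shape.

```python
"""Added example client for CloudSigma's POST /v1/generate (not project code)."""
import json
import re
import urllib.request

# Backend IDs listed in the "Supported Backends" section.
SUPPORTED_BACKENDS = ("splunk", "sentinel", "elasticsearch",
                      "chronicle", "opensearch", "google_secops")

# Rows of the "Backend Compatibility" table where support is not "Yes".
LIMITED_SUPPORT = {
    "near": {"sentinel": "No", "elasticsearch": "No", "chronicle": "No",
             "opensearch": "No", "google_secops": "No"},
    "aggregation": {"elasticsearch": "Partial", "chronicle": "Partial",
                    "opensearch": "Partial"},
}


def detect_features(sigma_yaml: str) -> set:
    """Heuristic (assumption): find near/aggregation on the condition line."""
    features = set()
    if re.search(r"^\s*condition:.*\bnear\b", sigma_yaml, re.M):
        features.add("near")
    if re.search(r"^\s*condition:.*\|\s*(count|min|max|avg|sum)\s*\(",
                 sigma_yaml, re.M):
        features.add("aggregation")
    return features


def compatibility_warnings(sigma_yaml: str, target_siems) -> dict:
    """Return {backend: ["feature (No|Partial)", ...]} for requested backends."""
    warnings = {}
    for feature in sorted(detect_features(sigma_yaml)):
        for backend, level in LIMITED_SUPPORT.get(feature, {}).items():
            if backend in target_siems:
                warnings.setdefault(backend, []).append(f"{feature} ({level})")
    return warnings


def build_request(url: str, target_siems=None) -> dict:
    """Build the documented JSON body; omitting targetSiems means all backends."""
    body = {"inputType": "url", "url": url}
    if target_siems is not None:
        unknown = sorted(set(target_siems) - set(SUPPORTED_BACKENDS))
        if unknown:
            raise ValueError(f"unknown backend IDs: {unknown}")
        body["options"] = {"targetSiems": list(target_siems)}
    return body


def extract_queries(response: dict, backend: str) -> dict:
    """Map rule title -> query for one backend; rules lacking it are skipped,
    since only the requested backends appear in conversions."""
    out = {}
    for rule in response.get("rules", []):
        query = rule.get("conversions", {}).get(backend)
        if query is not None:
            out[rule.get("title", "<untitled>")] = query
    return out


def generate(api_key: str, url: str, target_siems=None,
             endpoint="https://cloudsigma.a13e.com/v1/generate") -> dict:
    """Hypothetical wrapper: performs the network call (not run offline)."""
    data = json.dumps(build_request(url, target_siems)).encode()
    req = urllib.request.Request(
        endpoint, data=data, method="POST",
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample response mirroring the documented shape.
SAMPLE_RESPONSE = {"rules": [{
    "yaml": "title: AWS IAM Access Key Creation...",
    "title": "AWS IAM Access Key Creation",
    "conversions": {
        "splunk": 'index=cloudtrail eventName="CreateAccessKey"',
        "sentinel": 'CloudTrailLogs | where EventName == "CreateAccessKey"'},
}]}

# Constructed sample rules exercising the two limited-support features.
SAMPLE_NEAR_RULE = (
    "title: Key creation followed by use\ndetection:\n"
    "  create:\n    eventName: CreateAccessKey\n"
    "  use:\n    eventName: GetCallerIdentity\n"
    "  condition: create | near use\n")
SAMPLE_AGG_RULE = (
    "title: Many keys created\ndetection:\n"
    "  sel:\n    eventName: CreateAccessKey\n"
    "  condition: sel | count() by userIdentity.arn > 5\n")

if __name__ == "__main__":
    targets = ["splunk", "sentinel", "chronicle"]
    print(json.dumps(build_request("https://example.com/advisory", targets)))
    print(compatibility_warnings(SAMPLE_NEAR_RULE, targets))
    print(extract_queries(SAMPLE_RESPONSE, "splunk"))
```

Run the compatibility check before the request so a `near` or aggregation rule is not silently simplified in a backend that cannot express it; the response parser tolerates rules whose `conversions` lack a given backend, which is the documented behaviour when that backend was not requested.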