pySigma Datadog backend
Project description
pySigma Datadog Backend
Overview
This repository contains the Datadog backend package (sigma.backends.datadog
) for pySigma. This package contains the DatadogBackend class, which can be used to convert Sigma rules to Datadog rules and queries that will work with Datadog’s Log Management and Datadog's Cloud SIEM products.
Further, this repository also adds the datadog_pipeline
as part of the sigma.pipelines.datadog package. This defines Datadog’s default log processing pipeline for Sigma rule conversion, which performs field mappings and contains error-handling logic.
Output Format
Disclaimer: Users should always verify the output of the conversion tool to ensure rule and query accuracy before using in their environment.
The Datadog pySigma backend supports the following output format options:
-
default
: queries outputted using the Datadog Query Syntax to reflect a detection.- Note: Queries using the default output will only reflect the detection of the rule. Users may want to add the a log source to speed up the query slightly.
-
siem_rule
: Rule that are converted from the Sigma format to a Datadog format
The siem-rule
output format will convert a rule in Sigma format to the Datadog Detection Rule format which will have a default type: log_detection
, which indicates that the rule is a security rule with a threshold detection method indicated by detectionMethod: threshold
in the rule output.
Either output option can be used for log search, custom alerts, dashboards, and reporting.
Supported Rule Types:
Currently, the Datadog pySigma backend supports logs from the following sources which are cloud rules currently supported in the Sigma Rules Repository. Log sources were chosen based on support for existing Sigma Rules which can be specified in the logsource.service
field of a Sigma Rule. Please see this ReadMe.md from SigmaHQ for example rules.
Installation
- Clone
pysigma-datadog-backend
repository - Clone the Sigma Rules Repository
- Create and activate a Python virtual environment using the following commands:
python3 -m venv .venv
. .venv/bin/activate
- Run
pip install sigma-cli
and follow instructions in the sigma-cli repository - Install the datadog backend
sigma plugin install datadog
- Using the
sigma-cli
, run the following command to convert a Sigma rule to a Datadog Cloud SIEM rulesigma convert -t datadog ../../andrea.piazza/sigma/sigma/rules/cloud/aws -f siem_rule
- Run this command to convert a Sigma rule into a Datadog Query
sigma convert -t datadog ../../{your.user}/sigma/sigma/rules/cloud/aws
- Use a text editor to view the /scripts/local_pysigma_dd_conversion.py script within the
pysigma-datadog-backend
repo. Modify thesigma_rules_to_convert
list to indicate the rules that should be converted using the path in your file system to the Sigma Rules Repository cloned in Step 1.
As an example:
To convert AWS Cloudtrail Disable Logging Sigma Rule, Azure Blocked Account Attempt Sigma Rule, and GCP Bucket Enumeration Sigma Rule to Datadog Rules locally, modify the sigma_rules_to_convert
List using this script with the path from the Sigma Rules Repository cloned in step 2.
sigma_rules_to_convert = [
r"/Users/user.name/sigma/sigma/rules/cloud/aws/aws_cloudtrail_disable_logging.yml",
r"/Users/user.name/sigma/sigma/rules/cloud/azure/azure_blocked_account_attempt.yml",
r"/Users/user.name/sigma/sigma/rules/cloud/gcp/gcp_bucket_enumeration.yml"
]
- Run the script with the command
python3 scripts/local_pysigma_dd_conversion.py
which will output either a Datadog query using thedefault
output, or a Datadog Cloud SIEM detection rule using thesiem_rule
output.
Importing Sigma Rules to Datadog:
The pipeline for the Datadog pySigma Backend converts fields from Sigma Rules into predefined log facets. The current field mappings can be found in each Processing Item for the corresponding log source in the Datadog pySigma Pipeline.
If a field is not listed in the pipeline, the field will automatically be prefixed with an @
sign and the detection engineer should update the field mappings in the query match what’s in their environment. This is also true for queries generated using the default output.
To check field mappings in the Datadog UI:
- Hover over “Logs” and click “Configuration”.
- Search for logsource that you're looking for field mappings
- Click the expand the arrow next to value in the “Pipeline Name” column
The “Remapper” rows define how fields from each log source gets mapped to Datadog facets.
To create a new Detection Rule from a converted Sigma rule, make a POST
request to /api/v2/security_monitoring/rules
via the Datadog API.
Maintainers
- Datadog Cloud SIEM | Email: team-cloudsiembackend@datadoghq.com
Limitations
-
The Datadog Query Syntax does not currently support Sigma Rules that use RegEx modifers
- The following field on a Sigma Rule containing a modifier would throw an error using the Datadog Backend Conversion tool:
selection: field|re: "reg.*ex"
-
We currently do not support importing Sigma rules using the Datadog UI.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file pysigma_backend_datadog-0.1.2.tar.gz
.
File metadata
- Download URL: pysigma_backend_datadog-0.1.2.tar.gz
- Upload date:
- Size: 14.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/5.1.1 CPython/3.12.7
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | ec3f618c7ae1305b63edb9c53441b5957e0bfafcdf394e582ae8fd069379dd17 |
|
MD5 | 11788d3b5933db3be87e71dcd3e8e878 |
|
BLAKE2b-256 | f39bac91b8c6414424c635cdac6fb067c2e77117607c2e0688bbdb04fc4e64c3 |
File details
Details for the file pysigma_backend_datadog-0.1.2-py3-none-any.whl
.
File metadata
- Download URL: pysigma_backend_datadog-0.1.2-py3-none-any.whl
- Upload date:
- Size: 14.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/5.1.1 CPython/3.12.7
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | a5634711319456f5b446c41914720e06b5ee92838556104bf21497847da0b3cc |
|
MD5 | b7783d6cb96529edfe97c58f13c2eebd |
|
BLAKE2b-256 | e61b9fd643100eb1a0ce2d3acf6551d6b6c981cedb3a4f421b452ef1e55a754f |