This is the QRadar AQL backend for pySigma which parses and converts Sigma Rules into QRadar queries in AQL. It consists of a backend and two pipelines as describes below. The project is using pySigma_QRadar_base submodule.
- QRadarAQL: It provides the package
sigma.backends.QRadarAQLwith theQRadarAQLBackendclass.
Further, it contains the following processing pipelines in sigma.pipelines.QRadarAQL:
- QRadarAQL_fields_pipeline: Supports only the
Sigma fieldsin the Field Mapping. - QRadarAQL_payload_pipeline: Uses
UTF8(payload)instead of fields unsupported by the Field Mapping. For unsupported fields, the following value types are not supported–- Boolean
- Null
- CIDR
- Regular Expression
- Numeric Comparison
pip install ibm-qradar-aql
- install sigma-cli
- install with Sigma plugins:
sigma plugin install ibm-qradar-aql
from sigma.plugins import SigmaPluginDirectory
plugins = SigmaPluginDirectory.default_plugin_directory()
plugins.get_plugin_by_id("ibm-qradar-aql").install()Convert Sigma rules to AQL by using ibm-qradar-aql as backend, and one of qradar-aql-fields and qradar-aql-payload as pipeline:
sigma convert -t ibm-qradar-aql -p <qradar-aql-fields | qradar-aql-payload> <rule path> -o <output file name>
PLEASE NOTE: you should have Sigma rules in your project to use the
following
command
sigma convert -t ibm-qradar-aql -p qradar-aql-payload rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml -o output_file.txt
['SELECT * FROM events WHERE devicetype=12 AND LOWER("Target Process Path") LIKE \'%\\keepass.exe\'']
from sigma.collection import SigmaCollection
from sigma.backends.QRadarAQL import QRadarAQLBackend
from sigma.pipelines.QRadarAQL import QRadarAQL_fields_pipeline, QRadarAQL_payload_pipeline
pipeline = QRadarAQL_fields_pipeline # or QRadarAQL_payload_pipeline
rule = SigmaCollection.from_yaml("""
logsource:
product: windows
category: create_remote_thread
detection:
selection:
TargetImage|endswith: '\KeePass.exe'
condition: selection
""")
print(QRadarAQLBackend(pipeline()).convert(rule)[0])SELECT * FROM events WHERE devicetype=12 AND LOWER("Target Process Path") LIKE '%\keepass.exe'
This project is using
pySigma_QRadar_base submodule.
After cloning the project, make sure to update the submodule from the sigma directory
by running:
git submodule update --init --recursive
- Properties Dictionary (required)
- Windows Custom Properties (recommended)
- Linux Custom Properties (recommended)
other properties you may find in the App Exchange
| Sigma field | QRadar AQL field |
|---|---|
| AccessList | Rule Name |
| AccessMask | Access Mask |
| Accesses | Accesses |
| AppID | Application |
| AppId | Application |
| AppName | Application |
| AttributeLDAPDisplayName | Username, Account Name, Distinguished Name |
| AttributeValue | Attribute Old Value, Attribute New Value |
| c-useragent | User Agent |
| cs-user-agent | User Agent |
| cs-username | Username |
| CallTrace | Call Trace |
| CallerProcessName | Process Path |
| cipher | Ticket Encryption Type |
| CommandLine | Command |
| cs-method | Method |
| DestinationHostname | Destination Hostname |
| ErrorCode | Error Code |
| ExceptionCode | Error Code |
| EventID | Event ID |
| eventSource | devicetype |
| FailureCode | Error Code |
| FileName | Filename |
| Filename | Filename |
| GrantedAccess | Granted Access |
| Hashes | CONCAT(MD5=, MD5 Hash , SHA1=, SHA1 Hash , SHA256=, SHA256 Hash , IMPHASH=, IMP HASH) |
| HostApplication | Process Path |
| HostName | Hostname |
| Initiated | Initiated |
| Image | Process Path, Process Name |
| ImageName | Process Name |
| ImagePath | Process Path |
| Imphash | IMP Hash |
| IntegrityLevel | Integrity Level |
| InterfaceUuid | Source Interface UUID |
| LogonType | Logon Type |
| Message | Message |
| Name | File Path |
| ObjectName | Object Name |
| ObjectType | Object Type |
| OriginalFileName | Filename |
| ParentCommandLine | Parent Command |
| ParentImage | Parent Process Path |
| ParentProcessId | Parent Process ID |
| Path | File Path |
| path | File Path |
| Payload | UTF8(payload) |
| payload | UTF8(payload) |
| PipeName | Pipe Name |
| ProcessId | Process ID |
| ProcessName | Process Name |
| ProcessPath | Process Path |
| SamAccountName | SAM Account Name |
| Service | Service Name |
| ServiceFileName | Service Filename |
| ServiceName | Service Name |
| ShareName | Share Name |
| Signed | Signed |
| Status | Status |
| StartAddress | Start Address |
| TargetFilename | Filename |
| TargetImage | Target Process Path |
| TargetObject | Process Name, Target Process Name, Object Name |
| TargetUserName | Target Username |
| TaskName | Task Name |
| TicketEncryptionType | Ticket Encryption Type |
| UserName | Username |
| Username | Username |
| md5 | MD5 Hash |
| method | Method |
| NewTargetUserName | Target Username |
| sha1 | SHA1 Hash |
| sha256 | SHA256 Hash |
| SourceFilename | filename |
| SourceImage | Source Process Path |
| USER | Username |
| User | Username |
| userAgent | User Agent |
| user_agent | User Agent |
| eventName | QIDNAME(qid) |
| ImageLoaded | CONCAT(file directory, /, filename) |
| DestinationIp | destinationip |
| DestPort | destinationport |
| DestinationPort | destinationport |
| destination.port | destinationport |
| dst_ip | destinationip |
| dst_port | destinationport |
| SourcePort | sourceport |
| src_ip | sourceip |
| c-uri | URL |
| c-uri-extension | URL |
| c-uri-query | URL |
| cs-uri | URL |
| cs-uri-query | URL |
| cs-uri-stem | URL |
| properties.message | Message |
| ScriptBlockText | Message |
| uri | URL |
| a0 | Command |
| a1 | Command |
| a2 | Command |
| a3 | Command |
| a4 | Command |
| a5 | Command |
| Sigma service | QRadar AQL device type name | QRadar AQL device type id |
|---|---|---|
| aaa | BridgewaterAAA | 143 |
| apache | Apache | 10 |
| auditd | LinuxServer | 11 |
| auth | WindowsAuthServer | 12 |
| clamav | LinuxServer | 11 |
| cloudtrail | AmazonAWSCloudTrail | 347 |
| cron | LinuxServer | 11 |
| exchange | MicrosoftExchange | 99 |
| gcp.audit | GoogleCloudAudit | 449 |
| iis | IIS | 13 |
| ldp | NetScreenIDP | 17 |
| lsa-server | ISA | 191 |
| microsoft365portal | Office365, Office365MessageTrace, Microsoft365Defender | 397, 452, 515 |
| okta | OktaIdentityManagement | 382 |
| powershell | WindowsAuthServer | 12 |
| rdp | LinuxServer, WindowsAuthServer | 11, 12 |
| smbclient-security | LinuxServer, WindowsAuthServer | 11, 12 |
| sshd | LinuxServer | 11 |
| sudo | LinuxServer | 11 |
| syslog | LinuxServer, WindowsAuthServer | 11, 12 |
| sysmon | WindowsAuthServer | 12 |
| taskscheduler | LinuxServer, WindowsAuthServer | 11, 12 |
| threat_detection | SAPEnterpriseThreatDetection | 424 |
| windefend | MicrosoftWindowsDefenderATP | 433 |
| wmi | WindowsAuthServer | 12 |
| Sigma product | QRadar AQL device type name | QRadar AQL device type id |
|---|---|---|
| aws | AmazonAWSCloudTrail, AWSSecurityHub, AmazonAWSNetworkFirewall, AmazonAWSALBAccessLogs, AmazonAWSWAF, AmazonAWSKubernetes, AmazonAWSRoute53, AmazonCloudFront, AWSVerifiedAccess | 347, 440, 456, 460, 501, 502, 507, 516, 519 |
| MicrosoftAzure | MicrosoftAzure | 413 |
| cisco | Pix, IOS, VpnConcentrator, CSA, IDS, FWSM, ASA, CatOS, ACS, Cisco, NAC, Series12000, Series6500, Series7600, SeriesCRS, SeriesISR, IronPort, Aironet, Wism, ACE, CiscoWirelessNCS, Nexus, CiscoWLC, CiscoCallManager, CiscoISE, CiscoCWS, CiscoStealthwatch, CiscoUmbrella, CiscoMeraki, CiscoAMP, CiscoFirepowerThreatDefense, CiscoDuo | 6, 20, 23, 26, 30, 31, 41, 56, 90, 94, 95, 113, 114, 115, 116, 117, 179, 182, 183, 194, 248, 250, 273, 274, 316, 419, 429, 431, 435, 437, 448, 508 |
| gcp | GoogleGSuite, GoogleCloudAudit, GoogleCloudPlatformFirewall, GoogleCloudDNS | 442, 449, 455, 461 |
| huawei | SSeriesSwitch, ARSeriesRouter | 269, 283 |
| juniper | NetScreenFirewall, NetScreenIDP, JuniperSA, NetScreenNSM, InfranetController, JuniperRouter, JuniperSBR, JuniperDX, JuniperMSeries, JuniperMXSeries, JuniperTSeries, JuniperEXSeries, JuniperSRX, Avt, SRC, JuniperAltorVGW, SecurityBinaryLogCollector, JuniperMykonosWebSecurity, JuniperWirelessLAN, JuniperDDoSSecure | 5, 17, 36, 45, 59, 64, 83, 111, 118, 122, 123, 139, 150, 168, 192, 235, 264, 290, 320, 344 |
| linux | LinuxServer | 11 |
| m365 | Office365 | 397 |
| macos | AppleOSX | 102 |
| okta | OktaIdentityManagement | 382 |
| sql | MicrosoftSQL | 101 |
| windows | WindowsAuthServer | 12 |
Pull requests are welcome. After updating the Mapping, please run generate_readme.py for updating the mapping tables in the README file.
field_mapping: mapping for fields with exact mach from Sigma to AQLhost_field_mapping: mapping for host fields- values with wildcards converts to CIDRunstructured_field_mapping: mapping for fields that their value is a substring of another field's value- equal sign ('=') will be replaced with 'LIKE' operatorunstructured_part_field_mapping: mapping for fields that are part of another field- equal sign ('=') will be replaced with 'LIKE' operator, and the value transforms to the form '{field}%{value}'
- aql_log_source_mapping: AQL mapping from device type name to device type id – PLEASE DO NOT CHANGE THIS MAPPING
- aql_service_mapping: mapping from Sigma services to AQL device type id
- aql_product_mapping: mapping from Sigma products to AQL device type id
pySigma-backend-QRadar-AQL is licensed under the MIT License.