Translation of Sigma rule to JSON

[JOAQUINPUERTO]

I have the problem that I want to translate a Sigma rule to JSON. I have read that it is done with "sigmac" but I can't find the right combination of the command to generate the sigma rule in JSON. On the contrary I have tried to convert it directly to JSON but it did not work. Could someone provide me with a practical example in sigmac or how to convert sigma rules to JSON?

[wagga40]

Hi,

sorry for the delay.

The related docs are there : https://github.com/wagga40/Zircolite/blob/master/docs/Usage.md#generate-your-own-rulesets

In short :

• I strongly recommand to use the repo version of sigma :

git clone https://github.com/SigmaHQ/sigma.git
cd sigma

• Install related dependencies (check Sigma repo) and for example, if your logs are sysmon logs, you can convert your rules to Zircolite (SQLite in fact) format with :

tools/sigmac \
	-t sqlite \
	-c tools/config/generic/sysmon.yml \
	-c tools/config/generic/powershell.yml \
	-c tools/config/zircolite.yml \
	-d rules/windows/ \
   --output-fields title,id,description,author,tags,level,falsepositives,filename,status \
   --output-format json \
   -r \
   -o rules_sysmon.json \
   --backend-option table=logs