What You'll Learn
- Use the
sigma convertcommand to transform Sigma YAML rules into Wazuh/OpenSearch queries - Explain the role of backends and pipelines in the Sigma conversion process
- Identify and troubleshoot common conversion failures: unmapped fields, unsupported features, and logsource mismatches
- Deploy a converted Sigma rule to Wazuh as a custom alert and verify it fires on matching events
- Compare Sigma conversion output across different SIEM backends to understand format differences
- Apply conversion techniques in Lab 8.3 and Lab 8.4 to convert, deploy, and test real detections
The Conversion Problem
You have a Sigma rule in YAML. Your SIEM speaks a different language — Wazuh uses OpenSearch queries, Splunk uses SPL, Elastic uses KQL or Lucene, and Microsoft Sentinel uses KQL. The rule you wrote in Lesson 8.3 cannot be pasted into any of these SIEMs directly. It must be converted.
This is where sigma-cli comes in — the official command-line tool that transforms Sigma YAML into SIEM-specific queries. In your lab environment, sigma-cli is pre-installed with all the backends you need.
How Sigma Conversion Works
The conversion process has three components:
| Component | What It Does | Example |
|---|---|---|
| Rule | Your Sigma YAML file | suspicious_powershell.yml |
| Backend | The target SIEM format | opensearch, splunk, elasticsearch |
| Pipeline | Field name mappings from Sigma's abstract names to the target SIEM's concrete field names | windows pipeline maps Image → process.executable |
The basic command:
sigma convert -t opensearch -p windows rule.yml
| Flag | Purpose |
|---|---|
-t opensearch | Target backend (the SIEM format to output) |
-p windows | Processing pipeline (field name mappings) |
rule.yml | Input Sigma rule file |
Converting the PowerShell Detection Rule
Let's convert the suspicious PowerShell encoded command rule from Lesson 8.3. Here is the Sigma rule:
title: Suspicious PowerShell Encoded Command
logsource:
category: process_creation
product: windows
detection:
selection_process:
Image|endswith: '\\powershell.exe'
selection_args:
CommandLine|contains:
- '-EncodedCommand'
- '-enc'
condition: selection_process and selection_args
level: high
Converting to OpenSearch (Wazuh)
sigma convert -t opensearch -p windows suspicious_powershell.yml
Output:
(process.executable.text:*\\powershell.exe) AND
(process.command_line.text:*\-EncodedCommand* OR
process.command_line.text:*\-enc*)
Notice what happened:
| Sigma Field | OpenSearch Field | Mapping Source |
|---|---|---|
Image | process.executable.text | Windows pipeline |
CommandLine | process.command_line.text | Windows pipeline |
| ` | endswith` | Wildcard prefix: *\\powershell.exe |
| ` | contains` | Wildcards: *-EncodedCommand* |
Converting to Splunk
sigma convert -t splunk -p sysmon suspicious_powershell.yml
Output:
source="WinEventLog:Microsoft-Windows-Sysmon/Operational"
Image="*\\powershell.exe"
(CommandLine="*-EncodedCommand*" OR CommandLine="*-enc*")
Converting to Elastic
sigma convert -t elasticsearch -p ecs_windows suspicious_powershell.yml
Output:
{
"bool": {
"must": [
{ "wildcard": { "process.executable": "*\\\\powershell.exe" } },
{ "bool": {
"should": [
{ "wildcard": { "process.command_line": "*-EncodedCommand*" } },
{ "wildcard": { "process.command_line": "*-enc*" } }
]
}
}
]
}
}
Same rule, three different outputs. This is Sigma's core value: you maintain one YAML file, and conversion handles the syntax differences across SIEMs. If your organization migrates from Splunk to Elastic, you convert all your rules instead of rewriting them.
Available Backends and Pipelines
Common Backends
| Backend | Command | Target SIEM |
|---|---|---|
opensearch | sigma convert -t opensearch | Wazuh, OpenSearch, AWS OpenSearch |
splunk | sigma convert -t splunk | Splunk Enterprise, Splunk Cloud |
elasticsearch | sigma convert -t elasticsearch | Elastic SIEM, Kibana |
microsoft365defender | sigma convert -t microsoft365defender | Microsoft Defender, Sentinel |
qradar | sigma convert -t qradar | IBM QRadar |
Common Pipelines
| Pipeline | What It Maps | Use With |
|---|---|---|
windows | Windows event log fields to ECS-compatible names | OpenSearch, Elasticsearch |
sysmon | Sysmon event fields | Splunk, Elasticsearch |
ecs_windows | Windows fields to Elastic Common Schema | Elasticsearch |
List all available backends:
sigma list targets
List pipelines for a specific backend:
sigma list pipelines -t opensearch
Deploying to Wazuh
Converting a rule gives you a query. Deploying it to Wazuh means creating a custom alert that uses that query. Here is the end-to-end process:
Step 1: Convert the Rule
sigma convert -t opensearch -p windows suspicious_powershell.yml
Step 2: Create a Wazuh Alert Monitor
In the Wazuh dashboard (OpenSearch Dashboards):
- Navigate to Alerting → Monitors → Create Monitor
- Set the monitor name (e.g., "Sigma — Suspicious PowerShell Encoded Command")
- Choose Extraction query as the monitor type
- Paste the converted OpenSearch query
- Set the schedule (e.g., every 1 minute)
- Configure the trigger: if results > 0, fire the alert
- Set the action: log the alert, send notification, or both
Step 3: Test the Detection
Generate a matching event and verify the alert fires. In Lab 8.3, you will trigger a simulated PowerShell encoded command event in the Wazuh environment and confirm your converted rule catches it.
Wazuh also has native XML rule format. For some detections, writing a Wazuh XML rule directly may be simpler than converting from Sigma — especially for rules that use Wazuh-specific features like decoder matching, frequency thresholds, or CDB lookups. Sigma conversion works best for standard log queries. Know when to use each approach.
Troubleshooting Conversion Failures
Not every Sigma rule converts cleanly. Here are the most common issues and how to fix them:
Unmapped Fields
sigma convert -t opensearch -p windows rule.yml
Error: Field 'TargetObject' is not mapped in the pipeline
Cause: The pipeline does not have a mapping for the Sigma field name to the target SIEM field name.
Fix: Check the pipeline documentation. You may need a different pipeline (sysmon instead of windows) or add a custom field mapping:
sigma convert -t opensearch -p windows -p custom_mappings.yml rule.yml
Unsupported Logsource
Error: No backend mapping for logsource category 'dns_query' product 'windows'
Cause: The selected backend does not know how to map this logsource combination to a concrete log index.
Fix: Check if the logsource requires a specific pipeline or if the backend supports it at all. Some logsource categories are backend-specific.
Aggregation Not Supported
condition: selection | count(IpAddress) > 5
Cause: Not all backends support Sigma's aggregation syntax (count, sum, min, max, avg).
Fix: Convert the base detection without aggregation. Configure the threshold in the SIEM's alerting system after deployment (Step 2 above).
Near-Time Correlation
condition: selection | near selection2
Cause: Sigma's near operator (temporal proximity) has limited backend support.
Fix: Convert the individual selections separately and use the SIEM's correlation engine to link them.
Batch Conversion
In Lab 8.6, you will convert multiple rules at once. Sigma-cli supports directory-level conversion:
# Convert all rules in a directory
sigma convert -t opensearch -p windows /opt/sigma-rules/rules/windows/process_creation/
# Convert and save to file
sigma convert -t opensearch -p windows rules/ > converted_rules.ndjson
# Convert with specific output format
sigma convert -t opensearch -p windows --output-format json rules/
Key Takeaways
sigma convert -t <backend> -p <pipeline> rule.ymltransforms Sigma YAML into SIEM-specific queries- The backend determines the output format (OpenSearch, Splunk, Elastic, etc.)
- The pipeline maps Sigma's abstract field names to the target SIEM's concrete field names
- The same Sigma rule produces different output for each SIEM — this is the portability Sigma provides
- Deploying to Wazuh means creating an OpenSearch alert monitor with the converted query
- Common conversion failures include unmapped fields, unsupported logsource categories, and aggregation/correlation features
- Batch conversion allows deploying dozens or hundreds of rules at once from the SigmaHQ repository
- Some detections are better written as native Wazuh XML rules rather than converted from Sigma
What's Next
You can convert rules and deploy them. But deploying is just the beginning — every rule generates noise. In Lesson 8.5, you will learn the art of tuning: taking a noisy rule that fires 200 times a day and reducing it to fewer than 5 alerts without missing real threats. Lab 8.5 gives you a pre-deployed noisy rule to fix.
Knowledge Check: Sigma Conversion
10 questions · 70% to pass
What is the correct sigma-cli command to convert a Sigma rule to Wazuh/OpenSearch format with Windows field mappings?
In the Sigma conversion process, what is the role of a 'pipeline'?
When converting a Sigma rule with Image|endswith: '\\powershell.exe' to OpenSearch, what does the output look like?
In Lab 8.3, you deploy a converted Sigma rule to Wazuh. What is the deployment mechanism in Wazuh's OpenSearch Dashboards?
A sigma convert command fails with: 'Field TargetObject is not mapped in the pipeline.' What is the most likely fix?
Why might a Sigma rule with 'condition: selection | count(IpAddress) > 5' fail to convert to some backends?
In Lab 8.4, you convert a threat-report-based Sigma rule and deploy it. Which command lists all available sigma-cli backends?
When deploying a converted Sigma rule to Wazuh, what should the trigger condition be set to?
When is it better to write a native Wazuh XML rule instead of converting from Sigma?
In Lab 8.6, you will batch-convert rules from SigmaHQ. What sigma-cli feature enables converting an entire directory of rules at once?
0/10 answered