IDR Integration with Sigma / YARA for standardised log queries

Being able to run Sigma searches against data in Insight would be hugely beneficial. Every single SIEM competitor to Rapid7 has integrated with them, please can we look at integrating with this project! Additional points for allowing YARA queries in IDR.

10 Likes

Hi @ben_cuthbert,

thank you so much for your feedback.
We are currently not supporting Sigma in IDR, but thank you for your input; we are going to review it and let you know :slight_smile:

Hi @mirela_smlatic.

Has there been any development here?

Glad to know update on sigma query support

Hi,

Unfortunately, we still don’t have Sigma on our roadmap.
For now, you can always ingest data as custom logs and from there use our Custom Parser for the ability to create custom parsing rules for log events to extract the data you need.

Thank you so much,
Mirela

Would love to be able to build a Sigma to Log Search converter. But integration could be a really massive change to IDR, at least on the custom rules part.

I know I keep going on about this, but there’s now a Sigma converter for every other SIEM on the market that InsightIDR competes with: https://uncoder.io/

Rapid7 risks losing the detection race if they don’t pay attention to this…

1 Like

@ben_cuthbert a couple months back I looked into what it would take to write a Sigma backend for InsightIDR. Sadly the complexity was beyond my capacity and skill. Since then, I see there is now a new pySigma library that has changed the way Sigma handles backends (it involves things called Processing Pipelines and Resolvers :man_shrugging:). I am going to take another look as time allows. Hopefully the Sigma project maintainers will release some better documentation on how to write backends for different SIEMs and someone in our community (or within R7) can tackle it!

2 Likes

Hello!

I am really pleased to share that I’ve created a Sigma backend for InsightIDR using the pySigma codebase, which I am now maintaining under the SigmaHQ umbrella.

GitHub - SigmaHQ/pySigma-backend-insightidr

There are a couple of different ways to use the backend. You can use it in a script as I’ve done in the Usage example on the GitHub page, or you can install the Sigma CLI package (GitHub - SigmaHQ/sigma-cli: The Sigma command line interface based on pySigma) for an experience more like the legacy sigmac tool.

To use it as a script, you can install pySigma first, then the InsightIDR backend (these are being maintained separately now). I like using pip to install Python packages, so I would use commands like these below to install the libraries:

python -m pip install pysigma
python -m pip install pysigma-backend-insightidr

There are some limitations to the backend which you can read about, most significantly that it currently only supports process creation, DNS query, and web proxy events. I hope to add more log source support in the future, as well as provide more sample scripts that would show how the pySigma backend could be used with the InsightIDR REST API, such as through InsightIDR4Py. There is also one bug with keyword searching that I will fix soon.

Hope this is useful to folks! Also, if anyone at Rapid7 is interested I would LOVE to demo, collaborate on, or even pass ownership of this backend to you folks.

Micah

6 Likes

Hi @mbabinski ,

Sean from IDR Product team here.

This is inspiring - fantastic work! We will be in touch shortly as you suggested. A demo would be great.

cheers,
Sean

4 Likes

Has any more progress been made on this? It is pretty basic functionality that the majority of other SIEMs already have integrations for.

Hello, has anything been done in this space? We are very interested in having integrations with Sigma/Yara but keep seeing the same vague copy/paste answer everywhere I look.

1 Like

Hello! There is a pySigma backend/plugin for InsightIDR. You can find it here: GitHub - SigmaHQ/pySigma-backend-insightidr

I maintain this project and am always open to feedback. Hoping to add support for some more log sources when time allows. :+1:

Micah Babinski (@MicahBabinski)

1 Like

This is awesome! I saw your work merged to the official project and available in https://sigconverter.io/

There are rules that throw an error like the one below. Is it really that IDR doesn’t support these fields or is it they are not ingested or parsed by default?

*Error: The InsightIDR backend does not support the CurrentDirectory, IntegrityLevel, or imphash fields for process start rules.*

Sorry, I was too excited and didn’t read.

The InsightIDR backend supports the following log entry/rule types:

Process start events
DNS query events
Web proxy events
Firewall events
Ingress authentication events

No worries! This is because process start events in InsightIDR use Windows security event 4688, which doesn’t have quite as many fields as Sysmon event 1.
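To make concrete what a Sigma backend for InsightIDR has to do, and why the error quoted above ("does not support the CurrentDirectory, IntegrityLevel, or imphash fields") is the natural outcome of a 4688-based process start event, here is an added toy converter. It is not code from the SigmaHQ pySigma-backend-insightidr project or from anyone in this thread; it takes an already-parsed Sigma process_creation rule (a dict, so no YAML library is needed), maps the Sigma field names onto InsightIDR process start keys, emits a LEQL where() query, and rejects rules that use fields the event cannot supply. The InsightIDR key names (process.name, process.cmd_line, parent_process.name and so on), the LEQL operators used, and the sample rule are all assumptions made for this example; check them against your own Log Search data before relying on a converted query.

```python
"""Toy Sigma -> InsightIDR LEQL converter for process_creation rules.

Added illustration only; NOT the SigmaHQ pySigma-backend-insightidr code.
InsightIDR field names, LEQL operators and the sample rule are assumptions.
"""
from __future__ import annotations


class UnsupportedFieldError(ValueError):
    """The rule needs something the InsightIDR process start event cannot supply."""


# Assumed Sigma process_creation field -> InsightIDR process start event key.
# Fields absent here (CurrentDirectory, IntegrityLevel, imphash, ...) are not
# carried by a Windows 4688-based event, so rules that use them are rejected.
PROCESS_START_FIELDS = {
    "Image": "process.exe_path",
    "CommandLine": "process.cmd_line",
    "ParentImage": "parent_process.exe_path",
    "ParentCommandLine": "parent_process.cmd_line",
    "User": "process.username",
}
# `Image|endswith: '\name.exe'` is really a process-name match; assumed keys.
PROCESS_NAME_FIELDS = {"Image": "process.name", "ParentImage": "parent_process.name"}
# Sigma value modifier -> LEQL operator (case-insensitive, like Sigma matching).
MODIFIER_OPS = {None: "=", "contains": "ICONTAINS", "startswith": "ISTARTS-WITH"}


def _quote(value) -> str:
    return '"' + str(value).replace('"', '\\"') + '"'


def _join(parts: list[str], keyword: str) -> str:
    return parts[0] if len(parts) == 1 else "(" + f" {keyword} ".join(parts) + ")"


def _clause(sigma_field: str, value) -> str:
    """Translate one `Field|modifier: value` pair into a LEQL comparison."""
    name, _, modifier = sigma_field.partition("|")
    modifier = modifier or None
    values = value if isinstance(value, list) else [value]

    if modifier == "endswith" and name in PROCESS_NAME_FIELDS:
        # Only a bare '\name.exe' suffix maps cleanly onto the process name key.
        if not all(v.startswith("\\") and "\\" not in v[1:] for v in values):
            raise UnsupportedFieldError(f"{sigma_field}: only a '\\name.exe' suffix is handled")
        return _join([f"{PROCESS_NAME_FIELDS[name]}={_quote(v[1:])}" for v in values], "OR")
    if name not in PROCESS_START_FIELDS:
        raise UnsupportedFieldError(
            f"The InsightIDR process start event does not supply the {name} field")
    if modifier not in MODIFIER_OPS:
        raise UnsupportedFieldError(f"{sigma_field}: unsupported modifier {modifier!r}")

    key, op = PROCESS_START_FIELDS[name], MODIFIER_OPS[modifier]
    sep = "" if op == "=" else " "
    return _join([f"{key}{sep}{op}{sep}{_quote(v)}" for v in values], "OR")


def _selection(block) -> str:
    """Sigma semantics: keys of a mapping are AND-ed, items of a list are OR-ed."""
    if isinstance(block, list):
        return _join([_selection(item) for item in block], "OR")
    return _join([_clause(f, v) for f, v in block.items()], "AND")


def convert_rule(rule: dict) -> str:
    """Turn a parsed (dict) Sigma process_creation rule into a LEQL where() query."""
    if rule.get("logsource", {}).get("category") != "process_creation":
        raise UnsupportedFieldError("only process_creation rules are handled here")
    detection = rule["detection"]
    out = []
    for token in detection["condition"].split():
        if token.lower() in ("and", "or", "not"):
            out.append(token.upper())
        elif token in detection:
            out.append(_selection(detection[token]))
        else:
            raise UnsupportedFieldError(f"condition token {token!r} is not supported here")
    return f"where({' '.join(out)})"


def unsupported_reason(rule: dict) -> str | None:
    """None if the rule converts; otherwise the reason it was rejected (for triage)."""
    try:
        convert_rule(rule)
        return None
    except UnsupportedFieldError as err:
        return str(err)


# Constructed sample rule, already parsed from YAML into a dict.
SAMPLE_RULE = {
    "title": "Encoded PowerShell command line (constructed sample)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe",
                      "CommandLine|contains": ["-enc", "-EncodedCommand"]},
        "filter": {"ParentImage|endswith": "\\monitoringhost.exe"},
        "condition": "selection and not filter",
    },
}
# The same rule with a field a 4688-based event lacks (the case in this thread).
SAMPLE_RULE_WITH_INTEGRITY_LEVEL = {**SAMPLE_RULE, "detection": {
    **SAMPLE_RULE["detection"],
    "selection": {**SAMPLE_RULE["detection"]["selection"], "IntegrityLevel": "High"}}}

if __name__ == "__main__":
    print(convert_rule(SAMPLE_RULE))
    print("rejected:", unsupported_reason(SAMPLE_RULE_WITH_INTEGRITY_LEVEL))
```

Running the script prints the LEQL for the sample rule and then the rejection reason for the IntegrityLevel variant. The rejection path is the point: a backend cannot conjure a field the collected event does not carry, so rules that depend on Sysmon-only fields have to be flagged rather than silently converted into queries that never match.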

I wonder why IDR uses Windows events for process start and not Sysmon. Drives me nuts.

Hi @afaugno we use the windows security log for certain event codes, listed here Insight Agents with InsightIDR | InsightIDR Documentation

However we do use Sysmon for process start collection see here Sysmon Installer and Events Monitor - how the Insight Agent implements these components for use with InsightIDR and MDR | Insight Agent Documentation

It’s possible your org may not be leveraging Sysmon correctly/fully, as there are certain conditions which will prevent Sysmon from functioning. If you look on your machine for the presence of the Sysmon installer, it should have a log associated which indicates whether Sysmon is running and has the Rapid7 config applied.

Hi.
When installing the IDR agent, we use the standard installer, nothing special. What Sysmon config does that use?

When I just checked my event log Microsoft-Windows-Sysmon/Operational, it starts from: 12/11/2023

Also in my Log Search, under “Endpoint Activity” I have the following:

  • “Local Service Creation”
  • “Netbios Poisoning”
  • “Process Start Events”
  • “Sysmon”

If I run a query just on the “Sysmon” index I only get the following “EID”:

  • 3
  • 8
  • 10
  • 13
  • 25

Hi @afaugno see our Sysmon documentation here Sysmon Installer and Events Monitor - how the Insight Agent implements these components for use with InsightIDR and MDR | Insight Agent Documentation