Usage

droid is able to:

  • Validate the content of the rules
  • Convert the Sigma rules
  • Perform an ad-hoc search on the platform and report the findings
  • Export (deploy) the rules
  • Check the integrity of the rules on platforms
Note

droid is a command line tool.

  • Make sure to specify the droid configuration file using -cf
  • You can select a directory (this will load all the rules within sub-directories) or a single rule
  • You can generate a JSON logging file using -j

Validate

Note

This requires a validation configuration, see here.

droid -cf droid_config.toml --platform microsoft_xdr \
--rules sigma/sigmahq-core/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml \
--validate

Convert

droid -cf droid_config.toml --platform splunk \
--rules rules/sigma/ \
--compile -d
Info

If you want to use the Sigma filters, you can store your filters in a directory and use the sigma_filters_directory parameter. See the configuration.

Search

Note

This feature works only with the supported platforms.

Info

droid reports findings for the search timerange set in your configuration. If there is any hit, it raises a warning but does not return an error exit code, so a pipeline that relies on the exit code alone will not notice hits.

droid -cf droid_config.toml --platform microsoft_sentinel \
--rules sigma/sigmahq-core/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml \
--search

You can also use the search feature to run Microsoft XDR converted rules with Microsoft Sentinel as the search head. In that case your Microsoft Sentinel setup performs the search. This mode is also compatible with --mssp.

droid -cf droid_config.toml --platform microsoft_xdr \
--rules sigma/sigmahq-core/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml \
--search --sentinel-xdr

MSSP

Currently the MSSP mode is available for Microsoft Sentinel.

droid -cf droid_config.toml --platform microsoft_sentinel \
--rules sigma/sigmahq-core/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml \
--search --mssp

Test using Atomic Red Team

Example

This feature is under development, stay tuned!

Export

Info

If one or more rules have the custom field disabled or removed set to true, droid makes sure the corresponding detection rule is disabled, or removes it, if it already exists on the platform.

droid -cf droid_config.toml --platform splunk \
--rules rules/rules/sigma/ \
--export -d
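Because an export disables or deletes platform rules for every rule carrying one of those flags, it is worth listing the affected rules before running droid --export. The script below is an added example and is not part of droid; it assumes the custom fields are written as plain YAML keys named disabled or removed (at the top level or nested, for instance under a custom key) with the value true, which is an assumption about the rule layout rather than something this page specifies.

```shell
#!/usr/bin/env bash
# Added example, not droid code: list the Sigma rules under a directory
# whose (assumed) custom fields `disabled: true` or `removed: true` would
# make `droid --export` disable or delete the matching platform rule.
set -eu

# Print "<rule file><TAB><flag>" for each rule with disabled/removed set to
# true (or yes), at any indentation level; output is sorted by file name.
list_flagged_rules() {
    rules_dir="$1"
    find "$rules_dir" -type f \( -name '*.yml' -o -name '*.yaml' \) -exec awk '
        # Field 1 is the key with its colon, field 2 the scalar value.
        $1 ~ /^(disabled|removed):$/ && tolower($2) ~ /^(true|yes)$/ {
            sub(":", "", $1)
            print FILENAME "\t" $1
        }' {} + | sort
}

# Count the flagged rules so a wrapper can decide whether to pause for review.
count_flagged_rules() {
    list_flagged_rules "$1" | wc -l | tr -d ' '
}

# Usage: ./preflight.sh rules/sigma/
if [ "$#" -gt 0 ]; then
    list_flagged_rules "$1"
    echo "flagged rules: $(count_flagged_rules "$1")"
fi
```

Run it against the same --rules directory you are about to export; an unexpected entry in the output means the export would disable or remove a rule you did not intend to touch.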

Integrity

Info

This feature verifies that the id, description and search of each rule match the corresponding saved search on the platform.

droid -cf droid_config.toml --platform splunk \
--rules rules/rules/sigma/ \
--integrity -d