Learn how to import Sigma rules for conversion into TrendAI Vision One™ custom filters.

Important
  • TrendAI Vision One™ allows you to import open-source Sigma rules from the SigmaHQ main rule repository for conversion into custom detection filters. The SigmaHQ community maintains a large repository of ready-to-use detection rules covering endpoint, network, cloud, and third-party log sources. Rules from other sources may use unsupported syntax or field names and could fail to convert.
  • Many Sigma rules target log sources that cannot be automatically converted. Conversion fails when the rule logsource.category or logsource.service is not in the supported list. Common examples include unsupported categories (such as category: firewall, category: application) and application-specific services (such as service: okta, service: github, and service: zeek). If your rule log source is not supported, you can verify that relevant logs are available before manually creating a custom filter or use a filter template from TrendAI Vision One™ to create a filter.
  • For more information about unsupported Sigma rule syntax, see Unsupported Sigma rule syntax.

Procedure

  1. Go to Agentic SIEM and XDR > Detection Model Management > Custom filters.
  2. Click Add filters and select Import from computer from the drop-down menu.
  3. On the Import custom filters window, click the ZIP or YAML tab and click Select file.
  4. Select the ZIP or YAML file containing Sigma rules from your local computer.
  5. On the Unable to import tab, edit and validate files with supported formats. Remove files with unsupported formats.
  6. On the Edit Sigma rules and convert to TrendAI Vision One™ format window, edit the Sigma rule and click Convert to convert the format.
    Note
    • Metadata fields such as author, references, and falsepositives are preserved in the converted YAML file for reference but do not affect detection logic.
    • Complex modifier chains such as contains|all and windash might require manual adjustment.
    • Rules from other repositories such as SOCPRIME and Elastic might convert successfully if they use the standard Sigma format and supported logsource categories.
  7. Click Save.
  8. After editing or removing all files unable to import, click Import (number) files to begin the file import.
    TrendAI Vision One™ saves and enables the custom filter. This action might require a few minutes before taking effect.
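The two failure modes described above (an unsupported logsource.category or logsource.service, and modifier chains such as contains|all or windash that need manual review) can be screened for before the Import step, so that the Unable to import tab holds fewer surprises. The script below is an added example and is not Trend Micro code or part of this documentation. It does not use a YAML library; it extracts only the logsource block and modifier keys with regular expressions, which is enough for rules in the standard SigmaHQ layout. The SUPPORTED_CATEGORIES and SUPPORTED_SERVICES sets are placeholders, because the page does not publish the supported list; the three rules are constructed samples.

```python
"""Pre-screen Sigma rule files before importing them as custom filters.

Added example, not vendor code. The allowlists below are PLACEHOLDERS (an
assumption): the documentation page does not list the supported logsources,
so replace them with the product's documented values before relying on them.
"""
import re
from dataclasses import dataclass, field

# PLACEHOLDER allowlists (assumption, not the vendor's real supported list).
SUPPORTED_CATEGORIES = {"process_creation", "network_connection"}
SUPPORTED_SERVICES = {"security", "sysmon"}

# Modifiers the documentation says may need manual adjustment after conversion.
REVIEW_MODIFIERS = {"all", "windash"}

# Indented 'Field|mod1|mod2:' keys inside the detection block.
MODIFIER_RE = re.compile(r"^[ \t]+([A-Za-z0-9_.]+)((?:\|[A-Za-z_]+)+)[ \t]*:", re.M)


@dataclass
class ScreenResult:
    title: str
    convertible: bool = True
    reasons: list = field(default_factory=list)  # why conversion is expected to fail
    review: list = field(default_factory=list)   # modifier chains to check by hand


def top_level_mapping(text, key):
    """Return the scalar 'k: v' pairs of the indented block under a top-level key."""
    m = re.search(rf"^{key}:[ \t]*\n((?:[ \t]+\S.*\n?)+)", text, re.M)
    pairs = {}
    if m:
        for line in m.group(1).splitlines():
            k, _, v = line.strip().partition(":")
            pairs[k.strip()] = v.strip().strip("'\"")
    return pairs


def screen_rule(text):
    """Flag an unsupported logsource and risky modifier chains in one Sigma rule."""
    title = re.search(r"^title:[ \t]*(.+)$", text, re.M)
    res = ScreenResult(title=title.group(1).strip() if title else "<untitled>")
    ls = top_level_mapping(text, "logsource")
    cat, svc = ls.get("category"), ls.get("service")
    if not cat and not svc:
        res.convertible = False
        res.reasons.append("logsource has neither category nor service")
    if cat and cat not in SUPPORTED_CATEGORIES:
        res.convertible = False
        res.reasons.append(f"unsupported logsource.category: {cat}")
    if svc and svc not in SUPPORTED_SERVICES:
        res.convertible = False
        res.reasons.append(f"unsupported logsource.service: {svc}")
    for fld, mods in MODIFIER_RE.findall(text):
        chain = [m for m in mods.split("|") if m]
        hits = REVIEW_MODIFIERS.intersection(chain)
        if hits:
            res.review.append(f"{fld}|{'|'.join(chain)} ({', '.join(sorted(hits))})")
    return res


def screen_bundle(rules):
    """Split a {filename: yaml_text} bundle into importable and blocked files."""
    results = {name: screen_rule(text) for name, text in rules.items()}
    importable = sorted(n for n, r in results.items() if r.convertible)
    blocked = sorted(n for n, r in results.items() if not r.convertible)
    return importable, blocked, results


# Constructed sample rules in the SigmaHQ layout (not real repository rules).
SAMPLE_RULES = {
    "proc_encoded_ps.yml": """\
title: Constructed - Encoded PowerShell Command
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\\\\powershell.exe'
    CommandLine|windash|contains|all:
      - '-enc'
      - '-nop'
  condition: selection
""",
    "fw_block.yml": """\
title: Constructed - Firewall Block Burst
logsource:
  category: firewall
detection:
  selection:
    action: block
  condition: selection
""",
    "okta_mfa.yml": """\
title: Constructed - Okta MFA Reset
logsource:
  product: okta
  service: okta
detection:
  selection:
    eventtype: user.mfa.factor.reset_all
  condition: selection
""",
}

if __name__ == "__main__":
    ok, blocked, results = screen_bundle(SAMPLE_RULES)
    for name, r in results.items():
        print(name, "importable" if r.convertible else "blocked", r.reasons, r.review)
```

Run against a directory by reading each .yml into the dictionary that screen_bundle expects; files in the blocked list are the ones to fix or remove on the Unable to import tab, and the review list marks the rules whose converted YAML deserves a look before you click Save.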