Incoming feed - SigmaHQ Rules Feed

Note

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.

	Specifications
Transport type	SigmaHQ Rules Feed
Content type	Sigma Rule JSON
Description	Retrieves Sigma rules from the Sigma rules GitHub repository . Each rule is ingested as an indicator entity, which can then be used in your investigations on EclecticIQ Intelligence Center.

Overview

The SigmaHQ Rules Feed retrieves all Sigma files from the Sigma rules GitHub repository and ingests them as indicators.

The first time a feed using this transport type runs, it downloads a complete archive of Sigma rules GitHub repository and ingests it.

When the feed runs next, it checks for commits to the repository since the last feed run. If there are new commits, this feed retrieves the changed files and ingests them.

Configure the incoming feed

1. Create or edit an incoming feed.

2. Under Transport and content, fill out these fields:

   Note

   Required fields are marked with an asterisk (*).

   Field	Description
   Transport type*	Select SigmaHQ Rules Feed from the drop-down menu.
   Content type*	Select Sigma Rule JSON from the drop-down menu.
   API key	(Optional) You can provide a GitHub API token.

3. Store your changes by selecting Save.