
How to Translate Detection Content

Written by Sergey Bayrachny

Uncoder AI automatically translates detection content:

  • From the platform-agnostic Sigma format to any supported platform format, using either the platform's default data schema or an alternative schema such as OCSF

  • Between platform-specific formats. For example, from Splunk Query into Elasticsearch Query:

    • This functionality is available only for a limited number of platforms

    • Only certain advanced functions are supported by the native Uncoder conversion engine. If a part of the source (such as an advanced function) cannot be translated natively, that part is translated with AI

  • From the default data schema to OCSF for the same platform

  • Between different formats of the same platform (for example, from Microsoft Sentinel Query to Microsoft Sentinel Rule)

How to translate:

  1. Go to the Translate mode in Uncoder AI.

  2. Paste the source content item in the input panel or upload it from a file.

    To paste a Sigma rule from Threat Detection Marketplace:

    1. Type a search term in the search bar

    2. Select the repo type and repo to search

    3. Optionally, filter the results

    4. Choose a detection.

    If the detection has the Premium status, you can unlock it using your team's balance of Premium Sigma rules under your organization's Threat Detection Marketplace subscription plan. An unlocked rule becomes available to your team in Uncoder AI and in the Threat Detection Marketplace.

    The code of the unlocked Sigma rule will be automatically inserted into the input panel.

  3. The platform (language) of your source detection is automatically detected in the source language dropdown. Ensure it is correct or modify it if needed.

    Notes:

    • Start typing the name of the platform in the dropdown to filter the options

    • Click the star next to a platform name to add it to your favorites, which are always displayed at the top of the list

  4. Select the platform format of the desired target in the dropdown.

    Note: the same dropdown tips apply here. Start typing a platform name to filter the options, and click the star next to a platform name to add it to your favorites, which are always displayed at the top of the list.

  5. Optionally, customize the rule:

    1. Set a different data schema.

    2. Set additional customization profiles. Configuring these profiles is available only with the Enterprise subscription.

  6. Click Translate.

  7. The translation is displayed in the output panel. When the source is a platform-specific (native) format, two outputs are generated:

    • A Sigma rule that captures the core detection logic

    • The selected target platform format

    If any part of the source fails to translate, or the selected target does not support the same fields or functions as the source, the Debug Console reports it. Review these messages before you deploy the result: a field that has no mapping in the target schema or a function that was dropped changes what the rule actually detects.

  8. Optionally, you can click the arrows between the source and target formats to swap input and output.

    After that, you can translate the new input into other formats.
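The steps above describe two things the translator does for you: it applies a data schema (step 5) to rename each Sigma field for the target platform, and it reports through the Debug Console (step 7) anything the target cannot express. The following Python is an added example written for this article to make those two mechanisms concrete; it is not Uncoder AI's engine, and the Sigma rule, the field mappings (labelled "default" and "ocsf" for Splunk, ECS-style "default" for Elasticsearch) and the Lucene query-string output for Elasticsearch are constructed assumptions, not official vendor or SOC Prime mappings. It supports only the `equals`, `contains`, `startswith` and `endswith` modifiers and simple `and`/`or`/`not` conditions, and returns the warnings a debug console would show alongside the query.

```python
"""Minimal Sigma-to-query translator with selectable field schemas.

Added example for this article; NOT Uncoder AI's engine. Field mappings below
are illustrative assumptions, not official vendor mappings.
"""
import re

# Constructed Sigma rule, in parsed (dict) form. The equivalent YAML:
#   detection:
#     selection:
#       Image|endswith: '\powershell.exe'
#       CommandLine|contains: ['-enc', '-EncodedCommand']
#     filter:
#       ParentImage|endswith: '\explorer.exe'
#     condition: selection and not filter
SIGMA_RULE = {
    "title": "Suspicious Encoded PowerShell Command Line",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        "filter": {"ParentImage|endswith": "\\explorer.exe"},
        "condition": "selection and not filter",
    },
}

# Assumed schemas: (platform, schema) -> {Sigma field: target field}.
# "ParentImage" is deliberately missing from the Splunk OCSF mapping so the
# warning path (the Debug Console analogue) is exercised.
SCHEMAS = {
    ("splunk", "default"): {"Image": "Image", "CommandLine": "CommandLine",
                            "ParentImage": "ParentImage"},
    ("splunk", "ocsf"): {"Image": "process.file.path",
                         "CommandLine": "process.cmd_line"},
    ("elastic", "default"): {"Image": "process.executable",
                             "CommandLine": "process.command_line",
                             "ParentImage": "process.parent.executable"},
}
SUPPORTED_MODIFIERS = {"equals", "contains", "startswith", "endswith"}
_LUCENE_SPECIAL = re.compile(r'([+\-=&|><!(){}\[\]^"~*?:\\/ ])')


def _wildcard(value, modifier):
    """Place wildcards according to the Sigma modifier."""
    if modifier == "contains":
        return f"*{value}*"
    if modifier == "startswith":
        return f"{value}*"
    if modifier == "endswith":
        return f"*{value}"
    return value


def _splunk_value(value, modifier):
    # SPL: double-quoted string, backslashes and quotes escaped.
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{_wildcard(escaped, modifier)}"'


def _lucene_value(value, modifier):
    # Lucene query string: escape reserved characters, then add wildcards.
    return _wildcard(_LUCENE_SPECIAL.sub(r"\\\1", value), modifier)


TARGETS = {"splunk": (_splunk_value, "="), "elastic": (_lucene_value, ":")}


def _render_group(fields, schema, render_value, sep, warnings, key):
    clauses = []
    for sigma_key, values in fields.items():
        field, _, modifier = sigma_key.partition("|")
        modifier = modifier or "equals"
        if modifier not in SUPPORTED_MODIFIERS:
            warnings.append(f"{key}: modifier '{modifier}' on '{field}' not "
                            f"supported natively, rendered as exact match")
            modifier = "equals"
        target = schema.get(field)
        if target is None:
            warnings.append(f"{key}: no mapping for Sigma field '{field}', kept as-is")
            target = field
        vals = values if isinstance(values, list) else [values]
        parts = [f"{target}{sep}{render_value(v, modifier)}" for v in vals]
        clauses.append(parts[0] if len(parts) == 1 else "(" + " OR ".join(parts) + ")")
    return " AND ".join(clauses)


def translate(rule, platform, schema_name="default"):
    """Return (query, warnings) for the rule on the given platform and schema."""
    key = f"{platform}/{schema_name}"
    schema = SCHEMAS[(platform, schema_name)]
    render_value, sep = TARGETS[platform]
    warnings = []
    detection = rule["detection"]
    groups = {name: _render_group(fields, schema, render_value, sep, warnings, key)
              for name, fields in detection.items() if name != "condition"}

    def substitute(match):
        token = match.group(0)
        if token.lower() in ("and", "or", "not"):
            return token.upper()
        if token in groups:
            return f"({groups[token]})"
        raise ValueError(f"unsupported condition token: {token}")

    query = re.sub(r"[A-Za-z_][A-Za-z0-9_]*", substitute, detection["condition"])
    return query, warnings


if __name__ == "__main__":
    for target in (("splunk", "default"), ("splunk", "ocsf"), ("elastic", "default")):
        query, warnings = translate(SIGMA_RULE, *target)
        print(f"[{target[0]}/{target[1]}] {query}")
        for line in warnings:
            print("  debug:", line)
```

Running it shows the same rule rendered three ways; the Splunk OCSF target carries a warning because `ParentImage` has no mapping in that schema, which is exactly the kind of message to read before saving or deploying a translation.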

Save Your Translation


Optionally, you can save your translation as a new rule or add it to an existing rule in your custom repository.

Save as a New Rule


  1. Click Save As > New Rule in the panel with the content.

  2. Fill in saving parameters:

    • Save to. Select the custom repository to save your content.

    • Platform. Double-check the selected platform to make sure everything is correct.

    • Content Name. Give your content a name. In the case of a Sigma rule, this field is pre-filled with the Sigma title.

    • Description. Provide a description of your content.

  3. Click Save.

Add a New Translation to an Existing Rule


  1. Select Save As > Update to my Rule in the panel with the translation you want to add.

  2. If the panel with the translation was on the right, it will move to the left and the saving settings will appear. Note that you cannot change the custom repository for saving. Ensure the platform and content name are correct, add an optional description, and click Save.

  3. If you later change that translation and want to save the new version, select Save As > Update to my Rule again and ensure that the Platform field in the saving settings shows the current platform.

To learn more about working with custom repositories, see the article on custom repositories.

Next Steps


After you've ensured that the generated rule/query fits your needs and preferences, you can:

  • Save it to a custom repository

  • Copy it to the clipboard and paste it into your system or download the rule/query as a file

  • Deploy it to a SIEM or push it to a Git repository

  • Translate it into a different language

  • Validate its syntax and structure

  • Optimize the query

  • Group query results

  • Get its short summary, full summary, or decision tree

  • Make custom modifications with AI

Supported Platforms


To find out which platforms (languages) are supported, see the Supported Platforms article.
