Getting Started - mtnmunuklu/alterix GitHub Wiki

Getting Started with Alterix

To get started with Alterix, follow these steps:

  1. Installation: Download the latest release of Alterix from the GitHub releases page based on your operating system (Windows, Linux, or macOS). Extract the contents of the ZIP file to a directory of your choice. Ensure that the directory containing the Alterix executable is added to your system's PATH environment variable.

  2. Prepare Rules and IOC Data: Alterix supports Sigma rules, YARA rules, and IOC data. Sigma rules are written in YAML format and can be obtained from the Sigma GitHub repository. YARA rules, used for malware detection, are typically stored in plain text files. IOC data can be in various formats and often includes indicators such as IP addresses, domains, URLs, and hashes. You can create your own rules and IOC data or obtain them from various sources.

  3. Obtain Configuration File: Obtain the configuration file for your SIEM product. This file contains the necessary mappings for column names.

  4. Run Alterix: Open a command prompt or terminal and navigate to the directory where you extracted the Alterix executable. Use the following commands to convert rules and IOC data to your SIEM product's query language:

    • For Sigma rules:

      alterix -sigma -filepath <path-to-sigma-rules> -config <path-to-config> [-json] [-output <output-directory>]

    • For YARA rules:

      alterix -yara -filepath <path-to-yara-rules> -config <path-to-config> [-json] [-output <output-directory>]

    • For IOC data:

      alterix -ioc -filepath <path-to-ioc-data> -config <path-to-config> [-json] [-output <output-directory>]

    Replace <path-to-sigma-rules>, <path-to-yara-rules>, or <path-to-ioc-data> with the location of your respective files and <path-to-config> with the location of your configuration file. You can use the optional flags -json to specify JSON output and -output to define the directory for output files.

  5. Review Output: Alterix will process the rules and IOC data and generate the corresponding queries for your SIEM product. The output will be displayed in the console or saved to the specified output directory. Review the generated queries and use them as needed in your SIEM system.
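The following wrapper script is an added example and not part of the Alterix project: it batch-converts a directory of files with the commands from step 4, validating inputs and collecting JSON output in one place. It assumes alterix is on your PATH with the flags documented above; inferring the mode from the file extension (.yml/.yaml is Sigma, .yar/.yara is YARA, anything else is IOC data) is this wrapper's own convention, and ALTERIX_DRY_RUN is a variable the wrapper defines to print commands instead of running them.

```shell
#!/usr/bin/env sh
# Batch wrapper around the alterix CLI (added example, not part of Alterix).
# Assumes alterix is on PATH and accepts -sigma/-yara/-ioc, -filepath,
# -config, -json and -output as documented in the Getting Started steps.

# Map a file name to the alterix mode flag by extension (wrapper convention,
# not something Alterix itself does).
alterix_mode_for() {
  case "$1" in
    *.yml|*.yaml) echo "-sigma" ;;
    *.yar|*.yara) echo "-yara" ;;
    *)            echo "-ioc" ;;
  esac
}

# Convert one file. Fails early on a missing input or config so a typo does
# not silently produce no queries. With ALTERIX_DRY_RUN=1 the exact command
# line is printed instead of executed.
alterix_convert() {
  file="$1"; config="$2"; outdir="$3"
  [ -f "$file" ]   || { echo "missing input: $file" >&2; return 1; }
  [ -f "$config" ] || { echo "missing config: $config" >&2; return 1; }
  mode=$(alterix_mode_for "$file")
  mkdir -p "$outdir" || return 1
  if [ "${ALTERIX_DRY_RUN:-0}" = "1" ]; then
    echo "alterix $mode -filepath $file -config $config -json -output $outdir"
  else
    alterix "$mode" -filepath "$file" -config "$config" -json -output "$outdir"
  fi
}

# Convert every regular file in a directory, continuing past individual
# failures; prints the number of failed files and returns non-zero if any.
alterix_convert_dir() {
  dir="$1"; config="$2"; outdir="$3"; failed=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    alterix_convert "$f" "$config" "$outdir" || failed=$((failed + 1))
  done
  echo "$failed"
  [ "$failed" -eq 0 ]
}
```

Run it as `alterix_convert_dir ./rules ./config.yml ./out` after sourcing the script, then review the generated queries in `./out` as described in step 5.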

Now you are ready to use Alterix and leverage your Sigma, YARA rules, and IOC data with your SIEM product!