Sigma Extension

cmd1775 · June 27, 2025, 7:12pm

Hello, I am having an issue with one customer organization where Sigma rules are not updating. I think this might be a permissions issue but not sure how to resolve this.

maximelb · June 27, 2025, 7:17pm

Any errors in the Platform Errors section?
Can you send us the OID?

cmd1775 · June 27, 2025, 7:24pm

Hello, I do not see any errors in the platform logs. I have also noticed I am unable to disable any sigma rules because I do not have the dr.set.replicant permission. This permission is not listed as an available permission for my user.
I will send you the OID in a PM.

maximelb · June 29, 2025, 2:13pm

Ok, it looks like the sync rule (named “ext-ext-sigma-update”) was removed at some point in that org. It should be in the “dr-managed” Hive.

I tried to look at our logs to see when it happened but couldn’t find it so it might have been removed a long time ago.

The fix should be simple:

Unsubscribe from ext-sigma
Wait 1 minute (to make sure there’s nothing left at all from the old instance, there’s a lot of rules that get removed)
Resubscribe to ext-sigma

In theory you could re-create the rule but it’s going to be more of a pain than the subscription approach.

cmd1775 · June 29, 2025, 5:32pm

Hello,
I have unsubscribed and subscribed again and now I am seeing all of the rules. I also now see the “ext-sigma-update” rule.

I am unable to disable a sigma rule. When I try I receive the message “Not allowed, missing dr.set.replicant permission”. This permission is not listed as an available permission under my user.

Also, the Sigma extension lists the following granted permissions. I do not see the dr.del.replicant or the dr.list.prelicant permissions under my user either.
dr.del.replicant
dr.list.replicant
dr.set.replicant
org.get
dr.del.managed
dr.list.managed
dr.set.managed

maximelb · June 29, 2025, 5:38pm

That permission is not expected to ever be given to a user, that is how we protect some of the automation rules.

I suspect this may actually be a bug in the web app where it’s trying to update the rule, by disabling it, in a way that it requires the full permission. But in theory you should be able to do it with the metadata permission which you should have. I will try to replicate a little bit later to confirm.

cmd1775 · June 30, 2025, 2:22am

In the GUI I can disable a Sigma rule from the D&R Rules page. Where I see the error is if you click into a Sigma rule, then disable the rule and try to click the Update button.

system · July 7, 2025, 2:23am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Sigma Extension Feature Request Feature Requests	0	17	March 18, 2025
LOLRMM Sigma Feature Requests	2	66	April 21, 2025
Community Rules Support	5	24	June 25, 2025
DnR Rules page - ability to sort Status column Feature Requests	1	23	June 10, 2025
New Release: Web App 4.4.0, AI Powered community rules Release Notes	0	21	June 17, 2025

Sigma Extension

Related topics