How do I search for Sigma Rules by CVE ID?

Take for example this rule:

It has the CVE tag cve.2024.1212.

How can I filter this in CTI Butler?

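This search will give you what you want. The example searches for CVE-2021-21551; replace it with the CVE ID you need, written in the uppercase form stored in external_id (CVE-2024-1212, not the Sigma tag form cve.2024.1212). The query matches only on the rule's CVE reference, so review each result: in the sample output below, the second and third rules carry the CVE-2021-21551 reference although their descriptions are about other drivers.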

// Return every document in sigma_rules_vertex_collection that lists the given
// CVE ID among its external_references, keeping only documents whose
// _is_latest flag is true.
//
// The ID is compared as a case-sensitive string against each reference's
// external_id, so it must be written as "CVE-2021-21551" and not in the Sigma
// tag form "cve.2021.21551". Only external_references is compared; the rule's
// description and pattern are not inspected.
FOR rule IN sigma_rules_vertex_collection
    LET refs = rule.external_references
    // Skip documents that have no reference list at all.
    FILTER refs != null AND IS_ARRAY(refs)
       AND "CVE-2021-21551" IN refs[*].external_id
       AND rule._is_latest == true
    // Strip every attribute whose name starts with "_" from the returned document.
    LET publicKeys = (
        FOR key IN ATTRIBUTES(rule)
            FILTER !STARTS_WITH(key, "_")
            RETURN key
    )
    RETURN KEEP(rule, publicKeys)
[
  {
    "created": "2021-05-05T00:00:00.000Z",
    "created_by_ref": "identity--860f4c0f-8c26-5889-b39d-ce94368bc416",
    "description": "Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551. The following false positives can result from this detection; Legitimate BIOS driver updates (should be rare)",
    "external_references": [
      {
        "source_name": "sigma-rule",
        "url": "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/driver_load/driver_load_win_vuln_dell_driver.yml",
        "external_id": "rule"
      },
      {
        "source_name": "sigma-rule",
        "description": "21b23707-60d6-41bb-96e3-0f0481b0fed9",
        "external_id": "id"
      },
      {
        "source_name": "sigma-rule",
        "description": "high",
        "external_id": "level"
      },
      {
        "source_name": "sigma-rule",
        "description": "experimental",
        "external_id": "status"
      },
      {
        "source_name": "sigma-rule",
        "description": "Florian Roth (Nextron Systems)",
        "external_id": "author"
      },
      {
        "source_name": "ATTACK",
        "description": "tactic",
        "external_id": "privilege_escalation"
      },
      {
        "source_name": "cve",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21551",
        "external_id": "CVE-2021-21551"
      },
      {
        "source_name": "mitre-attack",
        "url": "https://attack.mitre.org/techniques/T1543",
        "external_id": "T1543"
      },
      {
        "source_name": "mitre-attack",
        "url": "https://attack.mitre.org/techniques/T1068",
        "external_id": "T1068"
      },
      {
        "source_name": "sigma-rule",
        "description": "https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/",
        "external_id": "reference"
      }
    ],
    "id": "indicator--990b4b4a-4f4c-5e01-aaf5-e994a8881a83",
    "indicator_types": [
      "malicious-activity",
      "anomalous-activity"
    ],
    "modified": "2022-12-30T00:00:00.000Z",
    "name": "Vulnerable Dell BIOS Update Driver Load",
    "object_marking_refs": [
      "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
      "marking-definition--860f4c0f-8c26-5889-b39d-ce94368bc416"
    ],
    "pattern": "{'title': 'Vulnerable Dell BIOS Update Driver Load', 'id': '21b23707-60d6-41bb-96e3-0f0481b0fed9', 'status': 'experimental', 'description': 'Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551', 'references': ['https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/'], 'author': 'Florian Roth (Nextron Systems)', 'date': '2021/05/05', 'modified': '2022/12/30', 'tags': ['attack.privilege_escalation', 'cve.2021.21551', 'attack.t1543', 'attack.t1068'], 'logsource': {'category': 'driver_load', 'product': 'windows'}, 'detection': {'selection_image': {'ImageLoaded|contains': '\\\\DBUtil_2_3.Sys'}, 'selection_sysmon': {'Hashes|contains': ['SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5', 'SHA256=DDBF5ECCA5C8086AFDE1FB4F551E9E6400E94F4428FE7FB5559DA5CFFA654CC1', 'SHA1=C948AE14761095E4D76B55D9DE86412258BE7AFD', 'SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25', 'MD5=C996D7971C49252C582171D9380360F2', 'MD5=D2FD132AB7BBC6BBB87A84F026FA0244']}, 'selection_hash': [{'sha256': ['0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1']}, {'sha1': ['c948ae14761095e4d76b55d9de86412258be7afd', '10b30bdee43b3a2ec4aa63375577ade650269d25']}, {'md5': ['c996d7971c49252c582171d9380360f2', 'd2fd132ab7bbc6bbb87a84f026fa0244']}], 'condition': '1 of selection*'}, 'falsepositives': ['Legitimate BIOS driver updates (should be rare)'], 'level': 'high'}",
    "pattern_type": "sigma",
    "spec_version": "2.1",
    "type": "indicator",
    "valid_from": "2021-05-05T00:00:00Z"
  },
  {
    "created": "2022-11-10T00:00:00.000Z",
    "created_by_ref": "identity--860f4c0f-8c26-5889-b39d-ce94368bc416",
    "description": "Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges. The following false positives can result from this detection; Legitimate driver loads (old driver that didn't receive an update)",
    "external_references": [
      {
        "source_name": "sigma-rule",
        "url": "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml",
        "external_id": "rule"
      },
      {
        "source_name": "sigma-rule",
        "description": "ac683a42-877b-4ff8-91ac-69e94b0f70b4",
        "external_id": "id"
      },
      {
        "source_name": "sigma-rule",
        "description": "high",
        "external_id": "level"
      },
      {
        "source_name": "sigma-rule",
        "description": "experimental",
        "external_id": "status"
      },
      {
        "source_name": "sigma-rule",
        "description": "Florian Roth (Nextron Systems)",
        "external_id": "author"
      },
      {
        "source_name": "ATTACK",
        "description": "tactic",
        "external_id": "privilege_escalation"
      },
      {
        "source_name": "cve",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21551",
        "external_id": "CVE-2021-21551"
      },
      {
        "source_name": "mitre-attack",
        "url": "https://attack.mitre.org/techniques/T1543",
        "external_id": "T1543"
      },
      {
        "source_name": "sigma-rule",
        "description": "https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities",
        "external_id": "reference"
      },
      {
        "source_name": "sigma-rule",
        "description": "https://github.com/alfarom256/CVE-2022-3699/",
        "external_id": "reference"
      }
    ],
    "id": "indicator--f66786bb-a6fd-50e6-a403-965b2abb31fa",
    "indicator_types": [
      "malicious-activity",
      "anomalous-activity"
    ],
    "modified": "2022-12-30T00:00:00.000Z",
    "name": "Vulnerable Lenovo Driver Load",
    "object_marking_refs": [
      "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
      "marking-definition--860f4c0f-8c26-5889-b39d-ce94368bc416"
    ],
    "pattern": "{'title': 'Vulnerable Lenovo Driver Load', 'id': 'ac683a42-877b-4ff8-91ac-69e94b0f70b4', 'status': 'experimental', 'description': 'Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges', 'references': ['https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities', 'https://github.com/alfarom256/CVE-2022-3699/'], 'author': 'Florian Roth (Nextron Systems)', 'date': '2022/11/10', 'modified': '2022/12/30', 'tags': ['attack.privilege_escalation', 'cve.2021.21551', 'attack.t1543'], 'logsource': {'category': 'driver_load', 'product': 'windows'}, 'detection': {'selection_sysmon': {'Hashes|contains': ['SHA256=F05B1EE9E2F6AB704B8919D5071BECBCE6F9D0F9D0BA32A460C41D5272134ABE', 'SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F', 'MD5=B941C8364308990EE4CC6EADF7214E0F']}, 'selection_hash': [{'sha256': 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe'}, {'sha1': 'b89a8eef5aeae806af5ba212a8068845cafdab6f'}, {'md5': 'b941c8364308990ee4cc6eadf7214e0f'}], 'condition': '1 of selection*'}, 'falsepositives': [\"Legitimate driver loads (old driver that didn't receive an update)\"], 'level': 'high'}",
    "pattern_type": "sigma",
    "spec_version": "2.1",
    "type": "indicator",
    "valid_from": "2022-11-10T00:00:00Z"
  },
  {
    "created": "2022-11-16T00:00:00.000Z",
    "created_by_ref": "identity--860f4c0f-8c26-5889-b39d-ce94368bc416",
    "description": "Detects driver load of the Process Hacker tool. The following false positives can result from this detection; Legitimate use of process hacker or system informer by developers or system administrators",
    "external_references": [
      {
        "source_name": "sigma-rule",
        "url": "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/driver_load/driver_load_win_pua_process_hacker.yml",
        "external_id": "rule"
      },
      {
        "source_name": "sigma-rule",
        "description": "67add051-9ee7-4ad3-93ba-42935615ae8d",
        "external_id": "id"
      },
      {
        "source_name": "sigma-rule",
        "description": "high",
        "external_id": "level"
      },
      {
        "source_name": "sigma-rule",
        "description": "test",
        "external_id": "status"
      },
      {
        "source_name": "sigma-rule",
        "description": "Florian Roth (Nextron Systems)",
        "external_id": "author"
      },
      {
        "source_name": "ATTACK",
        "description": "tactic",
        "external_id": "privilege_escalation"
      },
      {
        "source_name": "cve",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21551",
        "external_id": "CVE-2021-21551"
      },
      {
        "source_name": "mitre-attack",
        "url": "https://attack.mitre.org/techniques/T1543",
        "external_id": "T1543"
      },
      {
        "source_name": "sigma-rule",
        "description": "https://processhacker.sourceforge.io/",
        "external_id": "reference"
      }
    ],
    "id": "indicator--5b37c0bf-d41c-57a9-8efc-d8e866a7cb5c",
    "indicator_types": [
      "malicious-activity",
      "anomalous-activity"
    ],
    "modified": "2023-05-08T00:00:00.000Z",
    "name": "PUA - Process Hacker Driver Load",
    "object_marking_refs": [
      "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
      "marking-definition--860f4c0f-8c26-5889-b39d-ce94368bc416"
    ],
    "pattern": "{'title': 'PUA - Process Hacker Driver Load', 'id': '67add051-9ee7-4ad3-93ba-42935615ae8d', 'related': [{'id': '10cb6535-b31d-4512-9962-513dcbc42cc1', 'type': 'similar'}], 'status': 'test', 'description': 'Detects driver load of the Process Hacker tool', 'references': ['https://processhacker.sourceforge.io/'], 'author': 'Florian Roth (Nextron Systems)', 'date': '2022/11/16', 'modified': '2023/05/08', 'tags': ['attack.privilege_escalation', 'cve.2021.21551', 'attack.t1543'], 'logsource': {'category': 'driver_load', 'product': 'windows'}, 'detection': {'selection_image': {'ImageLoaded|endswith': '\\\\kprocesshacker.sys'}, 'selection_processhack_sysmon': {'Hashes|contains': ['IMPHASH=821D74031D3F625BCBD0DF08B70F1E77', 'IMPHASH=F86759BB4DE4320918615DC06E998A39', 'IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18', 'IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0']}, 'selection_processhack_hashes': {'Imphash': ['821D74031D3F625BCBD0DF08B70F1E77', 'F86759BB4DE4320918615DC06E998A39', '0A64EEB85419257D0CE32BD5D55C3A18', '6E7B34DFC017700B1517B230DF6FF0D0']}, 'condition': '1 of selection_*'}, 'falsepositives': ['Legitimate use of process hacker or system informer by developers or system administrators'], 'level': 'high'}",
    "pattern_type": "sigma",
    "spec_version": "2.1",
    "type": "indicator",
    "valid_from": "2022-11-16T00:00:00Z"
  }
]