# Sigma Rules
A generic, abstracted YAML signature format for log events: a rule is written once and then converted into the query language of the target backend (Splunk, Elasticsearch/Kibana and others). Sigma is to log data what YARA is to files and Snort is to network traffic; it is a source format that is compiled into queries, not a query language itself.
* [SigmaHQ's repo](https://github.com/SigmaHQ/sigma.git)
Detection logic (an IOC match, a suspicious behaviour, or a troubleshooting query) is specified once in a data format that can be shared, reviewed and version-controlled.

The same rule can then be translated into tool-specific queries for several different backends.
* [Rule Creation Guide](https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide)
## Fields
A minimal rule should contain at least the following fields

* title
* id (UUID, unique per rule)
* status
* description
* logsource
* detection
* condition (a sub-key of `detection`, not a top-level field)

Additional fields may be

* falsepositives
* level
* tags
[![Sigma Fields](https://github.com/SigmaHQ/sigma/blob/master/images/Sigma_Schema.png?raw=true)](https://github.com/SigmaHQ/sigma/blob/master/images/Sigma_Schema.png?raw=true)
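A complete rule using the fields above, as an added example (it is not a rule from the SigmaHQ repository; the title, description and the process-creation selection are illustrative, and the `id` is a placeholder that must be replaced with a freshly generated UUID):

```yaml
title: Whoami Execution With /all Outside An Interactive Shell
id: 00000000-0000-0000-0000-000000000000   # placeholder: generate a real UUID (e.g. uuidgen)
status: experimental
description: Detects whoami.exe enumerating all groups and privileges when not started from explorer.exe
references:
  - https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\whoami.exe'
    CommandLine|contains|all:      # both strings must be present
      - 'whoami'
      - '/all'
  filter:
    ParentImage|endswith: '\explorer.exe'
  condition: selection and not filter
falsepositives:
  - Administrators running whoami /all from scripts or remote shells
level: medium
tags:
  - attack.discovery
  - attack.t1033
```

With sigma-cli and its Splunk backend plugin installed, `sigma convert -t splunk -p sysmon rule.yml` turns this file into a Splunk search; the `-p sysmon` pipeline maps the generic `process_creation` log source onto Sysmon event fields.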
## Filters
A modifier appended to a field name with `|` narrows a selection to a partial string match instead of the default exact (case-insensitive) comparison. The values below are illustrative:

```yaml
selection:
  File|endswith: '\cmd.exe'              # field value ends with the string
  CommandLine|contains: 'whoami'         # field value contains the string
  CommandLine|startswith: 'powershell'   # field value starts with the string
```
## Transform Modifiers
A detection selection can be refined by appending a pipe `|` and a modifier to the field name: `contains`, `endswith`, `startswith` or `all`. Modifiers can be chained, e.g. `CommandLine|contains|all` with a list of values requires every listed value to appear in the field; without `all`, a list of values is matched as a logical OR.
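To make the matching semantics of the modifiers and of the `condition` concrete, here is a small evaluator that applies a Sigma rule (in dict form, same keys as the YAML) to constructed process-creation events. This is an added example, not pySigma code; the rule, the event records and the field names are illustrative, and only `contains`, `startswith`, `endswith` and `all` plus the boolean operators of `condition` are implemented (no wildcards, `re`, `base64` or aggregation expressions):

```python
"""Evaluate Sigma modifiers (contains, startswith, endswith, all) and a boolean
condition over constructed events. Added example, not pySigma code."""
import re

# Dict form of a Sigma rule (same keys as the YAML file); field values are illustrative.
RULE = {
    "title": "Whoami Execution With /all Outside An Interactive Shell",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\whoami.exe",
            "CommandLine|contains|all": ["whoami", "/all"],  # 'all': every value must match
        },
        "filter": {
            "ParentImage|endswith": ["\\explorer.exe", "\\cmd.exe"],  # no 'all': any value
        },
        "condition": "selection and not filter",
    },
}

# Constructed sample events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami /all",
     "ParentImage": r"C:\Windows\explorer.exe"},  # interactive: excluded by filter
    {"Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "WHOAMI /ALL /FO CSV",
     "ParentImage": r"C:\Temp\update.exe"},  # alerts; matching is case-insensitive
    {"Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami",
     "ParentImage": r"C:\Temp\update.exe"},  # lacks '/all': selection fails
]

def _match_one(actual: str, expected: str, mods: list) -> bool:
    # Sigma string comparison is case-insensitive; without a modifier it is exact.
    a, e = actual.lower(), expected.lower()
    if "contains" in mods:
        return e in a
    if "startswith" in mods:
        return a.startswith(e)
    if "endswith" in mods:
        return a.endswith(e)
    return a == e

def field_matches(event: dict, key: str, expected) -> bool:
    """'Field|mod|mod: value(s)'; a list of values is OR'ed unless 'all' is present."""
    field, *mods = key.split("|")
    actual = event.get(field)
    if actual is None:  # an absent field never matches
        return False
    values = expected if isinstance(expected, list) else [expected]
    results = [_match_one(str(actual), str(v), mods) for v in values]
    return all(results) if "all" in mods else any(results)

def selection_matches(event: dict, selection: dict) -> bool:
    # Every field of a selection map must match (logical AND).
    return all(field_matches(event, k, v) for k, v in selection.items())

def eval_condition(cond: str, truth: dict) -> bool:
    """Recursive descent over 'and', 'or', 'not' and parentheses; no eval() on rule text."""
    toks = re.findall(r"\(|\)|[A-Za-z_]\w*", cond)
    peek = lambda: toks[0] if toks else None
    take = lambda: toks.pop(0) if toks else None

    def parse_or():
        v = parse_and()
        while peek() == "or":
            take()
            rhs = parse_and()
            v = v or rhs
        return v

    def parse_and():
        v = parse_not()
        while peek() == "and":
            take()
            rhs = parse_not()
            v = v and rhs
        return v

    def parse_not():
        if peek() == "not":
            take()
            return not parse_not()
        tok = take()
        if tok == "(":
            v = parse_or()
            if take() != ")":
                raise ValueError("missing ')' in condition")
            return v
        if tok not in truth:
            raise ValueError(f"unknown selection {tok!r} in condition")
        return truth[tok]

    result = parse_or()
    if toks:
        raise ValueError("unexpected trailing tokens in condition")
    return result

def rule_matches(rule: dict, event: dict) -> bool:
    det = rule["detection"]
    truth = {n: selection_matches(event, s) for n, s in det.items() if n != "condition"}
    return eval_condition(det["condition"], truth)

def run_rule(rule: dict, events: list) -> list:
    """Indices of the events that satisfy the rule's condition."""
    return [i for i, e in enumerate(events) if rule_matches(rule, e)]
```

`run_rule(RULE, EVENTS)` returns `[1]`: the first event is suppressed by the `filter` selection, the third fails the `all` requirement, and only the second survives `selection and not filter`. The condition is parsed with a small recursive-descent evaluator rather than `eval()` because rule text is attacker-adjacent input when rules are pulled from shared repositories.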
## Tools
* [sigma-cli](https://github.com/SigmaHQ/sigma-cli)
* [pySigma](https://github.com/SigmaHQ/pySigma)
* [Uncoder.io](https://uncoder.io/)
* [Sigmac](https://github.com/SigmaHQ/sigma/tree/8bb3379b6807610d61d29db1d76f5af4840b8208/tools) (legacy converter, superseded by sigma-cli and pySigma; the link pins an old commit because the tool is no longer in the main branch)