killchain-compendium/Miscellaneous/Sigma Rules.md

# Sigma Rules

An abstracted yaml configuration setup which can be converted into multiple queries like Splunk, Kibana, Yara etc. ...
* [SigmaHQ's repo](https://github.com/SigmaHQ/sigma.git)


## Fields

A minimal configuration should contain at least the following fields
* title
* id
* status
* description
* logsource
* detection

Additional fields may be
* falsePostivives
* levels
* tags

## Transform Modifiers

A detection selection can be refined through setting a pipe `|` followed by the modifier `contains`, `endswith`, `startswith` and `all`.

## Tools

* [sigma-cli](https://github.com/SigmaHQ/sigma-cli)
* [pySigma](https://github.com/SigmaHQ/pySigma)
* [Uncoder.io](https://uncoder.io/)
bump 2022-12-20 01:06:22 +01:00			`# Sigma Rules`

			`An abstracted yaml configuration setup which can be converted into multiple queries like Splunk, Kibana, Yara etc. ...`
			`* [SigmaHQ's repo](https://github.com/SigmaHQ/sigma.git)`


			`## Fields`

			`A minimal configuration should contain at least the following fields`
			`* title`
			`* id`
			`* status`
			`* description`
			`* logsource`
			`* detection`

			`Additional fields may be`
			`* falsePostivives`
			`* levels`
			`* tags`

			`## Transform Modifiers`

			A detection selection can be refined through setting a pipe `\|` followed by the modifier `contains`, `endswith`, `startswith` and `all`.

			`## Tools`

			`* [sigma-cli](https://github.com/SigmaHQ/sigma-cli)`
			`* [pySigma](https://github.com/SigmaHQ/pySigma)`
			`* [Uncoder.io](https://uncoder.io/)`