# Sigma Rules

An abstracted YAML configuration format that serves as a universal notation for detections and can be converted into queries for multiple backends such as Splunk, Kibana, YARA, etc.

* [SigmaHQ's repo](https://github.com/SigmaHQ/sigma.git)

IOCs or troubleshooting issues are specified in a data format that can be shared and versioned.  
This configuration can then be translated into tool-specific queries for many different tools.

* [Rule Creation Guide](https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide)

## Fields

A minimal configuration should contain at least the following fields:
* title
* id (UUID)
* status
* description
* logsource
* detection
* condition (nested under `detection`)

Additional fields may be:
* falsepositives
* level
* tags

[![Sigma Fields](https://github.com/SigmaHQ/sigma/blob/master/images/Sigma_Schema.png?raw=true)](https://github.com/SigmaHQ/sigma/blob/master/images/Sigma_Schema.png?raw=true)

## Filters

Field modifiers, appended to the field name with a pipe, can be used to refine a detection selection, e.g.
```yaml
File|endswith
CommandLine|contains
CommandLine|startswith
```

## Transform Modifiers

A detection selection can be refined by appending a pipe `|` to the field name followed by a modifier such as `contains`, `endswith`, `startswith` or `all` (`all` requires every value in a list to match instead of any one of them).
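To make the Fields and Transform Modifiers sections concrete, here is an added example (not SigmaHQ's code and not pySigma): a minimal rule that mirrors the YAML keys of a Sigma rule as a Python dict, a check for the required fields, and a small matcher that implements the `contains`, `startswith`, `endswith` and `all` modifiers plus a `selection and not filter` condition. The rule, the UUID and the process-creation events are constructed for the example; a real rule would carry the same keys in a `.yml` file.

```python
"""Minimal Sigma-style rule validation and matching (added example, not SigmaHQ code)."""
import uuid

# Top-level fields the page lists as the minimum; condition lives under detection.
REQUIRED = ("title", "id", "status", "description", "logsource", "detection")

# Constructed rule: the same keys a Sigma YAML file would contain.
RULE = {
    "title": "Executable launched from a user temp directory (example)",
    "id": "00000000-0000-4000-8000-000000000001",  # placeholder UUID, constructed
    "status": "experimental",
    "description": "Detects binaries started from %LOCALAPPDATA%\\Temp by non-installer parents.",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|startswith": "C:\\Users\\",
            # 'all' turns the list from OR into AND: both substrings must be present
            "Image|contains|all": ["\\AppData\\Local\\Temp\\", ".exe"],
        },
        "filter": {"ParentImage|startswith": "C:\\Program Files\\"},
        "condition": "selection and not filter",
    },
    "falsepositives": ["Installers that stage a helper binary in the temp directory"],
    "level": "medium",
    "tags": ["attack.execution"],
}

# Constructed process_creation events to evaluate the rule against.
EVENTS = [
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},          # matches
    {"Image": "C:\\Program Files\\Editor\\editor.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},          # not in a user profile
    {"Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\installer.exe",
     "ParentImage": "C:\\Program Files\\Installer Service\\svc.exe"},  # filtered out
    {"CommandLine": "notepad.exe"},                         # field missing entirely
]


def validate(rule):
    """Return a list of problems; an empty list means the minimal schema is met."""
    problems = [f"missing field: {f}" for f in REQUIRED if f not in rule]
    try:
        uuid.UUID(str(rule.get("id", "")))
    except ValueError:
        problems.append("id is not a UUID")
    if "condition" not in rule.get("detection", {}):
        problems.append("detection has no condition")
    return problems


def _match_value(value, modifiers, pattern):
    """Apply the modifiers to one pattern; Sigma string matching is case-insensitive."""
    value, pattern = str(value).lower(), str(pattern).lower()
    if "contains" in modifiers:
        return pattern in value
    if "startswith" in modifiers:
        return value.startswith(pattern)
    if "endswith" in modifiers:
        return value.endswith(pattern)
    return value == pattern


def _match_field(event, key, patterns):
    """'Field|mod1|mod2': list values are OR-ed unless the 'all' modifier is present."""
    field, *modifiers = key.split("|")
    if field not in event:
        return False
    if not isinstance(patterns, list):
        patterns = [patterns]
    results = [_match_value(event[field], modifiers, p) for p in patterns]
    return all(results) if "all" in modifiers else any(results)


def _match_selection(event, selection):
    """Every field entry inside one selection map must match (AND)."""
    return all(_match_field(event, k, v) for k, v in selection.items())


def matches(rule, event):
    """Evaluate a flat condition such as 'selection', 'a and b', 'a and not b', 'a or b'."""
    det = rule["detection"]
    result, op, negate = None, "and", False
    for tok in det["condition"].split():
        if tok in ("and", "or"):
            op = tok
        elif tok == "not":
            negate = True
        else:
            val = _match_selection(event, det[tok]) ^ negate
            negate = False
            result = val if result is None else (result and val if op == "and" else result or val)
    return bool(result)


def run(rule=RULE, events=EVENTS):
    """Return one True/False per event; used by the checks below."""
    return [matches(rule, e) for e in events]


if __name__ == "__main__":
    print("schema problems:", validate(RULE) or "none")
    for event, hit in zip(EVENTS, run()):
        print(hit, event.get("Image", "<no Image field>"))
```

The matcher deliberately covers only the flat `and`/`or`/`not` conditions that appear in the example; real rules may use grouping, `1 of selection*` or aggregation, which sigma-cli and pySigma handle when they convert the rule to a backend query. Note that the third event is suppressed only because the `filter` selection matched, which is the usual way Sigma rules encode known false positives rather than weakening the main selection.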

## Tools

* [sigma-cli](https://github.com/SigmaHQ/sigma-cli)
* [pySigma](https://github.com/SigmaHQ/pySigma)
* [Uncoder.io](https://uncoder.io/)
* [Sigmac](https://github.com/SigmaHQ/sigma/tree/8bb3379b6807610d61d29db1d76f5af4840b8208/tools)