killchain-compendium/Miscellaneous/Threat Intelligence/Sigma Rules.md

# Sigma Rules
An abstracted YAML configuration used as a universal notation format that can be converted into multiple query formats (Splunk, Kibana, Yara, etc.).
* [SigmaHQ's repo](https://github.com/SigmaHQ/sigma.git)
Specify IOCs or troubleshooting issues in a data format that can be shared and versioned.
That one configuration can then be translated into tool-specific queries for many different tools.
* [Rule Creation Guide](https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide)
## Fields
A minimal configuration should contain at least the following fields:
* title
* id (UUID)
* status
* description
* logsource
* detection
* condition (nested inside `detection`)
Additional fields may be:
* falsepositives
* level
* tags
[![Sigma Fields](https://github.com/SigmaHQ/sigma/blob/master/images/Sigma_Schema.png?raw=true)](https://github.com/SigmaHQ/sigma/blob/master/images/Sigma_Schema.png?raw=true)
## Filters
Filters (a field name, a pipe `|` and a modifier) narrow what a detection selection matches:
```yaml
File|endswith
CommandLine|contains
CommandLine|startswith
```
## Transform Modifiers
A detection selection can be refined by appending a pipe `|` and a modifier to the field name: `contains`, `endswith`, `startswith` and `all`. A list of values is OR-ed by default; adding `all` (e.g. `CommandLine|contains|all`) requires every listed value to match.
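To show how the fields, the `|` modifiers and the `condition` above fit together, here is an added example (not from the compendium and not SigmaHQ code): a toy evaluator that applies a Sigma-style rule to log events. The rule mirrors what a real YAML rule file contains (a real file would be loaded with `yaml.safe_load`); the rule, its placeholder UUID and the process events are all constructed for this example, and `Image`/`CommandLine` are the usual Sysmon `process_creation` field names.

```python
"""Toy Sigma evaluator (added example, not from SigmaHQ or the compendium).
Rule, UUID and events are constructed; a real rule file is YAML."""

# Mirrors the YAML of a rule file key for key (placeholder UUID).
RULE = {
    "title": "Encoded PowerShell command line (constructed example)",
    "id": "00000000-0000-4000-8000-000000000001",
    "status": "experimental",
    "description": "Detects powershell.exe launched with -enc and -nop.",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains|all": ["-enc", "-nop"],  # all => AND
        },
        "filter": {"CommandLine|contains": "\\Scripts\\Approved\\"},
        "condition": "selection and not filter",
    },
    "falsepositives": ["Approved automation under Scripts\\Approved"],
    "level": "high",
    "tags": ["attack.execution", "attack.t1059.001"],
}


def _match_value(value, pattern, mods):
    """Apply one transform modifier; Sigma compares case-insensitively."""
    value, pattern = str(value).lower(), str(pattern).lower()
    if "contains" in mods:
        return pattern in value
    if "startswith" in mods:
        return value.startswith(pattern)
    if "endswith" in mods:
        return value.endswith(pattern)
    return value == pattern


def _match_field(event, key, patterns):
    """`Field|mod|mod: value(s)`; a value list is OR-ed unless `all` is set."""
    field, *mods = key.split("|")
    if field not in event:
        return False  # a field absent from the log never matches
    patterns = patterns if isinstance(patterns, list) else [patterns]
    hits = [_match_value(event[field], p, mods) for p in patterns]
    return all(hits) if "all" in mods else any(hits)


def match_selection(event, selection):
    """Every field inside one selection map must match (AND)."""
    return all(_match_field(event, k, v) for k, v in selection.items())


def eval_condition(condition, names):
    """Recursive-descent evaluation of `a and not (b or c)`-style conditions.
    Precedence is not > and > or, as in Sigma; names maps selection -> bool."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def parse_or():
        nonlocal pos
        result = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            result = parse_and() or result  # both sides always evaluated
        return result

    def parse_and():
        nonlocal pos
        result = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            result = parse_not() and result
        return result

    def parse_not():
        nonlocal pos
        if tokens[pos] == "not":
            pos += 1
            return not parse_not()
        return parse_atom()

    def parse_atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            inner = parse_or()
            pos += 1  # consume ")"
            return inner
        if tok not in names:
            raise ValueError(f"condition references unknown selection {tok!r}")
        return names[tok]

    result = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in condition: {tokens[pos:]}")
    return result


def rule_matches(rule, event):
    detection = rule["detection"]
    names = {k: match_selection(event, v)
             for k, v in detection.items() if k != "condition"}
    return eval_condition(detection["condition"], names)


# Constructed process_creation events, not real telemetry.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [
    {"Image": PS, "CommandLine": "powershell.exe -nop -w hidden -enc AAAA"},
    {"Image": PS, "CommandLine": "powershell.exe -nop -enc AAAA -File C:\\Scripts\\Approved\\backup.ps1"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"Image": PS, "CommandLine": "powershell.exe -nop -File C:\\Scripts\\inventory.ps1"},
]


def find_matches(rule=RULE, events=EVENTS):
    """Indexes of events the rule fires on."""
    return [i for i, e in enumerate(events) if rule_matches(rule, e)]


if __name__ == "__main__":
    print(RULE["title"], "->", find_matches())
```

Only the first event fires: the second is excluded by the `filter` map (the approved-scripts path listed under `falsepositives`), the third is not PowerShell, and the fourth lacks `-enc`, which `contains|all` requires. A real backend such as sigma-cli renders the same selection and condition as a query string instead of evaluating it in-process, but the AND/OR/NOT semantics it has to reproduce are exactly the ones shown here.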
## Tools
* [sigma-cli](https://github.com/SigmaHQ/sigma-cli)
* [pySigma](https://github.com/SigmaHQ/pySigma)
* [Uncoder.io](https://uncoder.io/)
* [Sigmac](https://github.com/SigmaHQ/sigma/tree/8bb3379b6807610d61d29db1d76f5af4840b8208/tools)