# Sigma Rules
An abstracted YAML rule format that can be converted into queries for multiple targets such as Splunk, Kibana, Yara, etc.
* [SigmaHQ's repo](https://github.com/SigmaHQ/sigma.git)

## Fields
A minimal rule should contain at least the following fields:

* title
* id
* status
* description
* logsource
* detection

Additional, optional fields include:

* falsepositives
* level
* tags

## Transform Modifiers

A detection selection can be refined by appending a pipe `|` and a modifier to the field name (e.g. `CommandLine|contains`); the modifiers are `contains`, `endswith`, `startswith` and `all`. The first three change how the field value is compared, while `all` turns a list of values from an OR (any value may match) into an AND (every value must match) and is chained after another modifier, as in `CommandLine|contains|all`.
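As an added example (not code from this page, SigmaHQ, pySigma or sigma-cli), a minimal Python evaluator that applies the `contains`, `startswith`, `endswith` and `all` modifiers from a rule carrying the fields listed above to a constructed process_creation event. The sample rule, its placeholder id and the event are assumptions made up for the illustration.

```python
RULE = {  # the field set listed on this page, filled with a constructed sample rule
    "title": "PowerShell started with encoded, non-interactive command line",
    "id": "00000000-0000-0000-0000-000000000000",  # placeholder, not a real rule id
    "status": "experimental",
    "description": "Demonstrates the contains, startswith, endswith and all modifiers.",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains|all": ["-EncodedCommand", "-NoProfile"],
        },
        "filter": {"ParentImage|startswith": "C:\\Program Files\\"},
        "condition": "selection and not filter",
    },
    "falsepositives": ["Signed management agents"],
    "level": "medium",
}
EVENT = {  # constructed process_creation event with only the fields the rule reads
    "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShell.EXE",
    "CommandLine": "powershell.exe -NoProfile -EncodedCommand AAAA",
    "ParentImage": "C:\\Users\\alice\\Downloads\\setup.exe",
}

def match_field(value, modifiers, patterns):
    """One 'Field|mod|mod: value(s)' clause. Sigma compares strings case-insensitively;
    a list of values is OR-ed unless the 'all' modifier is present."""
    if value is None:  # a field absent from the event never matches
        return False
    v = str(value).lower()
    pats = patterns if isinstance(patterns, list) else [patterns]
    ops = {"contains": lambda p: p in v, "startswith": v.startswith, "endswith": v.endswith}
    op = next((ops[m] for m in modifiers if m in ops), lambda p: v == p)  # default: exact
    return (all if "all" in modifiers else any)(op(str(p).lower()) for p in pats)

def match_selection(selection, event):
    """Every 'Field|modifiers' clause inside one selection map must hold (implicit AND)."""
    return all(match_field(event.get(k.split("|")[0]), k.split("|")[1:], p)
               for k, p in selection.items())

def rule_matches(rule, event):
    """Evaluate conditions shaped 'a and b and not c' (and/not only, no parentheses)."""
    det = rule["detection"]
    env = {n: match_selection(s, event) for n, s in det.items() if n != "condition"}
    return all(not env[c[4:]] if c.startswith("not ") else env[c]
               for c in det["condition"].split(" and "))
```

Real-world conversion is done by sigma-cli or pySigma against a backend; this evaluator only exists to make the modifier semantics concrete.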
## Tools

* [sigma-cli](https://github.com/SigmaHQ/sigma-cli)
* [pySigma](https://github.com/SigmaHQ/pySigma)
* [Uncoder.io](https://uncoder.io/)