# SIGMA Rules

### What is Sigma ?

Just as Snort rules describe patterns in network traffic and YARA signatures describe suspicious files, Sigma rules describe searches and patterns over log data.

Sigma is a generic, open signature format that lets analysts write and describe searches over log data in a straightforward manner. A rule is written once in the Sigma format and then converted (with a tool such as sigma-cli, or the older sigmac) into the query language of the log management or SIEM system you actually run, so the same detection can be shared across Splunk, Elastic, QRadar and many others.

Sigma rules are written in YAML, which is easy to read and flexible enough to accommodate custom fields.

**Note:** It is strongly advisable to use an editor such as VSCode (free from Microsoft) to edit Sigma files. It supports YAML natively and will save you a lot of heartburn with YAML formatting: YAML is indentation-sensitive, indentation must use spaces rather than tabs, and a single misaligned line silently changes the meaning of a rule.

### Rule structure

The structure of a Sigma rule is simple to understand: a rule consists of a few mandatory attributes plus a number of optional ones. The attributes of a Sigma rule can be grouped into three sections: Metadata, Logsource and Detection.

1. **Metadata:** This section holds the fields that are common across all Sigma rules: title, id, status, description, references, author, date, level and tags. Only the title is strictly mandatory; the rest are optional, though an id is strongly recommended so the rule can be tracked once it is shared.
   * Title \[required]: A short, descriptive name for the rule.
   * Id \[optional, recommended]: A unique identifier for the rule, by convention a freshly generated UUID.
   * Date \[optional]: The date the rule was created.
   * Status \[optional]: Indicates the maturity of the rule, typically stable, test or experimental (newer versions of the specification also allow deprecated and unsupported).
   * Description \[optional]: A short description of what the rule detects and why.
   * Author \[optional]: The person who wrote the rule.
   * References \[optional]: Links to the reports, advisories or write-ups the rule is based on.
   * Level \[optional]: The criticality of a match: informational, low, medium, high or critical.
   * Tags \[optional]: Tags for the rule, kept short and lowercase, e.g. attack.execution, attack.t1059.001 for MITRE ATT\&CK tactics and techniques.
2. **Logsource:** This section describes the log data to which the detection is meant to be applied. It is defined by three attributes, category, product and service, which together identify the log source, plus an optional free-text definition:
   * Category – the kind of log, independent of vendor, e.g.: firewall, proxy, webserver, antivirus, process\_creation
   * Product – the product or platform that generates the log, e.g.: windows, apache, symantec
   * Service – the specific service or channel within the product, e.g.: system, applocker, security, sysmon
   * Definition – free text describing the log source, such as the audit policy or sensor configuration the rule assumes
3. **Detection:** This section is made of two parts, the search identifiers and the condition, and is the core of any Sigma rule. It will be covered in more detail in the next article.

![SIGMA Rule Structure](https://2078222076-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MMRHZBPHlLDUc8519fX%2Fuploads%2FT81q0jWBtUc9ehB63Hj5%2FSIGMA_Structure.jpg?alt=media\&token=a37bf293-a671-426f-b19c-e7ebe10cd825)
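The three sections above in one complete rule. This is an added example written for this page, not a rule from the original article or from the Sigma project; the id, author and date are placeholders, and the detection (PowerShell started with an encoded command) is constructed here to illustrate the structure rather than taken from the page. Generate a fresh UUID (for example with `uuidgen`) for the id of any real rule.

```yaml
# Added example, not from the original page: a minimal but complete Sigma rule.
# The id below is a placeholder for illustration; replace it with a newly
# generated UUID. Author and date are placeholders as well.

# --- Metadata ------------------------------------------------------------
title: Suspicious Encoded PowerShell Command Line
id: 1d5ec8ef-2ee9-4f91-8a55-1a7d1df6c8b2
status: experimental
description: Detects PowerShell started with an encoded command, a common way to hide the script body from simple command-line searches.
references:
    - https://attack.mitre.org/techniques/T1059/001/
author: Example Author
date: 2024-01-15
tags:
    - attack.execution
    - attack.t1059.001

# --- Logsource -----------------------------------------------------------
# category/product tell the converter which backend field mapping to use;
# for Windows process creation this is Sysmon Event ID 1 or Security 4688,
# depending on the pipeline chosen at conversion time.
logsource:
    category: process_creation
    product: windows

# --- Detection -----------------------------------------------------------
# 'selection' is a search identifier; the condition refers to it by name.
# Fields inside one selection are ANDed, values listed under one field are ORed.
# '|endswith' and '|contains' are field modifiers.
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - '-EncodedCommand'
            - ' -enc '
    condition: selection

falsepositives:
    - Administrative scripts and management tools that legitimately pass encoded commands
level: medium
```

Save the rule as `encoded_powershell.yml` and run `sigma check encoded_powershell.yml` with sigma-cli to validate the YAML and the rule format before converting it, for example with `sigma convert -t splunk encoded_powershell.yml`. Two caveats: the check validates structure, not detection quality, so test the converted query against real data; and PowerShell also accepts shorter forms of the flag such as `-e` and `-ec`, so a production version of this rule needs a wider, carefully tested set of command-line patterns than the two shown here.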
