The detection section is the core of a SIGMA rule: the underlying engine interprets and validates the contents of this section and evaluates its detection logic. The detection attribute is made up of two parts, the search identifiers and the condition attribute.
Detection Attribute Section
Search-Identifiers
Search identifiers represent 'what an analyst would want to search for' in the given log data. A SIGMA rule can contain one or more search identifiers. A search identifier is made up of LISTS or MAPS, where a LIST contains a list of values (elements) and a MAP is a set of key-value pairs covering event IDs, values and strings.
LISTS are usually written with a "-" dash bullet per element, implying a logical OR: a selection can have any number of elements in a list, and all of them are joined with a logical OR.
MAPS are key-value pairs, where the key is the field name in the log data and the value is the (string or integer) value expected in that field. A selection can have any number of key-value pairs, and all of them are joined with a logical AND.
Value modifiers can be used to modify values in a rule; they change how a search identifier is matched and are attached to the end of a field name after the pipe "|" character.
Value modifier: what changes when it is used (example)
- endswith: adds '*' to the beginning of the field value (example: ParentImage|endswith)
- startswith: adds '*' to the end of the field value (example: Image|startswith)
- contains: adds '*' to the beginning and end of the field value (example: CommandLine|contains)
- all: changes the default list behavior from 'or' to 'and' (example: CommandLine|contains|all)
Condition Expression
The condition attribute uses logical operators to link the search identifiers together, defining how the detection engine evaluates each search identifier in relation to the others. Search identifiers can be grouped using parentheses, e.g. (selection1 and selection2) or selection3. The condition attribute supports the following expressions to link and evaluate search identifiers:
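As an added example (not code from the original page or from the Sigma project), a small Python evaluator that applies the semantics described above: MAP pairs joined by AND, LIST values joined by OR unless |all is present, the endswith/startswith/contains modifiers, and a condition expression with and, or, not and parentheses. The detection fragment and the two Sysmon-style events are constructed for illustration; the condition evaluator does not handle the 'x of' forms.

```python
import re

# Constructed detection section (added example, not from the original page): a MAP
# selection (AND of pairs), a LIST with |all (AND), a LIST without |all (OR), a condition.
DETECTION = {
    "selection": {"Image|endswith": "\\powershell.exe", "CommandLine|contains|all": ["-nop", "-enc"]},
    "filter": {"ParentImage|startswith": ["C:\\Program Files\\", "C:\\Windows\\System32\\"]},
    "condition": "selection and not filter",
}
EVENTS = [  # constructed sample events (Sysmon-style process creation fields)
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Users\alice\Downloads\invoice.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},       # should match
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Program Files\Vendor\updater.exe",
     "CommandLine": "powershell.exe -NoP -Enc SQBFAFgA"},                  # excluded by the filter
]

def wildcard_match(value, pattern):
    """Sigma wildcards: '*' matches any run, '?' one character; comparison is case-insensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def field_matches(event, spec, patterns):
    """'Field|mod|mod': apply the modifiers to each pattern, then match the event field."""
    field, *mods = spec.split("|")
    hits = []
    for p in map(str, patterns if isinstance(patterns, list) else [patterns]):
        if "endswith" in mods:   p = "*" + p        # '*' at the beginning
        if "startswith" in mods: p = p + "*"        # '*' at the end
        if "contains" in mods:   p = "*" + p + "*"  # '*' at both ends
        hits.append(field in event and wildcard_match(str(event[field]), p))
    return all(hits) if "all" in mods else any(hits)  # |all turns the list OR into AND

def identifier_matches(event, ident):
    if isinstance(ident, dict):  # MAP: every key/value pair must hold (AND)
        return all(field_matches(event, k, v) for k, v in ident.items())
    # LIST of plain values: keyword search, any value in any field (OR)
    return any(wildcard_match(str(v), "*%s*" % kw) for kw in ident for v in event.values())

def eval_condition(cond, results):
    """Evaluate e.g. 'selection and not filter' or '(a and b) or c' over per-identifier results."""
    names = re.findall(r"\w+", cond)
    if not re.fullmatch(r"[\w\s()]+", cond) or any(n not in results and n not in ("and", "or", "not") for n in names):
        raise ValueError("unsupported condition: %r" % cond)   # e.g. '1 of them' is not handled here
    return bool(eval(cond, {"__builtins__": {}}, dict(results)))  # only whitelisted names and operators reach eval

def rule_matches(detection, event):
    results = {n: identifier_matches(event, i) for n, i in detection.items() if n != "condition"}
    return eval_condition(detection["condition"], results)
```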