SIGMA Detection Attributes

Detection Attribute

SIGMA Detection section is the core for SIGMA rule, underlying engine interprets content of this section validates, evaluate the logic for detection. Detection Attribute is made of two parts – Search Identifiers & the Condition Attributes.

Search-Identifiers

Search-Identifiers represent ‘what an analyst would want to search for’ on the given log data. A SIGMA rule can contain a single or multiple search-identifiers. Search-Identifier are up made of LISTS or MAPS, where “LISTS” contain a list of values (elements) and "MAPS" (Key-Value pair) that includes Event-IDs, Values, Strings.

LISTS are often represented with a "–" dash bullet implying logical "OR", Selection can have any number of elements in a list, all are joined with logical 'OR'.

Detection Search-Identifier (LIST Example)

Detection Search-Identifier (LIST Example)
`### LISTS Example detection: selection: ParentImage\|endswith: - '\cmd.exe' - '\powershell.exe' condition: selection`
Condition evaluates & matches: `(ParentImage == '\cmd.exe' OR ParentImage == '\powershell.exe')`

### LISTS Example
detection:
  selection:
    ParentImage|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
  condition: selection

Condition evaluates & matches: (ParentImage == '\cmd.exe' OR ParentImage == '\powershell.exe')

MAPS are Key-Value pairs, where 'Key' is the field name of the log data, and 'Value' is the data (string/integer) value in given log data, Selection can have any number of Key-Value pairs, all are joined with logical 'AND'

Detection Search-Identifier (MAPS Example)

Detection Search-Identifier (MAPS Example)
`### MAPS Example detection: selection: Image\|endswith: '\wmic.exe' CommandLine\|contains: ' /node:' condition: selection`
Condition evaluates & matches: `(Image == 'wmic.exe' AND CommandLine == '/node:')`

### MAPS Example
detection:
  selection:
    Image|endswith: '\wmic.exe'	 
    CommandLine|contains: ' /node:' 
  condition: selection

Condition evaluates & matches: (Image == 'wmic.exe' AND CommandLine == '/node:')

Value Modifiers

Value Modifiers can be used to modify values in a rule, Value Modifiers can change search-identifier behavior and are attached to the end of a field name after the pipe “|” character.

Value Modifier	What changes, when value modifiers are used	Example
endswith	Adds ‘*’ to the beginning of the field value	ParentImage\|endswith
startswith	Adds ‘*’ to the end of the field value	Image\|startswith
contains	Adds ‘*’ to beginning & end of the field value	CommandLine\|contains
all	Changes the default list behavior from ‘or’ to ‘and’	CommandLine\|contains\|all

Value Modifier

What changes, when value modifiers are used

Example

endswith

Adds ‘*’ to the beginning of the field value

ParentImage|endswith

startswith

Adds ‘*’ to the end of the field value

Image|startswith

contains

Adds ‘*’ to beginning & end of the field value

CommandLine|contains

all

Changes the default list behavior from ‘or’ to ‘and’

CommandLine|contains|all

Condition Expression

Condition Attributes uses logical operators to link elements in Search-Identifiers together, defining how the detection engine will process each search-identifiers in relation to others. Search-Identifiers can be grouped using parenthesis — e.g. (selection1 and selection2) or selection3, Condition attribute supports the following expressions to link and evaluate search-identifiers:

Condition Operators	Example
Logical operators AND/OR	selection1 OR selection2
1/all of search-identifier	1 of selection*
1/all of them	all of them
Negation with ‘NOT’	selection1 AND NOT filter
Order of operation ‘()’	1 of selection* AND NOT (filter1 or filter2)

Condition Operators

Example

Logical operators AND/OR

selection1 OR selection2

1/all of search-identifier

1 of selection*

1/all of them

all of them

Negation with ‘NOT’

selection1 AND NOT filter

Order of operation ‘()’

1 of selection* AND NOT (filter1 or filter2)