BluSapphire
Search…
Introduction
Product Videos
Unified Cyber Defense Platform
The Stack
Features and capabilities
Operations
Architecture
Integration
Cisco pxGrid Integration
MITRE ATT&CK
MITRE ATT&CK Coverage by Tactic
MITRE ATT&CK Coverage by Technique
BluArmour Endpoint Protection
BluArmour For ICS / AirGapped Networks
BluArmour Pre-Deployment Checklist & Roll out Process
Deploy BluArmour via SCCM
BluGenie
SIGMA Rules
SIGMA Detection Attributes
Understanding SIGMA Rule
Creating SIGMA Rule
Use cases
Threat Intel Sources
Windows Logging Recommendations
Lateral Movement Logging Recommendations
Windows Advanced Auditing Recommendations
GPO for Service Account, WinRM and WMI
Log Forwarding - How To
Mirror / SPAN port configuration
Cloud Log Forwarding
Deploy Micro-Agent/Sysmon via GPO
Threat Hunt
Appendix A
Powered By GitBook
SIGMA Detection Attributes

Detection Attribute

SIGMA Detection section is the core for SIGMA rule, underlying engine interprets content of this section validates, evaluate the logic for detection. Detection Attribute is made of two parts – Search Identifiers & the Condition Attributes.
Detection Attribute Section

Search-Identifiers

Search-Identifiers represent ‘what an analyst would want to search for’ on the given log data. A SIGMA rule can contain a single or multiple search-identifiers. Search-Identifier are up made of LISTS or MAPS, where “LISTS” contain a list of values (elements) and "MAPS" (Key-Value pair) that includes Event-IDs, Values, Strings.
  • LISTS are often represented with a "–" dash bullet implying logical "OR", Selection can have any number of elements in a list, all are joined with logical 'OR'.
Detection Search-Identifier (LIST Example)
1
### LISTS Example
2
detection:
3
selection:
4
ParentImage|endswith:
5
- '\cmd.exe'
6
- '\powershell.exe'
7
condition: selection
Copied!
Condition evaluates & matches: (ParentImage == '\cmd.exe' OR ParentImage == '\powershell.exe')
  • MAPS are Key-Value pairs, where 'Key' is the field name of the log data, and 'Value' is the data (string/integer) value in given log data, Selection can have any number of Key-Value pairs, all are joined with logical 'AND'
Detection Search-Identifier (MAPS Example)
1
### MAPS Example
2
detection:
3
selection:
4
Image|endswith: '\wmic.exe'
5
CommandLine|contains: ' /node:'
6
condition: selection
Copied!
Condition evaluates & matches: (Image == 'wmic.exe' AND CommandLine == '/node:')
LISTS-MAPS

Value Modifiers

Value Modifiers can be used to modify values in a rule, Value Modifiers can change search-identifier behavior and are attached to the end of a field name after the pipe “|” character.
Value Modifier
What changes, when value modifiers are used
Example
endswith
Adds ‘*’ to the beginning of the field value
ParentImage|endswith
startswith
Adds ‘*’ to the end of the field value
Image|startswith
contains
Adds ‘*’ to beginning & end of the field value
CommandLine|contains
all
Changes the default list behavior from ‘or’ to ‘and’
CommandLine|contains|all

Condition Expression

Condition Attributes uses logical operators to link elements in Search-Identifiers together, defining how the detection engine will process each search-identifiers in relation to others. Search-Identifiers can be grouped using parenthesis — e.g. (selection1 and selection2) or selection3, Condition attribute supports the following expressions to link and evaluate search-identifiers:
Condition Operators
Example
Logical operators AND/OR
selection1 OR selection2
1/all of search-identifier
1 of selection*
1/all of them
all of them
Negation with ‘NOT’
selection1 AND NOT filter
Order of operation ‘()’
1 of selection* AND NOT (filter1 or filter2)
Previous
SIGMA Rules
Next
Understanding SIGMA Rule
Last modified 4mo ago
Copy link
Contents
Detection Attribute
Search-Identifiers
Value Modifiers
Condition Expression