SIGMA Rules

What is Sigma ?

While we've Snort rules for detecting Network Traffic, Yara Signatures for identifying suspicious files, consider Sigma rules for searching/pattern matching through log data.

Sigma is a generic and open signature format that allows analysts to write & describe searches on log data in a straightforward manner. These rules can be converted and applied to many log management or SIEM systems.

Writing Sigma rules is easy and follows the YAML format, which is quite flexible to accommodate custom fields.

Note: It is strongly advisable to use an IDE like VSCode (free from Microsoft) to edit / work with Sigma files. They natively support YAML formatting and can help you save a lot of heartburn w.r.t to YAML formatting.

Rule structure

Structure of SIGMA rule quite simple to understand, rule consists of few mandatory attributes and others optional ones. Lets understand the rule structure and attributes within, a sigma rule can be grouped into three sections “Metadata, Logsource, Detection”.

  1. Metadata: This section has fields that are common across all Sigma rules. It consists of the id, title, author, status, description, references, date, level and tags

    • Date [optional]: The date the rule was created.

    • Status [optional]: Indicates the status of the rule and takes three different values.

    • Description [optional]: Rule description Author [optional]: Person who has written the rule.

    • References [optional]: Keyword references can be written in this section.

    • Level [optional]: The criticality level of the rule should be written. Low, Medium, High, Critical.

    • Tags [optional]: Tag rule, keep it short e.g attack.t1035

  2. Logsource: This section describes the log data on which the detection is meant to be applied. It consists of three sub-attributes which define the details of the log source. Log Source consists of category, product, service and type fields, and can define as

    • Category – e.g.: Firewall, Proxy, Web, Antivirus, Process_Creation

    • Product – e.g.: Windows, Apache, Symantec

    • Service – e.g.: System, AppLocker, Security, Sysmon

    • Definition – e.g.: Information that describes the log source

  3. Detection: This section is made of two parts – Search Identifiers & the Condition Attributes and is core for any sigma rule, will get in more detailed in next article.

Last updated