Creating SIGMA Rule

Rules to be followed

Following are some basic rules to be followed while writing a sigma rule:

Follows YAML format, use only spaces (no tabs).
All values are case-insensitive strings
You can make use of wildcard characters '*' and '?' in strings e.g., '*\cmd.exe'
Wildcards can be escaped with '\' e.g., '*'
Special Field Values:
- Null values are defined with 'null'
- Empty value is defined with ''

Note: It is strongly advisable to use an IDE like VSCode (free from Microsoft) to edit / work with Sigma files. They natively support YAML formatting and can help you save a lot of heartburn w.r.t to YAML formatting.

Creating New Rule from Portal

Steps on creation/modification and deployment of new/existing sigma rules from within Blusapphire SIEM Portal.

Step 1: From Blusapphire portal, navigate to “Rule Management" page available under “Entity Behavior” menu item.

Step 2: To create a new rule, click on “New” button available on top right side. As described earlier in this document:

Provide an appropriate rule name

2. Provide the required metadata fields

3. Provide required Logsource as per specifications, define the search-identifiers (selection/filters) for the rule and the condition expression.

5. Finally check, validate and save the new rule.

6. Newly created rules will be enabled by default.

Update Existing Rule from Portal

To update an existing rule from portal, Navigate to “Rule Management" page under “Entity Behavior” menu item.

Use filters to search for an existing rule

2. Make the required changes in the rule, validate and save.

PreviousUnderstanding SIGMA Rule Next09_CaseHub

Last updated 2 years ago