A Comprehensive Guide to Sigma Rules
Sigma, created by Florian Roth and Thomas Patzke, is a generic and open signature format for SIEM systems. Its purpose is to give researchers and analysts a structured way to describe a detection method once and share it with others. A Sigma rule describes a pattern in a log source, and a converter turns that description into the query language of a particular SIEM, so the same rule can be applied to almost any log that is stored.
Supported target formats include Splunk, QRadar, ArcSight, Elasticsearch (ElastAlert, query strings, DSL, Watcher, and Kibana), and LogPoint. Sigma addresses the problem that detection logic is normally locked into one vendor's query language: instead of rewriting the same search for every product, the rule is written once and converted, which lets analysts reuse and share analytics across organizations.
Why do we need Sigma?
Threat hunters and security analysts use Sigma to describe log patterns that reveal known or suspected threats. The format is flexible, easy to write, and applicable to any type of log. Sigma is not itself a SIEM: it is an open standard in which detection logic is defined, shared, and collected, and then converted into whatever query language each SIEM uses, so that a rule written by one team improves the detection capabilities of everyone.
Some of the use cases for Sigma include:
Describe the detection methods and make them available.
Invest once in writing Sigma rules and use them on many different systems (e.g. SIEMs).
Share the signature as an appendix of your analysis.
Use the format to share the signature with other threat intel communities.
Rule Usage
Download or clone the repository
Check the ./rules subdirectory for an overview of the rule base
Run python sigmac --help in the ./tools folder to get help on the rule converter
Convert a rule of your choice with sigmac, e.g. ./sigmac -t splunk -c tools/config/generic/sysmon.yml ./rules/windows/process_creation/win_susp_whoami.yml
Convert a whole rule directory with python sigmac -t splunk -r ../rules/proxy/
Check the ./tools/config folder and the wiki if you need custom field or log source mappings for your environment
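To make the format and the conversion step concrete, here is an added example written for this article; it is not code from the Sigma project and is far smaller than sigmac. It holds a rule modelled on win_susp_whoami.yml as a parsed dictionary (the form PyYAML would give you after loading the file), evaluates it against constructed Sysmon-style process_creation events, and renders it as a Splunk search. The filter block with its monitoring_agent.exe exclusion, the event data, and the field values are hypothetical, and the Splunk rendering approximates what a sigmac backend produces rather than reproducing its exact output.

```python
"""Mini Sigma evaluator: match a rule against events and render it for Splunk.

Added example for this article, not code from the Sigma project. It supports plain
equality, the endswith/startswith/contains modifiers, lists as OR, and conditions
built from and/or/not/parentheses; the real format and sigmac support much more.
"""
import re
from typing import Any, Dict, List

# Parsed form of a rule modelled on rules/windows/process_creation/win_susp_whoami.yml.
# The "filter" block and its monitoring_agent.exe value are hypothetical, added to show
# how an "and not" exclusion behaves; they are not part of the real rule.
WHOAMI_RULE: Dict[str, Any] = {
    "title": "Whoami Execution",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\whoami.exe"},
        "filter": {"ParentImage|endswith": "\\monitoring_agent.exe"},
        "condition": "selection and not filter",
    },
    "level": "low",
}

# Constructed Sysmon-style process_creation events (not real telemetry).
EVENTS: List[Dict[str, Any]] = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\whoami.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "whoami /all"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WHOAMI.EXE",
     "ParentImage": "C:\\Program Files\\Acme\\monitoring_agent.exe", "CommandLine": "whoami"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe notes.txt"},
]

_TOKEN = re.compile(r"\(|\)|\w+")


def _match_value(actual: Any, modifier: str, pattern: Any) -> bool:
    """Compare one field value with one pattern; Sigma matching is case-insensitive."""
    a, p = str(actual).lower(), str(pattern).lower()
    if modifier == "":
        return a == p
    if modifier == "endswith":
        return a.endswith(p)
    if modifier == "startswith":
        return a.startswith(p)
    if modifier == "contains":
        return p in a
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_map(selection: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """A selection map is an AND over its keys; a list value is an OR over its entries."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event[field], modifier, v) for v in values):
            return False
    return True


class _Condition:
    """Recursive-descent evaluator for conditions like 'a and not (b or c)'."""
    def __init__(self, detection: Dict[str, Any], event: Dict[str, Any]):
        self.det, self.event = detection, event
        self.toks, self.pos = _TOKEN.findall(detection["condition"]), 0

    def _next(self) -> str:
        self.pos += 1
        return self.toks[self.pos - 1]

    def _peek(self) -> str:
        return self.toks[self.pos] if self.pos < len(self.toks) else ""

    def expr(self) -> bool:  # or_expr := and_expr ('or' and_expr)*
        value = self._and()
        while self._peek() == "or":
            self._next()
            value = self._and() or value  # always evaluate the right side: it consumes tokens
        return value

    def _and(self) -> bool:  # and_expr := not_expr ('and' not_expr)*
        value = self._not()
        while self._peek() == "and":
            self._next()
            value = self._not() and value
        return value

    def _not(self) -> bool:  # not_expr := 'not' not_expr | atom
        if self._peek() == "not":
            self._next()
            return not self._not()
        return self._atom()

    def _atom(self) -> bool:  # atom := '(' or_expr ')' | selection_name
        tok = self._next()
        if tok == "(":
            value = self.expr()
            if self._next() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return value
        return _match_map(self.det[tok], self.event)


def matches(rule: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """True if the rule's condition holds for this event."""
    return _Condition(rule["detection"], event).expr()


def hunt(rule: Dict[str, Any], events: List[Dict[str, Any]]) -> List[str]:
    """Return the CommandLine of every event the rule fires on."""
    return [e["CommandLine"] for e in events if matches(rule, e)]


def to_splunk(rule: Dict[str, Any]) -> str:
    """Render the rule as a Splunk search (an approximation of a sigmac backend):
    modifiers become wildcards, backslashes are doubled inside the quoted value,
    and the condition's and/or/not become Splunk's AND/OR/NOT."""
    det = rule["detection"]

    def term(key: str, expected: Any) -> str:
        field, _, mod = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]

        def lit(v: Any) -> str:
            v = str(v).replace("\\", "\\\\").replace('"', '\\"')
            return {"endswith": f"*{v}", "startswith": f"{v}*", "contains": f"*{v}*"}.get(mod, v)

        parts = [f'{field}="{lit(v)}"' for v in values]
        return parts[0] if len(parts) == 1 else "(" + " OR ".join(parts) + ")"

    def render(tok: str) -> str:
        if tok in ("and", "or", "not"):
            return tok.upper()
        if tok in ("(", ")"):
            return tok
        return "(" + " ".join(term(k, v) for k, v in det[tok].items()) + ")"

    return " ".join(render(t) for t in _TOKEN.findall(det["condition"]))


if __name__ == "__main__":
    print(hunt(WHOAMI_RULE, EVENTS))
    print(to_splunk(WHOAMI_RULE))
```

Running it fires on the whoami launched from cmd.exe only: the second event is excluded by the hypothetical filter even though its image name is upper-case, because Sigma matching is case-insensitive, and the third never matches the selection. The rendered search shows why the conversion step matters: the single rule becomes `Image="*\\whoami.exe"`-style wildcards and AND/NOT keywords for Splunk, and a different backend would emit the same logic in its own syntax.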
To learn more about Sigma, read the official GitHub page for more information: Generic Signature Format for SIEM Systems