A Comprehensive Guide to Sigma Rules

Sigma, created by Florian Roth and Thomas Patzke, is a generic and open signature format for SIEM systems. Its purpose is to give researchers and analysts a structured form in which a detection method is written down once and can then be shared with others. A Sigma rule can describe almost any pattern that appears in stored log data.

Supported target formats of the sigmac converter include Splunk, QRadar, ArcSight, Elasticsearch (Elastalert, query strings, DSL, Watcher and Kibana) and Logpoint. Sigma addresses the problem of sharing log-based signatures: a rule is written once in a vendor-neutral form and converted into each target's query language, so detection analytics can be re-used and shared across organizations.

Why do we need Sigma?

Threat hunters and security analysts use Sigma to describe the log patterns that reveal known or unknown threats. The format is flexible, easy to write, and applicable to any type of log. Sigma is not itself a SIEM: a rule is converted into the query language of whichever SIEM is in use, so the same rule works the same way across products. It is an open standard in which detection methods can be defined, shared, and collected to improve detection capabilities for everyone.

Some of the use cases for Sigma include:

Describe detection methods and make them available to others.

Write rules once in Sigma and use them on many different systems (e.g. SIEMs).

Share the signature as an appendix to your analysis.

Use the format to share signatures with other threat intel communities.

Rule Usage

Download or clone the repository.

Check the ./rules sub directory for an overview of the rule base.

Run python sigmac --help in the folder ./tools to get help on the rule converter.

Convert a rule of your choice with sigmac, like ./sigmac -t splunk -c tools/config/generic/sysmon.yml ./rules/windows/process_creation/win_susp_whoami.yml

Convert a whole rule directory with python sigmac -t splunk -r ../rules/proxy/

Check the ./tools/config folder and the wiki if you need custom field or log source mappings in your environment. The -c config is what ties a rule's generic field names and log source to the fields and indexes your SIEM actually has; without it, a converted query may run but match nothing. Note that sigmac is the legacy converter: the Sigma project has since replaced it with pySigma and the sigma-cli tool, but the workflow (rule, target backend, field mapping config) is the same.
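The steps above convert a rule and leave the matching to the SIEM. To make concrete what a rule expresses and what the converter step produces, here is an added example that is not code from the Sigma project (it is neither sigmac nor pySigma): a toy matcher that evaluates a Sigma-style rule directly against events, plus a converter that emits an approximation of the Splunk search sigmac would produce. Everything in it is constructed for illustration: the rule (the inventory_agent.exe filter is fictional), the CONFIG dict standing in for tools/config/generic/sysmon.yml, and the three Sysmon-style events; the Splunk output only approximates sigmac's and is not byte-for-byte what it emits.

```python
# Added example (not sigmac/pySigma): a toy Sigma matcher and Splunk converter for a subset of the format.
import fnmatch
import re

# Constructed rule, as the dict yaml.safe_load() returns for this Sigma YAML
# (the filter on a fictional inventory_agent.exe parent process is made up):
#   detection:
#     selection: {Image|endswith: '\whoami.exe'}
#     filter: {ParentImage|endswith: '\inventory_agent.exe'}
#     condition: selection and not filter
RULE = {
    "title": "Suspicious whoami Execution (constructed example)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": r"\whoami.exe"},
        "filter": {"ParentImage|endswith": r"\inventory_agent.exe"},
        "condition": "selection and not filter",
    },
}

# Constructed stand-in for tools/config/generic/sysmon.yml: Splunk prefix per logsource, Sigma field -> SIEM field.
CONFIG = {
    "logsources": {("windows", "process_creation"):
                   'source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1'},
    "fieldmappings": {"Image": "Image", "ParentImage": "ParentImage"},
}

# Sigma string matching is case-insensitive; plain values allow * and ? wildcards.
MODIFIERS = {
    "endswith": lambda a, e: a.endswith(e),
    "startswith": lambda a, e: a.startswith(e),
    "contains": lambda a, e: e in a,
    "": fnmatch.fnmatchcase,
}

def selection_matches(selection, event):
    """Every field in a selection must match (AND); a list of values is OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        values = expected if isinstance(expected, list) else [expected]
        if actual is None or not any(
                MODIFIERS[modifier](str(actual).lower(), str(v).lower()) for v in values):
            return False
    return True

def eval_condition(condition, results):
    """Evaluate and/or/not (with parentheses) over per-selection results; tokens are whitelisted before eval()."""
    expr = []
    for token in re.findall(r"\(|\)|\w+", condition):
        if token in ("and", "or", "not", "(", ")"):
            expr.append(token)
        elif token in results:
            expr.append(str(results[token]))
        else:
            raise ValueError("unsupported condition token: " + token)
    return eval(" ".join(expr), {"__builtins__": {}}, {})

def rule_matches(rule, event):
    detection = rule["detection"]
    results = {name: selection_matches(sel, event)
               for name, sel in detection.items() if name != "condition"}
    return eval_condition(detection["condition"], results)

def run_rule(rule, events):
    return [e for e in events if rule_matches(rule, e)]

def to_splunk(rule, config):
    """Approximate 'sigmac -t splunk': logsource prefix, then the condition with selections expanded to field searches."""
    wrap = {"endswith": "*{}", "startswith": "{}*", "contains": "*{}*", "": "{}"}
    def selection_to_spl(selection):
        parts = []
        for key, expected in selection.items():
            field, _, modifier = key.partition("|")
            field = config["fieldmappings"].get(field, field)
            terms = ['{}="{}"'.format(field, wrap[modifier].format(str(v).replace("\\", "\\\\")))
                     for v in (expected if isinstance(expected, list) else [expected])]
            parts.append("(" + " OR ".join(terms) + ")" if len(terms) > 1 else terms[0])
        return " ".join(parts)
    spl = []
    for token in re.findall(r"\(|\)|\w+", rule["detection"]["condition"]):
        if token in ("and", "or", "not"):
            spl.append(token.upper())
        elif token in ("(", ")"):
            spl.append(token)
        else:
            spl.append("(" + selection_to_spl(rule["detection"][token]) + ")")
    ls = rule["logsource"]
    return config["logsources"][(ls["product"], ls["category"])] + " " + " ".join(spl)

# Constructed Sysmon-style process creation events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\whoami.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WHOAMI.EXE",  # case differs, selection still matches,
     "ParentImage": r"C:\Program Files\Inventory\inventory_agent.exe"},  # but the filter excludes it
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__": print(to_splunk(RULE, CONFIG), *run_rule(RULE, EVENTS), sep="\n")
```

Running the script prints the generated Splunk search followed by the single event the rule fires on: the whoami.exe launched from cmd.exe. The upper-case WHOAMI.EXE event matches the selection (Sigma string comparison is case-insensitive) but is dropped by the `and not filter` clause, which is exactly the tuning mechanism you use in a real rule to exclude a known-benign parent process. The backslash escaping in to_splunk is the kind of target-specific detail the converter backends exist to hide from the rule author.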

To learn more about Sigma, read the official GitHub page: Generic Signature Format for SIEM Systems.
