{
"$schema": "https://json-schema.org/draft/2020-12/schema#",
"title": "Sigma rule specification V2.0.0 (2024-08-08)",
"type": "object",
"required": ["title", "logsource", "detection"],
"properties": {
"title": {
"type": "string",
"maxLength": 256,
"description": "A brief title for the rule that states what the rule is supposed to detect"
},
"id": {
"type": "string",
"description": "A globally unique identifier for the Sigma rule. A UUID v4 is recommended but not mandatory; note that validators which enforce the 'uuid' format annotation below will reject non-UUID identifiers.",
"format": "uuid"
},
"related": {
"type": "array",
"description": "A list of related Sigma rules to keep track of the relationships between detections. This can be used to indicate that a rule is derived from another rule, or that a rule has been obsoleted by another rule.",
"items": {
"type": "object",
"required": ["id", "type"],
"properties": {
"id": {
"type": "string",
"description": "The globally unique identifier of the referred Sigma rule. A UUID v4 is recommended but not mandatory; note that validators which enforce the 'uuid' format annotation below will reject non-UUID identifiers.",
"format": "uuid"
},
"type": {
"type": "string",
"oneOf": [
{
"const": "derived",
"description": "The rule was derived from the referred rule or rules, which may remain active"
},
{
"const": "obsolete",
"description": "The rule obsoletes the referred rule or rules, which aren't used anymore"
},
{
"const": "merged",
"description": "The rule was merged from the referred rules. The rules may be still existing and in use"
},
{
"const": "renamed",
"description": "The rule previously had the referred identifier or identifiers but was renamed, e.g. from a private naming scheme to UUIDs or to resolve collisions. A rule with the referred id is not expected to exist anymore"
},
{
"const": "similar",
"description": "Used to relate similar rules to each other (e.g. the same detection content applied to different log sources, or a modified version of another rule with a different level)"
}
]
}
}
}
},
"name": {
"type": "string",
"maxLength": 256,
"description": "A unique, human-readable name that can be used instead of the id as a reference in correlation rules"
},
"taxonomy":{
"type": "string",
"maxLength": 256,
"description": "Defines the taxonomy used in the Sigma rule"
},
"status": {
"type": "string",
"oneOf": [
{
"const": "stable",
"description": "The rule didn't produce any obvious false positives in multiple environments over a long period of time"
},
{
"const": "test",
"description": "The rule doesn't show any obvious false positives on a limited set of test systems"
},
{
"const": "experimental",
"description": "A new rule that hasn't been tested outside of lab environments and could lead to many false positives"
},
{
"const": "deprecated",
"description": "The rule was replaced or is now covered by another one. The link between both rules is made via the `related` field"
},
{
"const": "unsupported",
"description": "The rule cannot be used in its current state (e.g. it depends on a special correlation log source or on custom fields)"
}
]
},
"description": {
"type": "string",
"description": "A short description of the rule and the malicious activity that can be detected",
"maxLength": 65535
},
"license": {
"type": "string",
"description": "License of the rule as an SPDX license identifier (https://spdx.dev/ids/)"
},
"author": {
"type": "string",
"description": "Creator of the rule (a name, nickname, Twitter handle, etc.)"
},
"references": {
"type": "array",
"description": "References to the sources the rule was derived from, such as blog articles, technical papers, presentations or tweets. Items are free-form strings and are not validated as URIs.",
"uniqueItems": true,
"items": {
"type": "string"
}
},
"date": {
"type": "string",
"description": "Creation date of the rule in ISO 8601 format YYYY-MM-DD. The pattern checks the syntax only; it does not verify that the day is valid for the given month.",
"pattern": "^\\d{4}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])$"
},
"modified": {
"type": "string",
"description": "Last modification date of the rule in ISO 8601 format YYYY-MM-DD. The pattern checks the syntax only; it does not verify that the day is valid for the given month.",
"pattern": "^\\d{4}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])$"
},
"logsource": {
"type": "object",
"description": "The log source that the rule is supposed to detect malicious activity in.",
"properties": {
"category": {
"description": "Group of products, like firewall or process_creation",
"type": "string"
},
"product": {
"description": "A certain product, like windows",
"type": "string"
},
"service": {
"description": "A subset of a product's logs, like sshd",
"type": "string"
},
"definition":{
"description": "Optional free-text description of the log source",
"type": "string"
}
}
},
"detection": {
"type": "object",
"required": ["condition"],
"description": "A set of search-identifiers that represent properties of searches on log data",
"additionalProperties": {
"description": "A Search Identifier: A definition that can consist of two different data structures - lists and maps.",
"anyOf": [
{
"type": "array",
"items": {
"anyOf": [
{
"type": "string"
},
{
"type": "integer"
},
{
"type": "object",
"items": {
"type": "string"
}
}
]
}
},
{
"type": "object",
"items": {
"type": "string"
}
}
]
},
"properties": {
"condition": {
"type": "string",
"description": "The relationship between the search identifiers that forms the detection logic, e.g. 'selection1 or selection2'"
}
}
},
"fields": {
"type": "array",
"description": "A list of log fields that could be interesting in further analysis of the event and should be displayed to the analyst",
"uniqueItems": true,
"items": {
"type": "string"
}
},
"falsepositives": {
"description": "A list of known false positives that may occur",
"uniqueItems": true,
"type": "array",
"items": {
"type": "string",
"minLength": 2
}
},
"level": {
"type": "string",
"description": "The criticality of a triggered rule",
"oneOf": [
{
"const": "informational",
"description": "Rule is intended for enrichment of events, e.g. by tagging them. No case or alerting should be triggered by such rules because it is expected that a huge amount of events will match these rules"
},
{
"const": "low",
"description": "Notable event but rarely an incident. Low rated events can be relevant in high numbers or combination with others. Immediate reaction shouldn't be necessary, but a regular review is recommended"
},
{
"const": "medium",
"description": "Relevant event that should be reviewed manually on a more frequent basis"
},
{
"const": "high",
"description": "Relevant event that should trigger an internal alert and requires a prompt review"
},
{
"const": "critical",
"description": "Highly relevant event that indicates an incident. Critical events should be reviewed immediately. It is used only for cases in which probability borders certainty"
}
]
},
"tags": {
"description": "Tags to categorize a Sigma rule.",
"type": "array",
"uniqueItems": true,
"items": {
"type": "string",
"pattern": "^[a-z0-9_-]+\\.[a-z0-9._-]+$"
}
},
"scope":{
"description": "A list describing the intended scope of the rule",
"type": "array",
"items": {
"type": "string",
"minLength": 2
}
}
}
}