From 404e3437c44512c3958a938f394ce3da6ba0e426 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 11 Aug 2023 08:35:59 +0200 Subject: [PATCH 1/7] sigmahq title first draft Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> --- sigmahq/sigmahq_title_rule.md | 87 +++++++++++++++++++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 sigmahq/sigmahq_title_rule.md diff --git a/sigmahq/sigmahq_title_rule.md b/sigmahq/sigmahq_title_rule.md new file mode 100644 index 0000000..69fa93d --- /dev/null +++ b/sigmahq/sigmahq_title_rule.md 
@@ -0,0 +1,87 @@ +# SigmaHQ Rule Conventions + +This document describes how to write a title for a sigma rule. +It is impossible to be exhaustive, so it is more of a guide than a standard. + +## Summary + +- [Summary](#summary) +- [Generality](#generality) +- [Structure](#structure) + - [Prefix](#prefix) + - [Suffix](#suffix) + - [Description](#description) + + +## Generality + +Bear in mind that the title is the first thing the operator will see. +It should therefore be used as a clue to guide the consideration of the alert. + +The title and level of the rule must be consistent + + +## Structure + +Title can be split with "-" : `Prefix - Description - Sufix` + +### Prefix +It is Optional. +It is used to give a category or type of malware, an APT + +Commun wordding: +- Hack Tool +- Lolbin (lolbas) +- PUA +- Remote Access Tool + +Specific wording example: +- "ATP27 - " +- "ATP29 - " +- "UNC2452 - " +- "UNC4841 - " + +### Suffix +It is Optional. +It is used to differentiate the same detection but on a different logsource. + +Exemple: +```yaml +title: Invoke-Obfuscation Obfuscated IEX Invocation +title: Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell +title: Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module +title: Invoke-Obfuscation Obfuscated IEX Invocation - Security +title: Invoke-Obfuscation Obfuscated IEX Invocation - System +``` + +### Description + +The point here is to explain the alert in a meaningful way. +The title does not need to use the terms "Detect", "Detection" or "Detection". + +We use a simple formula to describe the alert. +Example: +- "7Zip Compressing ..." +- "Add User to ..." +- "Bypass UAC Using ..." +- "Renamed xxx Execution" +- "UAC Bypass Using ..." + + +`informational` and `low` are not intended for everyday use and are subject to many false positives. +The title should therefore be general. 
+ +Example : `Net.exe Execution` + +`medium` rules can have false positives and requires further analysis +Wording : +- "Suspicious " + + +`high` rules requires a prompt review +Wording : +- "Potential " + + +`critical` rules should be reviewed immediately +The title must therefore be precise. \ No newline at end of file From 7d2e66f0ce9fe908aa53919f2f967fc08dfb29c2 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 11 Aug 2023 10:22:37 +0200 Subject: [PATCH 2/7] feat: apply suggestions from code review --- sigmahq/sigmahq_title_rule.md | 41 +++++++++++++++++++++-------------- 1 file changed, 25 insertions(+), 16 deletions(-) diff --git a/sigmahq/sigmahq_title_rule.md b/sigmahq/sigmahq_title_rule.md index 69fa93d..1e92e8f 100644 --- a/sigmahq/sigmahq_title_rule.md +++ b/sigmahq/sigmahq_title_rule.md @@ -1,7 +1,9 @@ # SigmaHQ Rule Conventions -This document describes how to write a title for a sigma rule. -It is impossible to be exhaustive, so it is more of a guide than a standard. +This document provide general guidelines and tips on how to write a title for a sigma rule. + +Note that this is by no means an exhaustive list, it is meant to be more of a general guide for inspiration and to reduce exchange during PRs + ## Summary 
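Review bot: The threat-actor prefix examples in the single hunk of PATCH 1/7 read "ATP27 - " and "ATP29 - ", which look like transposed "APT27 - " and "APT29 - "; worth confirming before the list gets copied into rule titles. Several spellings in the same hunk need fixing: "Sufix" in the `Prefix - Description - Sufix` structure line, "Commun wordding:" and "Exemple:" as list headers, and the quoted terms "Detect", "Detection" or "Detection" repeat "Detection" where a third term was presumably meant. The Suffix example is fenced as ```yaml but lists five top-level `title:` keys in one document, which is not valid YAML (duplicate keys); since it is a list of alternative titles rather than a rule, a ```text fence or one `title:` per document would avoid confusing a YAML-aware reader. The level guidance also sits badly with "The title and level of the rule must be consistent": `informational` and `low` are described as "subject to many false positives" while `medium` "can have false positives", which gives no usable ordering between the levels. The file ends without a trailing newline ("\ No newline at end of file").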
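Review bot: In the first hunk of PATCH 2/7 (@@ -1,7 +1,9 @@), "This document provide general guidelines" needs "provides", and the following sentence is a comma splice that also lacks a full stop; splitting it reads cleanly: "Note that this is by no means an exhaustive list. It is meant to be a general guide for inspiration and to reduce back-and-forth during PRs."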
@@ -15,37 +17,42 @@ It is impossible to be exhaustive, so it is more of a guide than a standard. ## Generality -Bear in mind that the title is the first thing the operator will see. -It should therefore be used as a clue to guide the consideration of the alert. +Bearing in mind that the title is one of the first things that an analyst will see. It should therefore be used as a clue and be clear as possible to guide the consideration of the alert. The title and level of the rule must be consistent + ## Structure -Title can be split with "-" : `Prefix - Description - Sufix` +Titles can be split with "-" : `Prefix - Description - Sufix` + + +### Prefix (Optional) -### Prefix -It is Optional. It is used to give a category or type of malware, an APT -Commun wordding: -- Hack Tool -- Lolbin (lolbas) +Examples: + +- HackTool - PUA - Remote Access Tool + Specific wording example: - "ATP27 - " - "ATP29 - " - "UNC2452 - " - "UNC4841 - " -### Suffix -It is Optional. -It is used to differentiate the same detection but on a different logsource. +### Suffix (Optional) + +Sometimes the detection are duplicated across different log-source with little changes to their logic. This is common in the case of Process Creation rules targeting the PowerShell process and rules using ScriptBlockText to check for the same. A suffix in this case will be used to offer such distinction. + + +Example: + -Exemple: ```yaml title: Invoke-Obfuscation Obfuscated IEX Invocation title: Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell @@ -75,12 +82,14 @@ Example : `Net.exe Execution` `medium` rules can have false positives and requires further analysis Wording : -- "Suspicious " +- "Potential " + `high` rules requires a prompt review Wording : -- "Potential " +- "Suspicious " + `critical` rules should be reviewed immediately From 3bf919db09d8e97f97d49198f381e2df52a53db4 Mon Sep 17 00:00:00 2001 
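Review bot: Renaming the headings to "### Prefix (Optional)" and "### Suffix (Optional)" in the second hunk of PATCH 2/7 (@@ -15,37 +17,42 @@) breaks the Summary links, which still point at `#prefix` and `#suffix`; GitHub derives the anchor from the heading text, so these become `#prefix-optional` and `#suffix-optional`, and the table of contents should be updated in the same change. Also in this hunk: "Sufix" carries over from the draft in `Prefix - Description - Sufix`, "Bearing in mind that the title is one of the first things that an analyst will see." is a dependent clause left standing as a sentence, and "the detection are duplicated across different log-source" should read "the detections are duplicated across different logsources".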
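Review bot: Swapping the keywords in the third hunk of PATCH 2/7 (@@ -75,12 +82,14 @@) so that `medium` maps to "Potential " and `high` to "Suspicious " reverses the draft's mapping, but neither the hunk nor the commit message ("feat: apply suggestions from code review") records why; since contributors will apply this table mechanically, a one-line rationale next to each keyword (what "Potential" versus "Suspicious" is meant to signal about expected false positives) would make the convention reproducible. Grammar in the same hunk: "`medium` rules can have false positives and requires" and "`high` rules requires" should both be "require".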
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 11 Aug 2023 12:59:42 +0200 Subject: [PATCH 3/7] fix: apply suggestions from code review Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- sigmahq/sigmahq_title_rule.md | 39 +++++++++++++++++++++++------------ 1 file changed, 26 insertions(+), 13 deletions(-) diff --git a/sigmahq/sigmahq_title_rule.md b/sigmahq/sigmahq_title_rule.md index 1e92e8f..bbe8abc 100644 --- a/sigmahq/sigmahq_title_rule.md +++ b/sigmahq/sigmahq_title_rule.md @@ -1,8 +1,10 @@ # SigmaHQ Rule Conventions -This document provide general guidelines and tips on how to write a title for a sigma rule. +This document provides general guidelines and tips on how to write titles for sigma rules. + + +Note that this is by no means an exhaustive list. It is meant to be a general guide for inspiration and to have an easily sharable resource for new contributors (e.g. a resource to link at in PR discussions). -Note that this is by no means an exhaustive list, it is meant to be more of a general guide for inspiration and to reduce exchange during PRs ## Summary @@ -17,7 +19,8 @@ Note that this is by no means an exhaustive list, it is meant to be more of a ge ## Generality -Bearing in mind that the title is one of the first things that an analyst will see. It should therefore be used as a clue and be clear as possible to guide the consideration of the alert. +Bearing in mind that the title is one of the first things that an analyst will see. It should therefore be used as a clue and be as clear as possible to guide the assessment of the alert. + The title and level of the rule must be consistent @@ -30,7 +33,8 @@ Titles can be split with "-" : `Prefix - Description - Sufix` ### Prefix (Optional) -It is used to give a category or type of malware, an APT +It is used to give a category, type of malware or name a threat actor. The choice depends highly on the type of rule. + Examples: 
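Review bot: "a resource to link at in PR discussions" in the first hunk of PATCH 3/7 (@@ -1,8 +1,10 @@) should be "a resource to link to in PR discussions", and the hunk inserts extra blank lines around the note paragraph that the rest of the file does not use (a later patch in this series strips them again); single blank lines between paragraphs would avoid that churn.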
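Review bot: "Bearing in mind that the title is one of the first things that an analyst will see." in the second hunk of PATCH 3/7 (@@ -17,7 +19,8 @@) is still a fragment after the rewrite; merging it with the next sentence fixes it: "Bear in mind that the title is one of the first things an analyst will see, so it should be as clear as possible and serve as a clue guiding the assessment of the alert." The unchanged context line "The title and level of the rule must be consistent" also still lacks a full stop.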
@@ -47,7 +51,8 @@ Specific wording example: ### Suffix (Optional) -Sometimes the detection are duplicated across different log-source with little changes to their logic. This is common in the case of Process Creation rules targeting the PowerShell process and rules using ScriptBlockText to check for the same. A suffix in this case will be used to offer such distinction. +Sometimes the detections are duplicated across different `logsource`s with little changes to their logic. This is common in the case of Process Creation rules targeting the PowerShell process. Those rules are typically duplicated for the different PowerShell `logsource`s using ScriptBlockText to check for the same characteristics. A suffix in this case will be used to differentiate between the rules of the different `logsource`s. + Example: @@ -63,7 +68,8 @@ title: Invoke-Obfuscation Obfuscated IEX Invocation - System ### Description -The point here is to explain the alert in a meaningful way. +The point of a description is to explain the alert in a meaningful way. + The title does not need to use the terms "Detect", "Detection" or "Detection". We use a simple formula to describe the alert. 
@@ -75,22 +81,29 @@ Example: - "UAC Bypass Using ..." -`informational` and `low` are not intended for everyday use and are subject to many false positives. -The title should therefore be general. +Rules of level `informational` or `low` are not intended to be used to create alerts on their own. Their purpose is to conserve events or criteria of relevance, to be used in correlations or for ideas for threat hunting. A rule of those levels will by definition not create false positives as they should not be used for alerting. + +The title should therefore be general and should not indicate that the rule describes suspicious or malicious behaviour. + Example : `Net.exe Execution` -`medium` rules can have false positives and requires further analysis -Wording : +`medium` rules can have environment dependent false positives and require a tuning/evaluation phase before deploying to production environments. + +Keywords used to indicate this: + - "Potential " -`high` rules requires a prompt review -Wording : +`high` rules requires a prompt review. + +Keywords used to indicate this: + - "Suspicious " -`critical` rules should be reviewed immediately +`critical` rules should be reviewed with the highest priority. + The title must therefore be precise. \ No newline at end of file From 6c0caf123ebae13c78c34ff4e8cf0b5429239eda Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 12 Aug 2023 09:12:07 +0200 Subject: [PATCH 4/7] Update sigmahq/sigmahq_title_rule.md Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- sigmahq/sigmahq_title_rule.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sigmahq/sigmahq_title_rule.md b/sigmahq/sigmahq_title_rule.md index bbe8abc..5123cbc 100644 --- a/sigmahq/sigmahq_title_rule.md +++ b/sigmahq/sigmahq_title_rule.md 
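Review bot: "A rule of those levels will by definition not create false positives as they should not be used for alerting" in the last hunk of PATCH 3/7 (@@ -75,22 +81,29 @@) conflates matches with alerts: an `informational` or `low` rule still matches benign events, it just is not meant to raise an alert on its own, so "will not produce false-positive alerts, because they are not used for alerting" states the intended point without the contradiction. Same hunk: "`high` rules requires a prompt review." should be "require", "environment dependent false positives" wants a hyphen ("environment-dependent"), and "Example :" has a stray space before the colon.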
@@ -70,7 +70,8 @@ title: Invoke-Obfuscation Obfuscated IEX Invocation - System The point of a description is to explain the alert in a meaningful way. -The title does not need to use the terms "Detect", "Detection" or "Detection". +The title does not need to use the terms "Detect" or "Detection". It doesn't have to be a sentence. A keyword style increases the information density. + We use a simple formula to describe the alert. Example: From 4dfc6dc6b9b133831767bf25fcb3081d38af6e66 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 12 Aug 2023 09:12:50 +0200 Subject: [PATCH 5/7] Update sigmahq_title_rule.md --- sigmahq/sigmahq_title_rule.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sigmahq/sigmahq_title_rule.md b/sigmahq/sigmahq_title_rule.md index 5123cbc..72486f3 100644 --- a/sigmahq/sigmahq_title_rule.md +++ b/sigmahq/sigmahq_title_rule.md @@ -28,7 +28,7 @@ The title and level of the rule must be consistent ## Structure -Titles can be split with "-" : `Prefix - Description - Sufix` +Titles can be split with "-" : `Prefix - Main Title - Sufix` ### Prefix (Optional) @@ -107,4 +107,4 @@ Keywords used to indicate this: `critical` rules should be reviewed with the highest priority. -The title must therefore be precise. \ No newline at end of file +The title must therefore be precise. From 0cb3dff2bf9a6634be22fe356ae8f3a024aa990f Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 14 Aug 2023 09:39:38 +0200 Subject: [PATCH 6/7] Update sigmahq/sigmahq_title_rule.md Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- sigmahq/sigmahq_title_rule.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sigmahq/sigmahq_title_rule.md b/sigmahq/sigmahq_title_rule.md index 72486f3..9f9e2e0 100644 --- a/sigmahq/sigmahq_title_rule.md +++ b/sigmahq/sigmahq_title_rule.md 
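Review bot: Changing the structure line to `Prefix - Main Title - Sufix` in the first hunk of PATCH 5/7 (@@ -28,7 +28,7 @@) leaves the document inconsistent, because the matching section is still headed "### Description" and the Summary still links `#description`; rename the heading and the table-of-contents entry in the same commit so the three stay aligned. "Sufix" is touched by this hunk and is still misspelled; "Suffix" would also match the "### Suffix (Optional)" heading below.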
@@ -66,7 +66,8 @@ title: Invoke-Obfuscation Obfuscated IEX Invocation - Security title: Invoke-Obfuscation Obfuscated IEX Invocation - System ``` -### Description +### Main Title + The point of a description is to explain the alert in a meaningful way. From a8c80a398805bd0558892d3d45ebe57163c3d533 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 23 Aug 2023 15:15:56 +0200 Subject: [PATCH 7/7] Update sigmahq_title_rule.md --- sigmahq/sigmahq_title_rule.md | 41 ++++++++++++----------------------- 1 file changed, 14 insertions(+), 27 deletions(-) diff --git a/sigmahq/sigmahq_title_rule.md b/sigmahq/sigmahq_title_rule.md index 9f9e2e0..ddc88e8 100644 --- a/sigmahq/sigmahq_title_rule.md +++ b/sigmahq/sigmahq_title_rule.md @@ -2,48 +2,39 @@ This document provides general guidelines and tips on how to write titles for sigma rules. - Note that this is by no means an exhaustive list. It is meant to be a general guide for inspiration and to have an easily sharable resource for new contributors (e.g. a resource to link at in PR discussions). - - ## Summary - [Summary](#summary) - [Generality](#generality) - [Structure](#structure) - - [Prefix](#prefix) - - [Suffix](#suffix) - - [Description](#description) - + - [Prefix (Optional)](#prefix-optional) + - [Suffix (Optional)](#suffix-optional) + - [Main Title](#main-title) ## Generality Bearing in mind that the title is one of the first things that an analyst will see. It should therefore be used as a clue and be as clear as possible to guide the assessment of the alert. - The title and level of the rule must be consistent - - ## Structure Titles can be split with "-" : `Prefix - Main Title - Sufix` - ### Prefix (Optional) It is used to give a category, type of malware or name a threat actor. The choice depends highly on the type of rule. - Examples: - HackTool - PUA - Remote Access Tool - Specific wording example: + - "ATP27 - " - "ATP29 - " - "UNC2452 - " 
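Review bot: Renaming the heading to "### Main Title" in the single hunk of PATCH 6/7 (@@ -66,7 +66,8 @@) leaves the section's first sentence, the context line "The point of a description is to explain the alert in a meaningful way.", talking about a description; "The point of the main title is to explain the alert in a meaningful way." keeps the terminology consistent, and the Summary entry "[Description](#description)" needs the same rename or the link will dangle.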
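Review bot: The Summary in the first hunk of PATCH 7/7 (@@ -2,48 +2,39 @@) now links `#prefix-optional`, `#suffix-optional` and `#main-title`, which matches the headings, but two earlier review points survive in this hunk's context lines: "Sufix" in `Prefix - Main Title - Sufix` and the fragment "Bearing in mind that the title is one of the first things that an analyst will see." Since this is the last patch of the series and already touches the surrounding lines, both could be fixed here. The "ATP27 - " and "ATP29 - " examples are likewise unchanged; if APT27/APT29 were intended, this is the place to correct them.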
@@ -53,11 +44,8 @@ Specific wording example: Sometimes the detections are duplicated across different `logsource`s with little changes to their logic. This is common in the case of Process Creation rules targeting the PowerShell process. Those rules are typically duplicated for the different PowerShell `logsource`s using ScriptBlockText to check for the same characteristics. A suffix in this case will be used to differentiate between the rules of the different `logsource`s. - - Example: - ```yaml title: Invoke-Obfuscation Obfuscated IEX Invocation title: Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell @@ -68,27 +56,24 @@ title: Invoke-Obfuscation Obfuscated IEX Invocation - System ### Main Title - The point of a description is to explain the alert in a meaningful way. The title does not need to use the terms "Detect" or "Detection". It doesn't have to be a sentence. A keyword style increases the information density. - We use a simple formula to describe the alert. Example: + - "7Zip Compressing ..." - "Add User to ..." - "Bypass UAC Using ..." - "Renamed xxx Execution" - "UAC Bypass Using ..." - Rules of level `informational` or `low` are not intended to be used to create alerts on their own. Their purpose is to conserve events or criteria of relevance, to be used in correlations or for ideas for threat hunting. A rule of those levels will by definition not create false positives as they should not be used for alerting. -The title should therefore be general and should not indicate that the rule describes suspicious or malicious behaviour. +The title should therefore be general and should not indicate that the rule describes suspicious or malicious behavior. - -Example : `Net.exe Execution` +Example : `Net.exe Execution` `medium` rules can have environment dependent false positives and require a tuning/evaluation phase before deploying to production environments. 
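Review bot: In the third hunk of PATCH 7/7 (@@ -68,27 +56,24 @@) the section headed "### Main Title" still opens with "The point of a description is to explain the alert in a meaningful way."; with "Description" gone from the structure line, "description" here will be read as the rule's `description` field rather than the title, so "The point of the main title is ..." would be clearer. The "Example : `Net.exe Execution`" line is rewritten in this hunk but keeps the space before the colon.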
@@ -96,16 +81,18 @@ Keywords used to indicate this: - "Potential " - - `high` rules requires a prompt review. Keywords used to indicate this: - "Suspicious " +`critical` rules should be reviewed immediately +The title must therefore be precise and indicate the specific threat. +Keywords used to indicate this: -`critical` rules should be reviewed with the highest priority. - -The title must therefore be precise. +- "Malware" +- "Exploit" +- "... Attempt" +- " Activity"
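Review bot: The new `critical` keyword list in the last hunk of PATCH 7/7 (@@ -96,16 +81,18 @@) is inconsistent in form: "- "... Attempt"" uses the ellipsis placeholder while "- " Activity"" has only a leading space, so it should read "- "... Activity"" to match (the "Potential " and "Suspicious " entries likewise keep a trailing space to show the keyword is a prefix). The rewritten line "`critical` rules should be reviewed immediately" drops the full stop that the replaced line "`critical` rules should be reviewed with the highest priority." had, and the context line "`high` rules requires a prompt review." still needs "require". It would also help to state whether "Malware" and "Exploit" are meant as prefixes like "HackTool" or as words inside the main title, since the Prefix section already covers category words.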