Suggestion: Default to Unquoted Strings in Sigma Specification

[Res260]

The YAML specification 1.2.2 (latest) specifies:

1.1. Goals
The design goals for YAML are, in decreasing priority:
1 YAML should be easily readable by humans.
2 YAML data should be portable between programming languages.
3 YAML should match the native data structures of dynamic languages.
4 YAML should have a consistent model to support generic tools.
5 YAML should support one-pass processing.
6 YAML should be expressive and extensible.
7 YAML should be easy to implement and use.

Regarding strings, it also specifies:

The plain (unquoted) style has no identifying indicators and provides no form of escaping. It is therefore the most readable, most limited and most context sensitive style.

However, the Sigma specification asks for quotes for strings:

The rule files are written in yaml format To keep the rules interoperable use the following:

• UTF-8
• LF for the line break (the Windows native editor uses CR-LF)
• Indentation of 4 spaces
• Lowercase keys (e.g. title, id, etc.)
• Single quotes ' for strings and numeric values don't use any quotes (if the string contains a single quote, double quotes may be used instead)

However, this only seems respected in the selections block of the rules, as seen in the example rule:

title: Whoami Execution
description: Detects a whoami.exe execution
references:
      - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
author: Florian Roth
date: 2019/10/23
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image: 'C:\Windows\System32\whoami.exe'      <-- ***Here***
    condition: selection
level: high

Since punctuation like quotes adds clutter to the rule, that all the fields in the rules don't use quotes for this reason, and to respect the first goal of YAML, I suggest that the specification changes its guideline to the following:

The rule files are written in yaml format To keep the rules interoperable use the following:
[...]

• Do not use any quote for strings, unless it contains # ' ", it starts or end by white space caracters or the string starts with any of these caracters: : ? [ ] { } , & * ! | > % @ \n \r \t. To use line feed (\n) or tab caracters (\t), use double quotes ". For any other case, use single quotes '.

Example:

title: Test rule
description: Test rule for specification
author: Émilio Gonzalez
date: 2023/07/19
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image: C:\Windows\System32\whoami.exe
        FileName: whoami.exe
        Author: "'threatactor1\t"
        DateWritten: 2023-01-14 12:34:56
        SomeOtherField: ':something:'
    condition: selection
level: high

This example is made to have all the quote possibilities, but realistically, the vast majority of rules do not require quotes at all, which would make most sigma rules more readable.