- Common, vendor-agnostic language for detections
- Avoid vendor lock-in
- Support multiple SIEMs from one rule
Info from: SOC Prime - see https://socprime.com/blog/sigma-rules-the-beginners-guide/
Sharing a SIGMA rule lets anyone ingest it and convert it to the query language their own SIEM requires (sigmac / sigma-cli do the conversion).
As of August 2022 - No support for Cylance
SIGMA rules are YAML-based. SOC Prime has a large public repository and covers
The logsource and detection sections are what actually gets converted into a query; the rest (title, id, description, level, tags, ...) is just metadata.
- Security Talks with SOC Prime: All About SIGMA - by Adam Swan of SOC Prime (YouTube and SOC Prime)
- How To Write SIGMA Rules - by Florian Roth
- A Guide to Generic Log Sources in SIGMA - by Thomas Patzke
- About 90% of rules are plain matching: does field A contain Z? Does it start with or end with a value? etc.
- Some rules also need correlation/aggregation: does field A contain value Y more than twice within 1 minute? Only some backends/vendors can express this, so such rules do not convert everywhere.
detection:
    selection:
        fieldA|contains: 'x'
    banana:
        fieldB|endswith: 'y'
    filter:
        fieldC|startswith: 'z'
    condition: (selection or banana) and not filter
Selection names such as selection, banana and filter are arbitrary labels; the condition is the only place that refers to them, and it is written on one line with lowercase and/or/not as in the spec examples.
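The detection section above, run as code. This is an added example, not code from the page, from SOC Prime or from the Sigma project: a small Python evaluator that applies the contains / startswith / endswith modifiers, combines the named selections through the condition (the plain matching that covers most rules), and then checks the "more than N hits within a window" correlation case over constructed sample events. The rule is hard-coded as the dict a YAML loader would produce from it (with the field name read as fieldC); the ts and host fields, the EVENTS data and the function names are assumptions made for this example. Real conversion to SIEM queries is done by sigma-cli / pySigma, which this does not replace.

```python
import re

# The detection section from the rule above, as the dict a YAML loader would
# produce from it (field name read as fieldC).
DETECTION = {
    "selection": {"fieldA|contains": "x"},
    "banana": {"fieldB|endswith": "y"},
    "filter": {"fieldC|startswith": "z"},
    "condition": "(selection or banana) and not filter",
}

# Constructed sample events (not real telemetry); "ts" is seconds.
EVENTS = [
    {"ts": 0,  "host": "h1", "fieldA": "foo-x-bar", "fieldB": "abc", "fieldC": "ok"},   # selection
    {"ts": 10, "host": "h1", "fieldA": "nothing",   "fieldB": "key", "fieldC": "ok"},   # banana
    {"ts": 20, "host": "h1", "fieldA": "xx",        "fieldB": "abc", "fieldC": "zzz"},  # hit, but filtered out
    {"ts": 30, "host": "h2", "fieldA": "clean",     "fieldB": "abc", "fieldC": "ok"},   # no match
    {"ts": 40, "host": "h1", "fieldA": "X",         "fieldB": "abc"},                   # selection; fieldC absent
]

MODIFIERS = {  # Sigma string modifiers, applied to lower-cased strings
    "": lambda actual, expected: actual == expected,  # plain "field: value"
    "contains": lambda actual, expected: expected in actual,
    "startswith": lambda actual, expected: actual.startswith(expected),
    "endswith": lambda actual, expected: actual.endswith(expected),
}

def selection_matches(selection, event):
    """All pairs in a selection must match (AND); a list of values for one
    field matches if any value does (OR). A missing field never matches."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        actual = str(event[field]).lower()  # Sigma matching is case-insensitive
        values = expected if isinstance(expected, list) else [expected]
        if not any(MODIFIERS[modifier](actual, str(v).lower()) for v in values):
            return False
    return True

def eval_condition(cond, results):
    """Recursive-descent evaluation of a Sigma condition: and / or / not,
    parentheses and selection names. 'x of ...' forms are not handled here."""
    tokens = re.findall(r"\(|\)|\w+", cond)
    pos = [0]  # cursor shared by the nested parsers
    def tok(consume=True):
        current = tokens[pos[0]] if pos[0] < len(tokens) else None
        pos[0] += consume  # bool: advance only when consuming
        return current
    def parse_or():
        value = parse_and()
        while tok(False) == "or":
            tok()
            value = parse_and() or value
        return value
    def parse_and():
        value = parse_not()
        while tok(False) == "and":
            tok()
            value = parse_not() and value
        return value
    def parse_not():
        if tok(False) == "not":
            tok()
            return not parse_not()
        current = tok()
        if current == "(":
            value = parse_or()
            if tok() != ")":
                raise ValueError("missing ')' in condition")
            return value
        if current not in results:  # also rejects None, ')', 'and', 'or'
            raise ValueError(f"unexpected token {current!r} in condition")
        return results[current]
    value = parse_or()
    if pos[0] != len(tokens):
        raise ValueError("trailing tokens in condition")
    return value

def rule_matches(detection, event):
    """Evaluate every named selection, then combine them via the condition."""
    results = {n: selection_matches(s, event) for n, s in detection.items() if n != "condition"}
    return eval_condition(detection["condition"], results)

def exceeds_count(detection, events, window_s, threshold, group_by=None):
    """Correlation-style check: True when more than `threshold` matching events
    fall inside one `window_s`-second window (per group_by value if given)."""
    recent = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not rule_matches(detection, ev):
            continue
        window = recent.setdefault(ev.get(group_by) if group_by else None, [])
        window.append(ev["ts"])
        while ev["ts"] - window[0] > window_s:  # drop hits older than the window
            window.pop(0)
        if len(window) > threshold:
            return True
    return False
```

Running rule_matches over EVENTS flags events 0, 1 and 4 (event 2 matches the selection but is removed by the filter; event 4 matches because a missing fieldC can never satisfy the filter). exceeds_count(DETECTION, EVENTS, 60, 2, "host") is the "more than twice in 1 minute, per host" question from the notes: it is the kind of logic that Sigma's count aggregation with a timeframe expresses, and exactly the part many backends cannot compile.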