SigmaHQ/README.md

[![Build Status](https://travis-ci.org/Neo23x0/sigma.svg?branch=master)](https://travis-ci.org/Neo23x0/sigma)

![sigma_logo](./images/Sigma_0.3.png)

# Sigma

Generic Signature Format for SIEM Systems

# What is Sigma

Sigma is a generic and open signature format that allows you to describe relevant log events in a straight forward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.

Sigma is for log files what [Snort](https://www.snort.org/) is for network traffic and [YARA](https://github.com/VirusTotal/yara) is for files.

This repository contains:

* Sigma rule specification in the [Wiki](https://github.com/Neo23x0/sigma/wiki/Specification)
* Open repository for sigma signatures in the `./rules`subfolder
* A converter that generate searches/queries for different SIEM systems [work in progress]

![sigma_description](./images/Sigma-description.png)

## Hack.lu 2017 Talk

[![Sigma - Generic Signatures for Log Events](https://preview.ibb.co/cMCigR/Screen_Shot_2017_10_18_at_15_47_15.png)](https://www.youtube.com/watch?v=OheVuE9Ifhs "Sigma - Generic Signatures for Log Events")

# Use Cases

* Describe your detection method in Sigma to make it sharable
* Write and your SIEM searches in Sigma to avoid a vendor lock-in
* Share the signature in the appendix of your analysis along with IOCs and YARA rules
* Share the signature in threat intel communities - e.g. via MISP
* Provide Sigma signatures for malicious behaviour in your own application

# Why Sigma

Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and build their own searches and dashboard. Some of their searches and correlations are great and very useful but they lack a standardized format in which they can share their work with others. 

Others provide excellent analyses, include IOCs and YARA rules to detect the malicious files and network connections, but have no way to describe a specific or generic detection method in log events. Sigma is meant to be an open standard in which such detection mechanisms can be defined, shared and collected in order to improve the detection capabilities for everyone. 

## Slides

See the first slide deck that I prepared for a private conference in mid January 2017.

[Sigma - Make Security Monitoring Great Again](https://www.slideshare.net/secret/gvgxeXoKblXRcA)

# Specification

The specifications can be found in the [Wiki](https://github.com/Neo23x0/sigma/wiki/Specification). 

The current specification is a proposal. Feedback is requested.

# Getting Started

## Rule Creation

Florian wrote a short [rule creation tutorial](https://www.nextron-systems.com/2018/02/10/write-sigma-rules/) that can help you getting started.

## Rule Usage 

1. Download or clone the respository
2. Check the `./rules` sub directory for an overview on the rule base
3. Run `python sigmac --help` in folder `./tools` to get a help on the rule converter
4. Convert a rule of your choice with `sigmac` like `python sigmac -t splunk ../rules/windows/builtin/win_susp_process_creations.yml`
5. Convert a whole rule directory with `python sigmac -t splunk -r ../rules/proxy/`
6. Check the `./tools/config` folder and the [wiki](https://github.com/Neo23x0/sigma/wiki/Converter-Tool-Sigmac) if you need custom field or log source mappings in your environment

# Examples

Windows 'Security' Eventlog: Access to LSASS Process with Certain Access Mask / Object Type (experimental)
![sigma_rule example2](./images/Sigma_rule_example2.png)

Sysmon: Remote Thread Creation in LSASS Process
![sigma_rule example1](./images/Sigma_rule_example1.png)

Web Server Access Logs: Web Shell Detection
![sigma_rule example3](./images/Sigma_rule_example3.png)

Sysmon: Web Shell Detection
![sigma_rule example4](./images/Sigma_rule_example4.png)

Windows 'Security' Eventlog: Suspicious Number of Failed Logons from a Single Source Workstation
![sigma_rule example5](./images/Sigma_rule_example5.png)

# Sigma Tools 

## Sigmac 

Sigmac converts sigma rules into queries or inputs of the supported targets listed below. It acts as a frontend to the
Sigma library that may be used to integrate Sigma support in other projects. Further, there's `merge_sigma.py` which
merges multiple YAML documents of a Sigma rule collection into simple Sigma rules.

![sigmac_converter](./images/Sigmac-win_susp_rc4_kerberos.png)

### Supported Targets

* [Splunk](https://www.splunk.com/) (plainqueries and dashboards)
* [ElasticSearch Query Strings](https://www.elastic.co/)
* [ElasticSearch Query DSL](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl.html)
* [Kibana](https://www.elastic.co/de/products/kibana)
* [Elastic X-Pack Watcher](https://www.elastic.co/guide/en/x-pack/current/xpack-alerting.html)
* [Logpoint](https://www.logpoint.com)
* [Windows Defender Advanced Threat Protection (WDATP)](https://www.microsoft.com/en-us/windowsforbusiness/windows-atp)
* [ArcSight](https://software.microfocus.com/en-us/products/siem-security-information-event-management/overview)
* [QRadar](https://www.ibm.com/de-de/marketplace/ibm-qradar-siem)
* [Qualys](https://www.qualys.com/apps/threat-protection/)
* [PowerShell](https://docs.microsoft.com/en-us/powershell/scripting/getting-started/getting-started-with-windows-powershell?view=powershell-6)
* [Grep](https://www.gnu.org/software/grep/manual/grep.html) with Perl-compatible regular expression support

Current work-in-progress
* [Splunk Data Models](https://docs.splunk.com/Documentation/Splunk/7.1.0/Knowledge/Aboutdatamodels)

New targets are continuously developed. You can get a list of supported targets with `sigmac --target-list` or `sigmac -l`.

### Requirements

The usage of Sigmac (the Sigma Rule Converter) or the underlying library requires Python >= 3.5 and PyYAML.

### Installation

It's available on PyPI. Install with:

```bash
pip3 install sigmatools
```

Alternatively, if used from the Sigma Github repository, the Python dependencies can be installed with:

```bash
pip3 install -r tools/requirements.txt
```

For development (e.g. execution of integration tests with `make` and packaging), further dependencies are required and can be installed with:

```bash
pip3 install -r tools/requirements-devel.txt
```

## Evt2Sigma

[Evt2Sigma](https://github.com/Neo23x0/evt2sigma) helps you with the rule creation. It generates a Sigma rule from a log entry. 

## Contributed Scripts

The directory `contrib` contains scripts that were contributed by the community:

* `sigma2elastalert.py`i by David Routin: A script that converts Sigma rules to Elastalert configurations. This tool
  uses *sigmac* and expects it in its path.

These tools are not part of the main toolchain and maintained separately by their authors.

# Next Steps

* Integration of MITRE ATT&CK framework identifier to the rule set
* Integration into Threat Intel Exchanges
* Attempts to convince others to use the rule format in their reports, threat feeds, blog posts, threat sharing platforms

# Projects that use Sigma

* [MISP](http://www.misp-project.org/2017/03/26/MISP.2.4.70.released.html) (since version 2.4.70, March 2017)
* [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App)
* [SOC Prime - Sigma Rule Editor](https://tdm.socprime.com/sigma/)
* [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing 
* [uncoder.io](https://uncoder.io/) - Online Translator for SIEM Searches
* [SPARK](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints

# Licenses

The content of this repository is released under the following licenses:

* The toolchain (everything under `tools/`) is licensed under the [GNU Lesser General Public License](https://www.gnu.org/licenses/lgpl-3.0.en.html).
* The [Sigma specification](https://github.com/Neo23x0/sigma/wiki) is public domain.
* Everything else, especially the rules contained in the `rules/` directory is released under the [GNU General Public License](https://www.gnu.org/licenses/gpl-3.0.en.html).

# Credits

This is a private project mainly developed by Florian Roth and Thomas Patzke with feedback from many fellow analysts and friends. Rules are our own or have been drived from blog posts, tweets or other public sources that are referenced in the rules.

Copyright for Tree Image: [studiobarcelona / 123RF Stock Photo](http://www.123rf.com/profile_studiobarcelona)
Changed Travis status image URL to main repository 2017-08-07 06:38:07 +00:00			`[![Build Status](https://travis-ci.org/Neo23x0/sigma.svg?branch=master)](https://travis-ci.org/Neo23x0/sigma)`
formatting 2017-07-30 15:48:34 +00:00
Update README.md 2016-12-24 10:56:10 +00:00			`![sigma_logo](./images/Sigma_0.3.png)`

Update README.md 2016-12-26 01:23:34 +00:00			`# Sigma`
README Update: Rule creation tutorial, smaller fixes 2018-02-10 14:24:43 +00:00
README Update 2017-02-06 19:03:57 +00:00			`Generic Signature Format for SIEM Systems`
Update README.md 2016-12-26 01:23:34 +00:00
README Update: Rule creation tutorial, smaller fixes 2018-02-10 14:24:43 +00:00			`# What is Sigma`
Update README.md 2016-12-26 01:23:34 +00:00
Update README.md 2017-02-06 23:24:10 +00:00			`Sigma is a generic and open signature format that allows you to describe relevant log events in a straight forward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.`
Update README.md 2016-12-26 10:14:15 +00:00
Added Thomas' hack.lu talk 2017-10-18 13:51:58 +00:00			`Sigma is for log files what [Snort](https://www.snort.org/) is for network traffic and [YARA](https://github.com/VirusTotal/yara) is for files.`
Update README.md 2016-12-26 01:23:34 +00:00
Update README.md 2017-02-06 23:24:10 +00:00			`This repository contains:`

			`* Sigma rule specification in the [Wiki](https://github.com/Neo23x0/sigma/wiki/Specification)`
Reduced tests to supported Python versions and improved README 2017-12-07 21:17:45 +00:00			* Open repository for sigma signatures in the `./rules`subfolder
Merge branch 'master' into devel-sigmac 2017-02-19 21:15:18 +00:00			`* A converter that generate searches/queries for different SIEM systems [work in progress]`
Mayor update Why Sigma, intro changed 2017-02-19 10:03:30 +00:00
Updated README 2018-03-20 22:54:00 +00:00			`![sigma_description](./images/Sigma-description.png)`

Added Thomas' hack.lu talk 2017-10-18 13:51:58 +00:00			`## Hack.lu 2017 Talk`

			`[![Sigma - Generic Signatures for Log Events](https://preview.ibb.co/cMCigR/Screen_Shot_2017_10_18_at_15_47_15.png)](https://www.youtube.com/watch?v=OheVuE9Ifhs "Sigma - Generic Signatures for Log Events")`

Mayor update Why Sigma, intro changed 2017-02-19 10:03:30 +00:00			`# Use Cases`

Updated README 2018-06-25 16:29:02 +00:00			`* Describe your detection method in Sigma to make it sharable`
			`* Write and your SIEM searches in Sigma to avoid a vendor lock-in`
			`* Share the signature in the appendix of your analysis along with IOCs and YARA rules`
Mayor update Why Sigma, intro changed 2017-02-19 10:03:30 +00:00			`* Share the signature in threat intel communities - e.g. via MISP`
Updated README 2018-06-25 16:29:02 +00:00			`* Provide Sigma signatures for malicious behaviour in your own application`
Mayor update Why Sigma, intro changed 2017-02-19 10:03:30 +00:00
			`# Why Sigma`

			`Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and build their own searches and dashboard. Some of their searches and correlations are great and very useful but they lack a standardized format in which they can share their work with others.`
Update README.md 2017-02-06 23:24:10 +00:00
Updated README 2018-06-25 16:29:02 +00:00			`Others provide excellent analyses, include IOCs and YARA rules to detect the malicious files and network connections, but have no way to describe a specific or generic detection method in log events. Sigma is meant to be an open standard in which such detection mechanisms can be defined, shared and collected in order to improve the detection capabilities for everyone.`
Mayor update Why Sigma, intro changed 2017-02-19 10:03:30 +00:00
			`## Slides`
Update README.md 2017-02-06 23:24:37 +00:00
README Update 2017-02-06 19:03:57 +00:00			`See the first slide deck that I prepared for a private conference in mid January 2017.`

			`[Sigma - Make Security Monitoring Great Again](https://www.slideshare.net/secret/gvgxeXoKblXRcA)`

README Update Specs 1 2017-01-07 21:39:06 +00:00			`# Specification`

Update README.md 2017-02-06 23:24:10 +00:00			`The specifications can be found in the [Wiki](https://github.com/Neo23x0/sigma/wiki/Specification).`
README Update 2017-02-06 19:03:57 +00:00
Update README.md 2017-03-01 07:55:06 +00:00			`The current specification is a proposal. Feedback is requested.`
README Update 2017-02-06 19:03:57 +00:00
README Update: Rule creation tutorial, smaller fixes 2018-02-10 14:24:43 +00:00			`# Getting Started`

Updated README 2018-06-25 16:29:02 +00:00			`## Rule Creation`

README Update: Rule creation tutorial, smaller fixes 2018-02-10 14:24:43 +00:00			`Florian wrote a short [rule creation tutorial](https://www.nextron-systems.com/2018/02/10/write-sigma-rules/) that can help you getting started.`

Updated README 2018-06-25 16:29:02 +00:00			`## Rule Usage`

			`1. Download or clone the respository`
			2. Check the `./rules` sub directory for an overview on the rule base
			3. Run `python sigmac --help` in folder `./tools` to get a help on the rule converter
			4. Convert a rule of your choice with `sigmac` like `python sigmac -t splunk ../rules/windows/builtin/win_susp_process_creations.yml`
			5. Convert a whole rule directory with `python sigmac -t splunk -r ../rules/proxy/`
			6. Check the `./tools/config` folder and the [wiki](https://github.com/Neo23x0/sigma/wiki/Converter-Tool-Sigmac) if you need custom field or log source mappings in your environment

New Screenshot Section in README 2017-02-12 16:10:48 +00:00			`# Examples`

			`Windows 'Security' Eventlog: Access to LSASS Process with Certain Access Mask / Object Type (experimental)`
			`![sigma_rule example2](./images/Sigma_rule_example2.png)`

			`Sysmon: Remote Thread Creation in LSASS Process`
			`![sigma_rule example1](./images/Sigma_rule_example1.png)`

			`Web Server Access Logs: Web Shell Detection`
			`![sigma_rule example3](./images/Sigma_rule_example3.png)`

			`Sysmon: Web Shell Detection`
			`![sigma_rule example4](./images/Sigma_rule_example4.png)`

			`Windows 'Security' Eventlog: Suspicious Number of Failed Logons from a Single Source Workstation`
			`![sigma_rule example5](./images/Sigma_rule_example5.png)`

Updated README 2018-06-25 16:29:02 +00:00			`# Sigma Tools`
Evt2Sigma 2018-05-28 07:13:08 +00:00
			`## Sigmac`
Reduced tests to supported Python versions and improved README 2017-12-07 21:17:45 +00:00
			`Sigmac converts sigma rules into queries or inputs of the supported targets listed below. It acts as a frontend to the`
			Sigma library that may be used to integrate Sigma support in other projects. Further, there's `merge_sigma.py` which
			`merges multiple YAML documents of a Sigma rule collection into simple Sigma rules.`
Sigmac Screenshot 2017-03-01 07:48:39 +00:00
			`![sigmac_converter](./images/Sigmac-win_susp_rc4_kerberos.png)`

Reduced tests to supported Python versions and improved README 2017-12-07 21:17:45 +00:00			`### Supported Targets`
Brought README up-to-date with the newest devs 2017-03-27 08:46:43 +00:00
Updated backends in README 2018-07-17 21:34:53 +00:00			`* [Splunk](https://www.splunk.com/) (plainqueries and dashboards)`
			`* [ElasticSearch Query Strings](https://www.elastic.co/)`
README Update 2018-05-12 06:33:31 +00:00			`* [ElasticSearch Query DSL](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl.html)`
Updated README 2018-03-20 22:54:00 +00:00			`* [Kibana](https://www.elastic.co/de/products/kibana)`
Reduced tests to supported Python versions and improved README 2017-12-07 21:17:45 +00:00			`* [Elastic X-Pack Watcher](https://www.elastic.co/guide/en/x-pack/current/xpack-alerting.html)`
Brought README up-to-date with the newest devs 2017-03-27 08:46:43 +00:00			`* [Logpoint](https://www.logpoint.com)`
Added WDATP in the list of supported backends 2018-06-25 16:09:21 +00:00			`* [Windows Defender Advanced Threat Protection (WDATP)](https://www.microsoft.com/en-us/windowsforbusiness/windows-atp)`
Updated backends in README 2018-07-17 21:34:53 +00:00			`* [ArcSight](https://software.microfocus.com/en-us/products/siem-security-information-event-management/overview)`
			`* [QRadar](https://www.ibm.com/de-de/marketplace/ibm-qradar-siem)`
			`* [Qualys](https://www.qualys.com/apps/threat-protection/)`
Added PowerShell as target, updated project list 2018-09-24 11:44:14 +00:00			`* [PowerShell](https://docs.microsoft.com/en-us/powershell/scripting/getting-started/getting-started-with-windows-powershell?view=powershell-6)`
			`* [Grep](https://www.gnu.org/software/grep/manual/grep.html) with Perl-compatible regular expression support`
Updated README 2018-03-20 22:54:00 +00:00
README Update 2018-05-12 06:33:31 +00:00			`Current work-in-progress`
			`* [Splunk Data Models](https://docs.splunk.com/Documentation/Splunk/7.1.0/Knowledge/Aboutdatamodels)`

			New targets are continuously developed. You can get a list of supported targets with `sigmac --target-list` or `sigmac -l`.
Brought README up-to-date with the newest devs 2017-03-27 08:46:43 +00:00
Reduced tests to supported Python versions and improved README 2017-12-07 21:17:45 +00:00			`### Requirements`

Updated README 2018-06-25 16:29:02 +00:00			`The usage of Sigmac (the Sigma Rule Converter) or the underlying library requires Python >= 3.5 and PyYAML.`
Reduced tests to supported Python versions and improved README 2017-12-07 21:17:45 +00:00
PyPI release documentation 2017-12-08 23:23:34 +00:00			`### Installation`

			`It's available on PyPI. Install with:`

README Update: Rule creation tutorial, smaller fixes 2018-02-10 14:24:43 +00:00			```bash
PyPI release documentation 2017-12-08 23:23:34 +00:00			`pip3 install sigmatools`
			```

Updated README 2018-03-20 22:54:00 +00:00			`Alternatively, if used from the Sigma Github repository, the Python dependencies can be installed with:`

			```bash
			`pip3 install -r tools/requirements.txt`
			```

			For development (e.g. execution of integration tests with `make` and packaging), further dependencies are required and can be installed with:

			```bash
			`pip3 install -r tools/requirements-devel.txt`
			```

Updated README 2018-06-25 16:29:02 +00:00			`## Evt2Sigma`

			`[Evt2Sigma](https://github.com/Neo23x0/evt2sigma) helps you with the rule creation. It generates a Sigma rule from a log entry.`

Added notice regarding contributed tools 2018-03-04 19:55:55 +00:00			`## Contributed Scripts`

			The directory `contrib` contains scripts that were contributed by the community:

			* `sigma2elastalert.py`i by David Routin: A script that converts Sigma rules to Elastalert configurations. This tool
			`uses sigmac and expects it in its path.`

			`These tools are not part of the main toolchain and maintained separately by their authors.`

README Update: Rule creation tutorial, smaller fixes 2018-02-10 14:24:43 +00:00			`# Next Steps`
README Update Specs 1 2017-01-07 21:39:06 +00:00
Updated README 2018-06-25 16:29:02 +00:00			`* Integration of MITRE ATT&CK framework identifier to the rule set`
MISP added 2018-05-28 07:15:48 +00:00			`* Integration into Threat Intel Exchanges`
New Screenshot Section in README 2017-02-12 16:10:48 +00:00			`* Attempts to convince others to use the rule format in their reports, threat feeds, blog posts, threat sharing platforms`
Mayor update Why Sigma, intro changed 2017-02-19 10:03:30 +00:00
Brought README up-to-date with the newest devs 2017-03-27 08:46:43 +00:00			`# Projects that use Sigma`

MISP added 2018-05-28 07:15:48 +00:00			`* [MISP](http://www.misp-project.org/2017/03/26/MISP.2.4.70.released.html) (since version 2.4.70, March 2017)`
Brought README up-to-date with the newest devs 2017-03-27 08:46:43 +00:00			`* [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App)`
Updated README 2018-06-25 16:29:02 +00:00			`* [SOC Prime - Sigma Rule Editor](https://tdm.socprime.com/sigma/)`
Update README.md 2018-06-25 16:58:05 +00:00			`* [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing`
Added PowerShell as target, updated project list 2018-09-24 11:44:14 +00:00			`* [uncoder.io](https://uncoder.io/) - Online Translator for SIEM Searches`
Added SPARK Sigma rule scan feature to list 2018-06-28 14:28:07 +00:00			`* [SPARK](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints`
Re-licensing toolchain under LGPLv3 Thanks to Ben de Haan and Devin Ferguson for permission for this change. 2017-12-07 20:55:43 +00:00
			`# Licenses`

			`The content of this repository is released under the following licenses:`

			* The toolchain (everything under `tools/`) is licensed under the [GNU Lesser General Public License](https://www.gnu.org/licenses/lgpl-3.0.en.html).
			`* The [Sigma specification](https://github.com/Neo23x0/sigma/wiki) is public domain.`
			* Everything else, especially the rules contained in the `rules/` directory is released under the [GNU General Public License](https://www.gnu.org/licenses/gpl-3.0.en.html).
Updated README 2018-06-25 16:29:02 +00:00
			`# Credits`

			`This is a private project mainly developed by Florian Roth and Thomas Patzke with feedback from many fellow analysts and friends. Rules are our own or have been drived from blog posts, tweets or other public sources that are referenced in the rules.`

			`Copyright for Tree Image: [studiobarcelona / 123RF Stock Photo](http://www.123rf.com/profile_studiobarcelona)`