mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 01:45:21 +00:00

Generic Signature Format for SIEM Systems

Go to file

Florian Roth a6173df0b9 LSASS Remote Thread Update		2017-02-12 16:33:09 +01:00
images	Screenshot Update	2017-02-12 16:32:52 +01:00
rules	LSASS Remote Thread Update	2017-02-12 16:33:09 +01:00
.gitignore	The poor VI(M) users with their swp's!	2017-01-11 20:44:47 +01:00
LICENSE	Initial commit	2016-12-24 10:48:49 +01:00
README.md	Added 'Network Scan' rule (#1 )	2017-02-08 12:41:32 +01:00

README.md

Sigma

Generic Signature Format for SIEM Systems

What is Sigma?

Sigma is a generic and open signature format that allows you to describe relevant log events in a straight forward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.

This repository contains:

Sigma rule specification in the Wiki
Open repository for sigma signatures in the ./rulessubfolder
Collection of converters that generate searches/queries for different SIEM systems [Pending]

Slides

See the first slide deck that I prepared for a private conference in mid January 2017.

Sigma - Make Security Monitoring Great Again

Specification

The specifications can be found in the Wiki.

The current specification can be seen as a proposal. Feedback is requested.

Next Steps

Creation of a reasonable set of sample rules
Release of the first rule converters for Elastic Search and Splunk
Integration of feedback into the rule specifications
Collecting rule input from fellow researchers and analysts
Attempts to convince others to use the rule format in their reports, threat feeds, blog posts, threat sharing platforms