Generic Signature Format for SIEM Systems
Latest commit ce43dce7ef by Thomas Patzke (2017-02-16 00:40:08 +01:00): Parsing of detections
Transformation of detections into internal data structures. Parsing must be changed later to on-demand parsing because condition can change default behavior of lists.

[Sigma logo]

Sigma

Generic Signature Format for SIEM Systems

What is Sigma?

Sigma is a generic and open signature format that lets you describe relevant log events in a straightforward manner. The rule format is flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers and analysts can describe a detection method they have developed once and share it with others.

[Sigma description diagram]

This repository contains:

  • The Sigma rule specification in the Wiki
  • An open repository of Sigma signatures in the ./rules subfolder
  • A converter that generates searches/queries for different SIEM systems [in development]

Converter

The converter is written in Python 3 and requires PyYAML. Invoke it with --help for usage instructions.
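To make the rule format and the converter described above concrete, here is an added example (not code from the Sigma repository or its author): a small Python 3 program that takes a Sigma-style detection, parses its condition into an AST, and then uses that one AST for two backends, an in-process matcher run over constructed Sysmon events and a Splunk-style query generator. The rule itself, the key names, the allowlisted source images and the sample events are all constructed assumptions for illustration; the rule is embedded as the dict that yaml.safe_load() would return so the example runs without PyYAML.

```python
r"""Illustrative Sigma-style rule, constructed for this example (not one of the
repository's rules; key names assumed to follow the public Sigma layout). In YAML:
    detection:
        selection: {EventID: 8, TargetImage: '*\lsass.exe'}   # Sysmon CreateRemoteThread
        filter:      # assumed allowlist; a value list is OR-ed by default
            SourceImage: ['C:\Windows\System32\csrss.exe', 'C:\Windows\System32\wininit.exe']
        condition: selection and not filter
DETECTION below is what yaml.safe_load() returns, embedded so this runs without PyYAML.
"""
import fnmatch
import re

DETECTION = {
    "selection": {"EventID": 8, "TargetImage": "*\\lsass.exe"},
    "filter": {"SourceImage": ["C:\\Windows\\System32\\csrss.exe", "C:\\Windows\\System32\\wininit.exe"]},
    "condition": "selection and not filter",
}
TOKEN = re.compile(r"\(|\)|[A-Za-z_]\w*")

def parse_condition(text):
    """Recursive descent over e.g. 'a and (b or not c)'; precedence not > and > or."""
    toks = TOKEN.findall(text)
    def expr():
        node = term()
        while toks and toks[0] == "or":
            toks.pop(0)
            node = ("or", node, term())
        return node
    def term():
        node = factor()
        while toks and toks[0] == "and":
            toks.pop(0)
            node = ("and", node, factor())
        return node
    def factor():
        tok = toks.pop(0) if toks else None
        if tok == "not":
            return ("not", factor())
        if tok == "(":
            node = expr()
            if not toks or toks.pop(0) != ")":
                raise ValueError("missing ')' in condition")
            return node
        if tok is None or tok in ("and", "or", ")"):
            raise ValueError("bad condition near %r" % tok)
        return ("id", tok)
    node = expr()
    if toks:  # e.g. 'selection filter' with the operator forgotten must not pass silently
        raise ValueError("trailing tokens in condition: " + " ".join(toks))
    return node

def selection_matches(sel, event):
    """Map = AND of its fields; a list value = OR of alternatives. Strings get
    case-insensitive * and ? wildcards; other scalars compare as text."""
    def hit(pattern, value):
        if isinstance(pattern, str):
            return fnmatch.fnmatchcase(str(value).lower(), pattern.lower())
        return str(value) == str(pattern)
    for field, wanted in sel.items():
        alts = wanted if isinstance(wanted, list) else [wanted]
        if field not in event or not any(hit(p, event[field]) for p in alts):
            return False
    return True

def evaluate(node, det, event):
    """Matcher backend: run the condition AST against one event dict."""
    op = node[0]
    if op == "id":
        return selection_matches(det[node[1]], event)
    if op == "not":
        return not evaluate(node[1], det, event)
    left, right = evaluate(node[1], det, event), evaluate(node[2], det, event)
    return (left and right) if op == "and" else (left or right)

def to_splunk(node, det):
    """Query backend: the same AST as a Splunk-style key=value search. Only '*' carries
    over as a wildcard; selections are parenthesised because Splunk binds OR before AND."""
    op = node[0]
    if op == "not":
        return "NOT " + to_splunk(node[1], det)
    if op != "id":
        return "(%s %s %s)" % (to_splunk(node[1], det), op.upper(), to_splunk(node[2], det))
    parts = []
    for field, wanted in det[node[1]].items():
        alts = wanted if isinstance(wanted, list) else [wanted]
        clause = " OR ".join("%s=%s" % (field, v if isinstance(v, int) else '"%s"' % v) for v in alts)
        parts.append("(%s)" % clause if len(alts) > 1 else clause)
    return "(%s)" % " AND ".join(parts) if len(parts) > 1 else parts[0]

def match_rule(det, event):
    return evaluate(parse_condition(det["condition"]), det, event)

def convert_rule(det):
    return to_splunk(parse_condition(det["condition"]), det)

# Constructed Sysmon events, reduced to the fields the rule looks at.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\mimi.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
    {"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
]
```

Calling convert_rule(DETECTION) yields the Splunk-style search string and match_rule(DETECTION, e) for the three sample events yields True, False, False: the unknown source image injecting into lsass.exe fires, the allowlisted csrss.exe is removed by the filter, and the EventID 10 event never satisfies the selection. Keeping one parsed condition and swapping only the leaf emitter is what lets the same rule feed both a detection engine and a SIEM query; aggregation and the "N of" condition forms are outside this example.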

Slides

See the first slide deck that I prepared for a private conference in mid January 2017.

Sigma - Make Security Monitoring Great Again

Specification

The specifications can be found in the Wiki.

The current specification can be seen as a proposal. Feedback is requested.

Examples

The following rules are shown as screenshots in the repository:

  • Windows 'Security' Eventlog: Access to LSASS Process with Certain Access Mask / Object Type (experimental)
  • Sysmon: Remote Thread Creation in LSASS Process
  • Web Server Access Logs: Web Shell Detection
  • Sysmon: Web Shell Detection
  • Windows 'Security' Eventlog: Suspicious Number of Failed Logons from a Single Source Workstation

Next Steps

  • Creation of a reasonable set of sample rules
  • Release of the first rule converters for Elasticsearch and Splunk
  • Integration of feedback into the rule specifications
  • Collecting rule input from fellow researchers and analysts
  • Attempts to convince others to use the rule format in their reports, threat feeds, blog posts and threat sharing platforms