Generic Signature Format for SIEM Systems
What is Sigma
Sigma is a generic and open signature format that allows you to describe relevant log events in a straight forward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.
This repository contains:
- Sigma rule specification in the Wiki
- Open repository for sigma signatures in the
- A converter that generate searches/queries for different SIEM systems [work in progress]
Hack.lu 2017 Talk
- Describe your detection method in Sigma to make it sharable
- Write and your SIEM searches in Sigma to avoid a vendor lock-in
- Share the signature in the appendix of your analysis along with IOCs and YARA rules
- Share the signature in threat intel communities - e.g. via MISP
- Provide Sigma signatures for malicious behaviour in your own application
Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and build their own searches and dashboard. Some of their searches and correlations are great and very useful but they lack a standardized format in which they can share their work with others.
Others provide excellent analyses, include IOCs and YARA rules to detect the malicious files and network connections, but have no way to describe a specific or generic detection method in log events. Sigma is meant to be an open standard in which such detection mechanisms can be defined, shared and collected in order to improve the detection capabilities for everyone.
See the first slide deck that I prepared for a private conference in mid January 2017.
The specifications can be found in the Wiki.
The current specification is a proposal. Feedback is requested.
Florian wrote a short rule creation tutorial that can help you getting started.
- Download or clone the respository
- Check the
./rulessub directory for an overview on the rule base
python sigmac --helpin folder
./toolsto get a help on the rule converter
- Convert a rule of your choice with
python sigmac -t splunk ../rules/windows/builtin/win_susp_process_creations.yml
- Convert a whole rule directory with
python sigmac -t splunk -r ../rules/proxy/
- Check the
./tools/configfolder and the wiki if you need custom field or log source mappings in your environment
Sigmac converts sigma rules into queries or inputs of the supported targets listed below. It acts as a frontend to the
Sigma library that may be used to integrate Sigma support in other projects. Further, there's
merges multiple YAML documents of a Sigma rule collection into simple Sigma rules.
- Splunk (plainqueries and dashboards)
- ElasticSearch Query Strings
- ElasticSearch Query DSL
- Elastic X-Pack Watcher
- Windows Defender Advanced Threat Protection (WDATP)
- RSA NetWitness
- Grep with Perl-compatible regular expression support
New targets are continuously developed. You can get a list of supported targets with
sigmac --target-list or
The usage of Sigmac (the Sigma Rule Converter) or the underlying library requires Python >= 3.5 and PyYAML.
It's available on PyPI. Install with:
pip3 install sigmatools
Alternatively, if used from the Sigma Github repository, the Python dependencies can be installed with:
pip3 install -r tools/requirements.txt
For development (e.g. execution of integration tests with
make and packaging), further dependencies are required and can be installed with:
pip3 install -r tools/requirements-devel.txt
Import Sigma rules to MISP events. Depends on PyMISP.
Parameters that aren't changed frequently (
--key) can be put without the prefixing dashes
-- into a file
and included with
@filename as parameter on the command line.
url https://host key foobarfoobarfoobarfoobarfoobarfoobarfoo
Load Sigma rule into MISP event 1234:
sigma2misp @misp.conf --event 1234 sigma_rule.py
Load Sigma rules in directory sigma_rules/ into one newly created MISP event with info set to Test Event:
sigma2misp @misp.conf --same-event --info "Test Event" -r sigma_rules/
Evt2Sigma helps you with the rule creation. It generates a Sigma rule from a log entry.
contrib contains scripts that were contributed by the community:
sigma2elastalert.pyi by David Routin: A script that converts Sigma rules to Elastalert configurations. This tool uses sigmac and expects it in its path.
These tools are not part of the main toolchain and maintained separately by their authors.
- Integration of MITRE ATT&CK framework identifier to the rule set
- Integration into Threat Intel Exchanges
- Attempts to convince others to use the rule format in their reports, threat feeds, blog posts, threat sharing platforms
Projects that use Sigma
- MISP (since version 2.4.70, March 2017)
- TA-Sigma-Searches (Splunk App)
- SOC Prime - Sigma Rule Editor
- ypsilon - Automated Use Case Testing
- uncoder.io - Online Translator for SIEM Searches
- SPARK - Scan with Sigma rules on endpoints
The content of this repository is released under the following licenses:
- The toolchain (everything under
tools/) is licensed under the GNU Lesser General Public License.
- The Sigma specification is public domain.
- Everything else, especially the rules contained in the
rules/directory is released under the GNU General Public License.
This is a private project mainly developed by Florian Roth and Thomas Patzke with feedback from many fellow analysts and friends. Rules are our own or have been drived from blog posts, tweets or other public sources that are referenced in the rules.
Copyright for Tree Image: studiobarcelona / 123RF Stock Photo