The following document defines the standardized tags that can be used to categorize the different Sigma rules.
- Version 1.1.0
- Release date 2023-06-20
Namespaces:
- attack: Categorization according to MITRE ATT&CK. To get the currently supported version of ATT&CK, please visit MITRE CTI
- car: Link to the corresponding MITRE Cyber Analytics Repository (CAR)
- stp: Rating of detection analytic robustness according to the MITRE Summiting the Pyramid scheme.
- tlp: Traffic Light Protocol
Namespace: attack
Tactics:
- initial_access: Initial Access
- execution: Execution
- persistence: Persistence
- privilege_escalation: Privilege Escalation
- defense_evasion: Defense Evasion
- credential_access: Credential Access
- discovery: Discovery
- lateral_movement: Lateral Movement
- collection: Collection
- exfiltration: Exfiltration
- command_and_control: Command and Control
- impact: Impact
Namespace: car
Use the CAR tag from the analytics repository without the prepended CAR- prefix. Example tag: car.2016-04-005
Namespace: stp
The Summiting the Pyramid scheme created by MITRE defines two dimensions for scoring robustness:
- Analytic robustness between 1 and 5.
- Event robustness as Application, User-mode and Kernel-mode, in ascending order of robustness.
Details for both dimensions are defined here.
The stp namespace allows the robustness of the detection implemented by a Sigma rule to be scored according to this scheme. Because the event robustness depends on the event log source, which is an environmental property, Sigma allows the robustness to be specified in the following ways:
- analytic-only defines just the analytic robustness in a tag like stp.4. This is usually appropriate for generic log sources like process_creation where it isn't possible to anticipate the robustness of the final log source.
- complete defines the whole score in a tag like stp.3k. Such a tag should be chosen if the detection refers to a concrete log source.
Namespace: cve
Use the CVE tag from MITRE in lower case, separated by dots. Example tag: cve.2021.44228
Namespace: tlp
All TLP levels defined by the FIRST TLP-SIG in lower case. Example tag: tlp.amber
Namespace: detection
Use the detection tag to indicate the type of a rule. Example tag: detection.threat_hunting
- dfir
- emerging_threats
- threat_hunting
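As an added example (not part of this specification or of the Sigma project's own tooling), a small linter that checks the tags block of a rule against the namespaces above, so that malformed tags such as a kept CAR- prefix or a hyphenated CVE are caught before a rule is merged. It goes beyond the page in three assumed places: ATT&CK technique tags of the form attack.tNNNN with an optional .NNN sub-technique, the a/u/k letters for the stp event robustness (the page shows only stp.3k), and the set of FIRST TLP level names.

```python
import re

ATTACK_TACTICS = {  # tactic names listed in the attack namespace above
    "initial_access", "execution", "persistence", "privilege_escalation",
    "defense_evasion", "credential_access", "discovery", "lateral_movement",
    "collection", "exfiltration", "command_and_control", "impact",
}
DETECTION_TYPES = {"dfir", "emerging_threats", "threat_hunting"}
# Assumption: FIRST TLP level names (TLP 1.0 "white" plus TLP 2.0), lower case.
TLP_LEVELS = {"white", "clear", "green", "amber", "amber+strict", "red"}
# Assumption: ATT&CK technique ids are tNNNN with an optional .NNN sub-technique.
TECHNIQUE_RE = re.compile(r"t\d{4}(?:\.\d{3})?")
CAR_RE = re.compile(r"\d{4}-\d{2}-\d{3}")  # car.2016-04-005, "CAR-" prefix dropped
# Assumption: event robustness letters a (application), u (user-mode), k (kernel-mode).
STP_RE = re.compile(r"[1-5][auk]?")        # stp.4 (analytic-only) or stp.3k (complete)
CVE_RE = re.compile(r"\d{4}\.\d{4,}")      # cve.2021.44228: dots, not hyphens
CHECKS = {  # namespace -> predicate over the part after the first dot
    "attack": lambda v: v in ATTACK_TACTICS or TECHNIQUE_RE.fullmatch(v) is not None,
    "car": lambda v: CAR_RE.fullmatch(v) is not None,
    "stp": lambda v: STP_RE.fullmatch(v) is not None,
    "cve": lambda v: CVE_RE.fullmatch(v) is not None,
    "tlp": lambda v: v in TLP_LEVELS,
    "detection": lambda v: v in DETECTION_TYPES,
}


def validate_tag(tag) -> tuple:
    """Return (ok, reason) for one Sigma tag string such as 'stp.3k'."""
    if tag != tag.lower():
        return False, "tags are lower case"
    namespace, sep, value = tag.partition(".")  # keeps dots inside the value
    if not sep or not value:
        return False, "expected the form <namespace>.<value>"
    if namespace not in CHECKS:
        return False, f"unknown namespace {namespace!r}"
    if not CHECKS[namespace](value):
        return False, f"malformed value {value!r} for namespace {namespace!r}"
    return True, ""


def lint_rule_tags(tags) -> list:
    """Return one message per non-conforming tag; an empty list means all pass."""
    return [f"{t}: {r}" for t in tags for ok, r in (validate_tag(t),) if not ok]


# Constructed sample: tags of a hypothetical rule, the last five deliberately wrong.
SAMPLE_RULE_TAGS = [
    "attack.execution", "attack.t1059.001", "car.2016-04-005", "stp.4", "stp.3k",
    "cve.2021.44228", "tlp.amber", "detection.threat_hunting",  # conform
    "car.CAR-2016-04-005", "cve.2021-44228", "stp.6", "tlp.orange", "attack.lateral_move",
]
```

Running lint_rule_tags(SAMPLE_RULE_TAGS) yields five messages, one per deliberately broken tag, and nothing for the eight conforming ones.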
Changelog:
- 2023-06-20 Tags V1.1.0
  - Add detection namespace
- 2022-12-19 Tags V1.0.1
  - Minor updates and tweaks
- 2022-09-18 Tags V1.0.0
  - Initial formalisation from the Sigma wiki
- 2017 Sigma creation