Tags_specification.md

Tags

The following document defines the standardized tags that can be used to categorize the different Sigma rules.

• Version 1.1.0
• Release date 2023-06-20

Summary

• Summary
• Namespaces
  • Namespace: attack
  • Namespace: car
  • Namespace: cve
  • Namespace: tlp
  • namespace: detection
• History

Namespaces

• attack: Categorization according to MITRE ATT&CK. To get the current supported version of ATT&CK please visite MITRE CTI
• car: Link to the corresponding MITRE Cyber Analytics Repository (CAR)
• stp: Rating of detection analytic robustness according to the MITRE Summiting the Pyramid scheme.
• tlp: Traffic Light Protocol

Namespace: attack

• t1234: Refers to a technique
• g1234: Refers to a group
• s1234: Refers to software

Tactics:

• initial_access: Initial Access
• execution: Execution
• persistence: Persistence
• privilege_escalation: Privilege Escalation
• defense_evasion: Defense Evasion
• credential_access: Credential Access
• discovery: Discovery
• lateral_movement: Lateral_Movement
• collection: Collection
• exfiltration: Exfiltration
• command_and_control: Command and Control
• impact: Impact

Namespace: car

Use the CAR tag from the analytics repository without the prepending CAR-. Example tag: car.2016-04-005.

Namespace: stp

The Summiting the Pyramid scheme created by MITRE defines two score dimensions for scoring of the robustness:

• Analytic robustness between 1 and 5.
• Event robustness as Application, User-mode and Kernel-mode in ascending order of robustness-

Details for both dimensions are defined here.

The stp namespace allows to score the robustness of the detection implemented by a Sigma rule according to this scheme. Because the event robustness depends on the event log source that is an enviromental property, Sigma allows to specify the robustness in the following ways:

• analytic-only defines just the analytic robustness in a tag like stp.4. This is usually appropriate for generic log sources like process_creation where it isn't possible to anticipate the robustness of the final log source.
• complete defines the whole score in a tag like stp.3k. Such a tag should be chosen if the detection refers to a concrete log source.

Namespace: cve

Use the CVE tag from the mitre in lower case seperated by dots. Example tag: cve.2021.44228.

Namespace: tlp

All TLP levels defined by the FIRST TLP-SIG in lower case. Example tag: tlp.amber.

namespace: detection

Use the detection tag to indicate the type of a rule. Example tag: detection.threat_hunting.

• dfir
• emerging_threats
• threat_hunting

History

• 2023-06-20 Tags V1.1.0
  • Add detection namespace
• 2022-12-19 Tags V1.0.1
  • Minor updates and tweaks
• 2022-09-18 Tags V1.0.0
  • Initial formalisation from the sigma wiki
• 2017 Sigma creation