MCPcopy Index your code
hub / github.com/SigmaHQ/sigma

github.com/SigmaHQ/sigma @0.22

repository ↗ · DeepWiki ↗ · release 0.22 ↗ · + Follow
1,093 symbols 3,406 edges 93 files 284 documented · 26% 6 cross-repo links
README

sigma build status

sigma_logo

Sigma

Generic Signature Format for SIEM Systems

What is Sigma

Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.

Sigma is for log files what Snort is for network traffic and YARA is for files.

This repository contains:

  1. Sigma rule specification in the Wiki
  2. Open repository for sigma signatures in the ./rules subfolder
  3. A converter named sigmac located in the ./tools/ sub folder that generates search queries for different SIEM systems from Sigma rules

sigma_description

Hack.lu 2017 Talk

Sigma - Generic Signatures for Log Events

SANS Webcast on MITRE ATT&CK® and Sigma

The SANS webcast on Sigma contains a very good 20 min introduction to the project by John Hubbart from minute 39 onward. (SANS account required; registration is free)

MITRE ATT&CK® and Sigma Alerting Webcast Recording

Use Cases

  • Describe your detection method in Sigma to make it shareable
  • Write your SIEM searches in Sigma to avoid a vendor lock-in
  • Share the signature in the appendix of your analysis along with IOCs and YARA rules
  • Share the signature in threat intel communities - e.g. via MISP
  • Provide Sigma signatures for malicious behaviour in your own application

Why Sigma

Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and build their own searches and dashboard. Some of their searches and correlations are great and very useful but they lack a standardized format in which they can share their work with others.

Others provide excellent analyses, include IOCs and YARA rules to detect the malicious files and network connections, but have no way to describe a specific or generic detection method in log events. Sigma is meant to be an open standard in which such detection mechanisms can be defined, shared and collected in order to improve the detection capabilities for everyone.

Slides

See the first slide deck that I prepared for a private conference in mid January 2017.

Sigma - Make Security Monitoring Great Again

Specification

The specifications can be found in the Wiki.

The current specification is a proposal. Feedback is requested.

Getting Started

Rule Creation

Florian wrote a short rule creation tutorial that can help you getting started. Use the Rule Creation Guide in our Wiki for a clear guidance on how to populate the various field in Sigma rules.

Rule Usage

  1. Download or clone the repository
  2. Check the ./rules sub directory for an overview on the rule base
  3. Run python sigmac --help in folder ./tools to get a help on the rule converter
  4. Convert a rule of your choice with sigmac like ./sigmac -t splunk -c tools/config/generic/sysmon.yml ./rules/windows/process_creation/proc_creation_win_susp_whoami.yml
  5. Convert a whole rule directory with python sigmac -t splunk -r ../rules/proxy/
  6. Check the ./tools/config folder and the wiki if you need custom field or log source mappings in your environment

Troubles / Troubleshooting / Help

If you need help for a specific supported backend you can use e.g. sigmac --backend-help elastalert-dsl. More details on the usage of sigmac can be found in the dedicated README.md.

Be sure to checkout the guidance on backend specific settings for sigmac.

Examples

Windows 'Security' Eventlog: Access to LSASS Process with Certain Access Mask / Object Type (experimental) sigma_rule example2

Sysmon: Remote Thread Creation in LSASS Process sigma_rule example1

Web Server Access Logs: Web Shell Detection sigma_rule example3

Sysmon: Web Shell Detection sigma_rule example4

Windows 'Security' Eventlog: Suspicious Number of Failed Logons from a Single Source Workstation sigma_rule example5

Sigma Tools

Sigmac

Sigmac converts sigma rules into queries or inputs of the supported targets listed below. It acts as a frontend to the Sigma library that may be used to integrate Sigma support in other projects. Further, there's merge_sigma.py which merges multiple YAML documents of a Sigma rule collection into simple Sigma rules.

WARNING: Do not provide conversion backends for this tool anymore. We'll soon set a date for its deprecation. Since October 2020, we're working on a much more flexible and stable module named pySigma and a command line interface named sigma-cli that makes use of pySigma.

Usage

usage: sigmac [-h] [--recurse] [--filter FILTER]
              [--target {sqlite,netwitness-epl,logpoint,graylog,netwitness,arcsight,carbonblack,es-rule,ala,elastalert-dsl,splunkxml,fieldlist,sysmon,arcsight-esm,kibana,csharp,qualys,powershell,es-qs,mdatp,humio,grep,qradar,logiq,sql,sumologic,ala-rule,limacharlie,elastalert,splunk,stix,xpack-watcher,crowdstrike,es-dsl,ee-outliers}]
              [--target-list] [--config CONFIG] [--output OUTPUT]
              [--backend-option BACKEND_OPTION] [--defer-abort]
              [--ignore-backend-errors] [--verbose] [--debug]
              [inputs [inputs ...]]

Convert Sigma rules into SIEM signatures.

positional arguments:
  inputs                Sigma input files ('-' for stdin)

optional arguments:
  -h, --help            show this help message and exit
  --recurse, -r         Use directory as input (recurse into subdirectories is
                        not implemented yet)
  --filter FILTER, -f FILTER
                        Define comma-separated filters that must match (AND-
                        linked) to rule to be processed. Valid filters:
                        level<=x, level>=x, level=x, status=y, logsource=z,
                        tag=t. x is one of: low, medium, high, critical. y is
                        one of: experimental, testing, stable. z is a word
                        appearing in an arbitrary log source attribute. t is a
                        tag that must appear in the rules tag list, case-
                        insensitive matching. Multiple log source
                        specifications are AND linked.
  --target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp,devo}, -t {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp,devo}
                        Output target format
  --target-list, -l     List available output target formats
  --config CONFIG, -c CONFIG
                        Configurations with field name and index mapping for
                        target environment. Multiple configurations are merged
                        into one. Last config is authoritative in case of
                        conflicts.
  --output OUTPUT, -o OUTPUT
                        Output file or filename prefix if multiple files are
                        generated
  --backend-option BACKEND_OPTION, -O BACKEND_OPTION
                        Options and switches that are passed to the backend
  --defer-abort, -d     Don't abort on parse or conversion errors, proceed
                        with next rule. The exit code from the last error is
                        returned
  --ignore-backend-errors, -I
                        Only return error codes for parse errors and ignore
                        errors for rules that cause backend errors. Useful,
                        when you want to get as much queries as possible.
  --verbose, -v         Be verbose
  --debug, -D           Debugging output

Examples

Single Rule Translation

Translate a single rule

tools/sigmac -t splunk -c splunk-windows rules/windows/sysmon/sysmon_susp_image_load.yml

Rule Set Translation

Translate a whole rule directory and ignore backend errors (-I) in rule conversion for the selected backend (-t splunk)

tools/sigmac -I -t splunk -c splunk-windows -r rules/windows/sysmon/

Translate Only Rules of Level High or Critical

Translate a whole rule directory and ignore backend errors (-I) in rule conversion for the selected backend (-t splunk) and select only rules of level high and critical

tools/sigmac -I -t splunk -c splunk-windows -f 'level>=high' -r rules/windows/sysmon/

Rule Set Translation with Custom Config

Apply your own config file (-c ~/my-elk-winlogbeat.yml) during conversion, which can contain you custom field and source mappings

tools/sigmac -t es-qs -c ~/my-elk-winlogbeat.yml -r rules/windows/sysmon

Generic Rule Set Translation

Use a config file for process_creation rules (-r rules/windows/process_creation) that instructs sigmac to create queries for a Sysmon log source (-c tools/config/generic/sysmon.yml) and the ElasticSearch target backend (-t es-qs)

tools/sigmac -t es-qs -c tools/config/generic/sysmon.yml -r rules/windows/process_creation

Generic Rule Set Translation with Custom Config

Use a config file for a single process_creation rule (./rules/windows/process_creation/win_susp_outlook.yml) that instructs sigmac to create queries for process creation events generated in the Windows Security Eventlog (-c tools/config/generic/windows-audit.yml) and a Splunk target backend (-t splunk)

tools/sigmac -t splunk -c ~/my-splunk-mapping.yml -c tools/config/generic/windows-audit.yml ./rules/windows/process_creation/win_susp_outlook.yml

(See @blubbfiction's blog post for more information)

Supported Targets

New targets are continuously developed. You can get a list of supported targets with sigmac --lists or sigmac -l.

Requirements

The usage of Sigmac (the Sigma Rule Converter) or the underlying library requires Python >= 3.5 and PyYAML.

Installation

It's available on PyPI. Install with:

pip3 install sigmatools

Alternatively, if used from the Sigma Github repository, the Python dependencies can be installed with Pipenv. Run the following command to get a shell with the installed requirements:

pipenv shell

For development (e.g. execution of integration tests with make and packaging), further dependencies are required and can be installed with:

pipenv install --dev
pipenv shell

Sigma2MISP

Import Sigma rules to MISP events. Depends

Core symbols most depended-on inside this repo

append
called by 357
tools/sigma/config/mapping.py
get
called by 237
tools/sigma/config/collection.py
generateNode
called by 103
tools/sigma/backends/base.py
add
called by 54
tools/sigma/parser/condition.py
applyOverrides
called by 41
tools/sigma/backends/base.py
update
called by 36
tools/sigma/config/collection.py
cleanValue
called by 35
tools/sigma/backends/sql.py
match
called by 25
tools/sigma/filter.py

Shape

Method 845
Class 150
Function 98

Languages

Python100%

Modules by API surface

tools/sigma/backends/elasticsearch.py93 symbols
tools/sigma/parser/condition.py58 symbols
tests/test_rules.py48 symbols
tools/sigma/backends/opensearch.py46 symbols
tools/sigma/backends/fortisiem.py46 symbols
tools/sigma/backends/base.py42 symbols
tools/sigma/backends/lacework.py37 symbols
tools/sigma/backends/uberagent.py32 symbols
tools/sigma/backends/ala.py29 symbols
tools/sigma/backends/sumologic.py28 symbols
tools/sigma/config/mapping.py22 symbols
tools/sigma/backends/hawk.py22 symbols

For agents

$ claude mcp add sigma \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact