/sigma

Generic Signature Format for SIEM Systems

Primary LanguagePythonOtherNOASSERTION

sigma build status

sigma_logo

Sigma

Generic Signature Format for SIEM Systems

What is Sigma

Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.

Sigma is for log files what Snort is for network traffic and YARA is for files.

This repository contains:

  1. Sigma rule specification in the Sigma-Specification repository
  2. Open repository for sigma signatures in the ./rules subfolder

sigma_description

Hack.lu 2017 Talk

Sigma - Generic Signatures for Log Events

SANS Webcast on MITRE ATT&CK® and Sigma

The SANS webcast on Sigma contains a very good 20 min introduction to the project by John Hubbart from minute 39 onward. (SANS account required; registration is free)

MITRE ATT&CK® and Sigma Alerting Webcast Recording

Use Cases

  • Describe your detection method in Sigma to make it shareable
  • Write your SIEM searches in Sigma to avoid a vendor lock-in
  • Share the signature in the appendix of your analysis along with IOCs and YARA rules
  • Share the signature in threat intel communities - e.g. via MISP
  • Provide Sigma signatures for malicious behaviour in your own application

Why Sigma

Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and build their own searches and dashboard. Some of their searches and correlations are great and very useful but they lack a standardized format in which they can share their work with others.

Others provide excellent analyses, include IOCs and YARA rules to detect the malicious files and network connections, but have no way to describe a specific or generic detection method in log events. Sigma is meant to be an open standard in which such detection mechanisms can be defined, shared and collected in order to improve the detection capabilities for everyone.

Slides

See the first slide deck that I prepared for a private conference in mid January 2017.

Sigma - Make Security Monitoring Great Again

Specification

The specifications can be found in the Sigma-Specification repository.

The current specification is a proposal. Feedback is requested.

Getting Started

Rule Creation

Florian wrote a short rule creation tutorial that can help you getting started. Use the Rule Creation Guide in our Wiki for a clear guidance on how to populate the various field in Sigma rules.

Rule Usage

  • Use Sigma CLI to convert your rules into queries.
  • Use pySigma to integrate Sigma in your own toolchain or product.
  • Check out the legacy sigmatools and sigmac if your target query language is not yet supported by the new toolchain. Please be aware that the legacy sigmatools are not maintained anymore and some of the backends don't generate correct queries.

Examples

Windows 'Security' Eventlog: Access to LSASS Process with Certain Access Mask / Object Type (experimental) sigma_rule example2

Sysmon: Remote Thread Creation in LSASS Process sigma_rule example1

Web Server Access Logs: Web Shell Detection sigma_rule example3

Sysmon: Web Shell Detection sigma_rule example4

Windows 'Security' Eventlog: Suspicious Number of Failed Logons from a Single Source Workstation sigma_rule example5

Projects or Products that use Sigma

Sigma is available in some Linux distribution repositories:

Packaging status

Contribution

If you want to contribute, you are more then welcome. There are numerous ways to help this project.

Use it and provide feedback

If you use it, let us know what works and what does not work.

E.g.

  • Tell us about false positives (issues section)
  • Try to provide an improved rule (new filter) via pull request on that rule

In order to enhance or fix some issues with a specific PR we might ask the author for some additional input. In such cases, the PR will be tagged with "Author Input Required". If the author of the PR does not respond in a timely manner the PR will automatically be closed after 1 month of inactivity.

Work on open issues

The github issue tracker is a good place to start tackling some issues others raised to the project. It could be as easy as a review of the documentation.

Provide Backends / Backend Features / Bugfixes

Please don't provide backends for the old code base (sigmac) anymore. Please use the new pySigma. We are working on a documentation on how to write new backends for that new code base. An example backend for Splunk can be found here.

Spread the word

Last but not least, the more people use Sigma, the better, so help promote it by sharing it via social media. If you are using it, consider giving a talk about your journey and tell us about it.

Licenses

The content of this repository is released under the following licenses:

Credits

This is a private project mainly developed by Florian Roth and Thomas Patzke with feedback from many fellow analysts and friends. Rules are our own or have been drived from blog posts, tweets or other public sources that are referenced in the rules.

Info Graphic

Overview

sigmac_info_graphic

Coverage Illustration

sigmac_coverage