🕰️Sigma
Sigma is an open-source generic signature language developed by Florian Roth & Thomas Patzke to describe log events in a structured format. This allows for quick sharing of detection methods by security analysts.
Sigma rules are written in YAML Ain't Markup Language (YAML), a data serialisation language that is human-readable and useful for managing data.
Sigma Syntax
Status: Describes the maturity stage of the rule. There are five declared statuses that you can use:
Stable: The rule may be used in production environments and dashboards.
Test: The rule is being trialled and could require fine-tuning.
Experimental: The rule is very generic and still being tested. It could produce false results or be noisy, but could also identify interesting events.
Deprecated: The rule has been replaced and would no longer yield accurate results. The related field is used to create associations between the current rule and one that has been deprecated.
Unsupported: The rule is not usable in its current state (unique correlation log, homemade fields).
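As an added example (not taken from the original page), the two rules below show how the status and related fields work together: the first rule is marked deprecated, and the replacement rule points back to it through related with type obsoletes. Rule titles, UUIDs, author, dates and the detection logic are all constructed for illustration.

```yaml
# Added example: two Sigma rules in one file (separated by ---) showing the
# status field and a related/obsoletes link. All identifiers are constructed.

# --- Rule 1: the superseded rule, kept so consumers can see it was replaced
title: Suspicious Scheduled Task Creation (Old)
id: 11111111-1111-4111-8111-111111111111   # constructed UUID
status: deprecated           # no longer maintained; superseded by rule 2 below
description: Detects schtasks.exe creating a task. Replaced by a more precise rule.
author: Example Author
date: 2023/01/15
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\schtasks.exe'
  condition: selection
level: low
---
# --- Rule 2: the replacement; related links it back to the deprecated rule
title: Suspicious Scheduled Task Creation
id: 22222222-2222-4222-8222-222222222222   # constructed UUID
related:
  - id: 11111111-1111-4111-8111-111111111111   # id of the deprecated rule
    type: obsoletes          # this rule supersedes the deprecated one
status: test                 # still being trialled; may need tuning before production
description: Detects schtasks.exe creating a task whose command line references a user profile path.
author: Example Author
date: 2024/03/01
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\schtasks.exe'
    CommandLine|contains|all:
      - '/create'
      - '\AppData\'
  condition: selection
falsepositives:
  - Legitimate installers registering their own update tasks
level: medium
```

Once rule 2 has been tuned against real telemetry, its status would move from test to stable; the related entry stays so the lineage remains visible.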