Sigma Rule Files
Cori Smith edited this page Jun 27, 2023
All about definition files: what they are and how to write them.
Sigma rule files are collections of queries written in YAML (.yml) format that are EDR-agnostic. This lets you write more complex queries than definition files allow, and reuse the same rule across different products.
Use-cases include:
- Search for IOCs across all machines in an EDR platform
- Baseline environments and identify commonly used tools and any outliers
- Inventory programs based on execution history
- Test detector logic to reduce noise and tune for accuracy
- Hunt for behavior too noisy or false-positive prone to be used as automated detector logic
Examples of these rules can be found here: https://github.com/SigmaHQ/sigma
There are also many articles available on how to write these:
- https://intezer.com/blog/threat-hunting/intro-to-sigma-rules/
- https://socprime.com/blog/sigma-rules-the-beginners-guide/
Note: Sigma support is determined by libraries created and maintained by the open source community:
- Microsoft Defender for Endpoint https://github.com/AttackIQ/pySigma-backend-microsoft365defender
- SentinelOne Deep Visibility https://github.com/7RedViolin/pySigma-backend-sentinelone
- VMware Carbon Black EDR and VMware Carbon Black Enterprise EDR https://github.com/7RedViolin/pySigma-backend-carbonblack
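As an added example (not code from this wiki, from pySigma or from any of the backends listed above), the Python below shows in miniature what such a backend does with a rule: it takes one constructed Sigma-style rule, given as the dict that `yaml.safe_load` would return for the .yml file, and renders its `detection` block into a query string for a hypothetical KQL-like dialect. The rule, its field names and the modifier-to-operator mapping are assumptions, and only simple `selection and/or/not` conditions are handled.

```python
import re

# Constructed Sigma-style rule as the dict yaml.safe_load returns for the .yml file
# (so this runs without PyYAML). Field names and values are assumptions.
RULE = {
    "title": "Encoded PowerShell command line",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        "filter_scheduler": {"ParentImage|endswith": "\\known_scheduler.exe"},  # placeholder parent
        "condition": "selection and not filter_scheduler",
    },
}
# Sigma value modifier -> operator in the hypothetical KQL-like target dialect.
OPERATORS = {"": "==", "contains": "contains", "startswith": "startswith", "endswith": "endswith"}

def quote(value):
    """Quote a literal for the target dialect, escaping backslashes and double quotes."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'

def render_field(key, values):
    """Render one 'Field|modifier: value(s)' entry; a list of values is OR'ed."""
    field, _, modifier = key.partition("|")
    if modifier not in OPERATORS:
        raise ValueError(f"unsupported modifier {modifier!r} on field {field!r}")
    values = values if isinstance(values, list) else [values]
    clauses = [f"{field} {OPERATORS[modifier]} {quote(v)}" for v in values]
    return clauses[0] if len(clauses) == 1 else "(" + " or ".join(clauses) + ")"

def render_selection(selection):
    """Every field in a selection map must match, so its entries are AND'ed."""
    return "(" + " and ".join(render_field(k, v) for k, v in selection.items()) + ")"

def convert(rule):
    """Substitute rendered selections into the condition string. Handles selection
    names, and/or/not and parentheses; '1 of'/'all of' aggregations are not supported."""
    detection = rule["detection"]

    def replace(match):
        name = match.group(0)
        if name in ("and", "or", "not"):
            return name
        if name == "condition" or name not in detection:
            raise ValueError(f"condition references unknown selection {name!r}")
        return render_selection(detection[name])

    return re.sub(r"[A-Za-z_][A-Za-z0-9_]*", replace, detection["condition"])
```

Calling `convert(RULE)` yields one query string in which the OR'ed `CommandLine` values and the `not`-wrapped filter are parenthesized, which is the point where a real backend would instead emit its product's own operators and escaping.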