One of the most common questions we get often from people using and leveraging Sigma rules is “how should we use Sigma rules?”. Sigma offers more than 3000 rules with different maturity and severity levels, described by the status and level fields respectively.
Today we’re happy to announce that SigmaHQ main rule repository will be providing on a bi-weekly basis pre-defined rule packages. The aim is to make it easy for new and seasoned users of Sigma rules to ingest these rules and more importantly use the rules as they were meant to be used with a set level of expectation regarding false positives appetite and maturity.
Without further ado let us dive into how these packages are structured and what’s the aim with each one.
Introduction
The rule packages provided with every release are split based on the status, level and type of a sigma rule.
There are currently 3 main rule types provided in the sigma repository:
- Core/Generic: Rules that match on attacker techniques. These rules are timeless and often match on new threats.
- Emerging-Threats/ET: Rules that match on patterns of specific threat actors or exploits. High signal to noise ratio but will decrease in relevance over time.
- Threat-Hunting/TH: Rules that should not be run for alerting but are interesting in giving detection ideas or hunt for suspicious activity inside an environment.
Packages Overview
Before we delve into the details, here is a general overview for those who are already familiar with sigma.
±-----------------------------±------------------------------±-----------------------±-----------------------+
| name | status | level | type |
±-----------------------------±------------------------------±-----------------------±-----------------------+
| Core (Default) | testing, stable | high, critical | core |
| Core+ (Rule Review needed) | testing, stable | medium, high, critical | core |
| Core++ (Experimental) | experimental, testing, stable | medium, high, critical | core |
| Emerging Threats AddOn Rules | experimental, testing, stable | medium, high, critical | emerging threats |
| All rules | experimental, testing, stable | medium, high, critical | core, emerging threats |
±-----------------------------±------------------------------±-----------------------±-----------------------+
If you’re just getting started, it’s best to start with the Core Sigma package. It includes high quality rules of high confidence and relevance and should not produce many false positives.
If your setup is working fine, you can add the emerging threats rules and start thinking about upgrading to Core+ rules. If that is not enough and you like the pain, use the “all” rules package.
Package Types
Core Rules
The Core Sigma package includes high quality rules of high confidence and relevance and should not produce many false positives.
The selected rules are of level high or critical, which means matches are of high or critical importance. The rule status is testing or stable, which means the rule is at least of an age of half a year and no false positives were reported on it.
The type is core, meaning the rules will match on attacker technique and generic suspicious or malicious behavior.
Core+ Rules
The plus in the Core+ Sigma package stands for the addition of medium level rules. Those rules most often need additional tuning as certain applications, legitimate user behavior or scripts of an organization might be matched. Not every medium level rule is useful in every organization. Expect the need to tune or disable rules as you see fit.
Core++ Rules
The Core++ package additionally includes the rules of experimental status. These rules are bleeding edge. They are validated against the Goodlog tests available to the SigmaHQ project and reviewed by multiple detection engineers. Other than that they are pretty much untested at first. Use these if you want to be able to detect threats as early as possible at the cost of managing a higher threshold of false positives.
Please report any false positives you find via our github issue tracker. After a grace period all experimental rules will eventually be promoted to status test.
Package Add-Ons
ET (Emerging Threats) AddOn Rules
The ET AddOn Sigma package contains all of the emerging threats rules. These rules have a low false positive rate so that it already contains rules of status experimental. These rules target specific threats and are especially useful for current threats where maybe not much information is yet available. So we want to get them to you as fast as possible. The package is an AddOn so you can use it on top of whichever Core package is most useful to you.
All Rules Package
This package includes all rules from level medium with a status of experimental and upwards including the emerging threats rules. Some heavy tuning is required when using this package.
You’ll notice that rules of level low and some other rules are omitted even from this All Rules Packages. We do not recommend using any other types of rules to generate alerts except for those provided in these packages.
Creating Custom Rule Packages
The packages are being generated by a script executed by a GitHub workflow. If you would like to create your own custom package, you can checkout any release version (i.e. tags starting with ‘r’) and use the sigma-package-release script. Define the status, level , and type of rules and the script generates a ZIP archive containing only those rules.
python3 tests/sigma-package-release.py - min-status testing - levels high critical - types generic - outfile Sigma-custom.zip
You can either give level and status as a space separated list or using a minimum value. See --help for all options
Changelog
With the introduction of these release packages we wanted to also highlight the many changes that occur to the different Sigma rules from false positives tuning to logic and coverage enhancements. For this, every release will be accompanied by a changelog indicating the updates that occurred during that period.
The following prefix conventions will be used to describe the different types of changes
- new: — Indicates a new rule.
- update: — Indicates an update to the rules. Can be a logic or a metadata update.
- fix: — Indicates a false positives tuning with the rules or less often a logic fix with the rule itself.
Every release will also be accompanied by a blog highlighting the most interesting changes made in that release. So follow this blog for constant updates :)
Contributors Highlights
Last but not least, with these releases we also wanted to highlight the many contributions of the community. For this every contributor that opens a PR to add, update or fix a rule will be mentioned .
Conclusion
Release packages are but another step in our journey to make the Sigma project more mature and easily usable.
If you’re interested in regular updates on the Sigma project, please be sure to follow and subscribe to this publication and follow @sigma_hq on Twitter.
Introducing Sigma Rule Packages & Releases was originally published in Sigma_HQ on Medium, where people are continuing the conversation by highlighting and responding to this story.
Article Link: Introducing Sigma Rule Packages & Releases | by Nasreddine Bencherchali | Sigma_HQ | Oct, 2023 | Medium