The SigmaHQ team is pleased to announce the latest update to the Sigma specification: the long-awaited version 2.0 is now available for all Sigma users and creators. This release marks an important milestone for the Sigma project, introducing new features as well as many enhancements.
Let’s dive into the motivation behind v2.0 and some of the biggest changes introduced.
Motivation Behind v2.0
Since its inception, Sigma has always strived to be as user-friendly as possible while maintaining an expandable feature set. Over the years, both the vision of the project and the needs of its users have grown, necessitating the project’s evolution. This led to the creation of pySigma, a complete rewrite of the sigmac library, which introduced many new features and enhancements. Consequently, the specification had to evolve as well, resulting in the release of v2.0, an exciting milestone full of new ideas, features and enhancements.
Breaking Changes
As with any major version, some breaking changes are to be expected. Fortunately for Sigma users, there aren’t many to note here. You can check out a list of the important differences between v1 and v2 of the specs here.
New Set of Fields and Modifiers
In our continuous efforts to improve the Sigma rule format, we’ve added a bunch of new metadata fields and modifiers to allow users more flexibility and easier ways to write, enrich and effectively share/integrate their detection rules.
Check out the Sigma Rule Specification and the accompanying Sigma Modifiers Appendix for the full list and details.
New and Enhanced Correlation Specification
Sigma introduced the concept of correlation (aggregation) early in its development, in the now deprecated (EOL) sigmac library. While the aggregation expression was fine at the time, it was never really designed to be easily extended. With the introduction of pySigma, a full rewrite of the Sigma library, we took the time to create a dedicated specification for correlation rules that not only improves how users express correlation rules, but is also easily extensible for future use cases.
Check out the recent Introducing Sigma Correlations blog to get a small taste and the Sigma Correlation Rules Specification for full details.
Sigma Filters: A New Frontier
Recently we announced the release of a new feature called Sigma Filters, which allows for the creation of dedicated Sigma filter rules that act as centralized false positive exclusions for detection rules.
A dedicated specification has been created for this feature that you can check out here.
New JSON Schemata
In our efforts to provide a better structure for the Sigma project and ease automation efforts to validate Sigma rules against the specification, JSON schemata files are being added for all currently available specification documents. You can check them here.
New Repository Structure and Faster Release Cycle
In addition to this release, we took the time to update the Sigma Specification repository structure to reflect this new milestone. This restructuring will allow us to be more efficient and improve our release cycle.
https://github.com/SigmaHQ/sigma-specification
Help Shape the Future of the Sigma Standard
Additional enhancements are already in the works so stay tuned. If you want to shape the future of the Sigma standard, join the discussion and start contributing today to the specification.
Introducing Sigma Specification v2.0 was originally published in Sigma_HQ on Medium, where people are continuing the conversation by highlighting and responding to this story.
Article Link: Introducing Sigma Specification v2.0 | by Nasreddine Bencherchali | Aug, 2024 | Sigma_HQ