
Reference to other rules in the condition of a detection

Open thomaspatzke opened this issue 2 years ago • 1 comment

Discussed in https://github.com/SigmaHQ/sigma-specification/discussions/6

Idea: add a correlation type that allows injecting/including detections from one rule into another and using them from there. This would be quite useful for false positive handling, generic rule parts and possibly other use cases typically encountered in the integration of Sigma into an existing detection environment.

thomaspatzke avatar Oct 16 '22 08:10 thomaspatzke
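As an added illustration of the idea in the post above (example code, not part of the Sigma specification or any SigmaHQ tooling): a small Python resolver that copies the named search identifiers of a referenced rule into the referencing rule and rewrites its condition, so an unmodified Sigma backend still receives an ordinary rule. The `include` key, the `alias.name` condition syntax, the rule IDs and the sample rules are all assumptions made for this example.

```python
import copy
import re
from typing import Any, Dict, FrozenSet

# Constructed sample rules. "fp-generic" holds a shared false-positive filter;
# "susp-proc" reuses it. The `include: {alias: rule-id}` key and the
# `alias.name` reference syntax are assumptions, not Sigma syntax.
RULES: Dict[str, Dict[str, Any]] = {
    "fp-generic": {
        "title": "Generic known-good updater filter",
        "detection": {
            "known_updater": {"Image|endswith": "\\updater.exe", "Signed": "true"},
            "condition": "known_updater",
        },
    },
    "susp-proc": {
        "title": "Suspicious cmd.exe with shared FP filter",
        "include": {"fp": "fp-generic"},
        "detection": {
            "selection": {"Image|endswith": "\\cmd.exe"},
            "condition": "selection and not fp.known_updater",
        },
    },
}


def resolve_includes(rule_id: str, rules: Dict[str, Dict[str, Any]],
                     _stack: FrozenSet[str] = frozenset()) -> Dict[str, Any]:
    """Return a copy of rules[rule_id] with all included detections injected.

    Every search identifier of an included rule (its `condition` excluded) is
    copied in as `<alias>_<name>`, and `alias.name` in the condition is
    rewritten to that identifier. Includes are resolved recursively; cycles
    and identifier collisions raise ValueError instead of silently merging.
    """
    if rule_id in _stack:
        raise ValueError(f"include cycle at {rule_id}")
    rule = copy.deepcopy(rules[rule_id])  # never mutate the caller's rules
    detection = rule["detection"]
    for alias, target_id in rule.get("include", {}).items():
        target = resolve_includes(target_id, rules, _stack | {rule_id})
        for name, value in target["detection"].items():
            if name == "condition":
                continue
            injected = f"{alias}_{name}"
            if injected in detection:
                raise ValueError(f"identifier collision: {injected}")
            detection[injected] = value
            detection["condition"] = re.sub(
                rf"\b{re.escape(alias)}\.{re.escape(name)}\b", injected, detection["condition"])
    rule.pop("include", None)  # the result is a plain, self-contained rule
    return rule
```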

This would form a graph - links between rules and the data types [and properties] within them - that would be useful for many reasons. This is something many companies working in cybersecurity are working on; it would make sense to pool resources.

rjurney avatar Apr 01 '23 23:04 rjurney