Proposed changes in Rule Creation Guide Wiki Page
Aka this page. Sorry to do it this way; GitHub does not seem to support PRs to the wiki git repo.
- Remove the adjective optional about the ID field. The existing tests make it mandatory to have it.
- Change the paragraph about status to:
  Every new rule has the status of `experimental`. It gets the status `stable` after months of productive use and without any false positives; or positive feedback from the community.
- Add a paragraph "How to test your rules", e.g.:
  Testing your rule can be done using the `make test-rules` command, which will run multiple checks and highlight errors based on test use-cases.
The specification states `id` as optional. They are mandatory in the SigmaHQ rules repository, though. There are other optional fields (e.g. `status`) that are mandatory if you want to publish your rule in SigmaHQ. In my opinion it makes sense that the specification is not too restrictive but that meta fields that help in organizing a big rule base are mandatory in the community.
Yes, it's exactly as @phantinuss said... we made it mandatory in the repository to have a certain level of rule hygiene, but private repositories might decide otherwise. Anyways, I would add a recommendation to use it, as it's always a good idea to keep rules organized.
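As an added illustration of the rule-hygiene check discussed above (example code, not part of this thread or of the SigmaHQ test suite): a small validator that treats `id` and `status` as mandatory the way the repository does, while the specification itself only requires `title`, `logsource` and `detection`. It assumes rules have already been loaded into Python dicts (e.g. with `yaml.safe_load`), and the allowed status values are taken from the Sigma specification as I know it.

```python
"""Constructed check mirroring the repository-level rule hygiene discussed in the thread."""
import uuid

# Status values allowed by the Sigma specification (assumption: the set as published).
ALLOWED_STATUS = {"stable", "test", "experimental", "deprecated", "unsupported"}
# Fields the specification itself requires.
SPEC_REQUIRED = ("title", "logsource", "detection")
# Fields optional in the spec but mandatory in the SigmaHQ repository, per the thread.
REPO_REQUIRED = ("id", "status")


def check_rule(rule: dict, new_rule: bool = False) -> list[str]:
    """Return a list of problems; an empty list means the rule passes."""
    problems = []
    for field in SPEC_REQUIRED:
        if field not in rule:
            problems.append(f"missing spec-mandatory field '{field}'")
    for field in REPO_REQUIRED:
        if field not in rule:
            problems.append(f"missing repository-mandatory field '{field}'")
    if "id" in rule:
        try:
            uuid.UUID(str(rule["id"]))  # SigmaHQ expects a UUID here
        except ValueError:
            problems.append(f"id {rule['id']!r} is not a UUID")
    if "status" in rule:
        if rule["status"] not in ALLOWED_STATUS:
            problems.append(f"status {rule['status']!r} not in {sorted(ALLOWED_STATUS)}")
        elif new_rule and rule["status"] != "experimental":
            problems.append("a newly submitted rule must start as 'experimental'")
    return problems


# Constructed sample rules, shaped like what yaml.safe_load returns for a Sigma rule.
GOOD_RULE = {
    "title": "Constructed example rule",
    "id": "3f2b2a6e-7c2d-4f1e-9b0a-8d5c1e2f3a4b",  # constructed UUID
    "status": "experimental",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {"selection": {"CommandLine|contains": "placeholder"}, "condition": "selection"},
}
BAD_RULE = {  # no id, and a new rule submitted directly as 'stable'
    "title": "Constructed rule missing hygiene fields",
    "status": "stable",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {"selection": {"CommandLine|contains": "placeholder"}, "condition": "selection"},
}

if __name__ == "__main__":
    for name, rule in (("good", GOOD_RULE), ("bad", BAD_RULE)):
        print(name, check_rule(rule, new_rule=True) or "ok")
```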
Hi,
Just wanted to update this with some of the changes that were introduced.
- The new repository of SIGMA-Specification is the go-to way about certain fields and in there it's explained in more detail on how the status field behaves. See here
- As for the fields that are required on SigmaHQ but on the specs. A convention document was created and is reflecting on this very nature. See here
- As for the last part about testing the rules. It'll be added later :)
Thanks.