
Make id attribute required for each rule

Open SimSama opened this issue 3 years ago • 1 comment

Issue: Need convenient way to have a permanent identifier for each rule to track changes to that rule.

Various vendors may standardize the Title name or logic of the rule after converting to their SIEM's format. Doing this makes it difficult to track future updates to the sigma rule, as the vendor has changed some attributes slightly on conversion.

Also SIGMA team regularly renames rule file names (folder structure / title / etc). We should have some consistent value to track the history of this rule programmatically. If you rename a file, and change the title, it is not cleanly apparent if you deleted the original rule or just renamed it and moved it around.

When sigma rules are generated, each should have a unique generated id that is required to persist for the life of the rule.

Thoughts?

SimSama avatar Jun 27 '22 23:06 SimSama

Hello, there is the id. It is recommended but not mandatory. BUT in the SigmaHQ GitHub, to pass the test you must have one unique id (test_missing_id). Links between rules are in the related section:

  • derived: Rule was derived from the referred rule or rules, which may remain active.
  • obsoletes: Rule obsoletes the referred rule or rules, which aren't used anymore.
  • merged: Rule was merged from the referred rules. The rules may still exist and be in use.
  • renamed: The rule previously had the referred identifier or identifiers but was renamed for any other reason, e.g. from a private naming scheme to UUIDs, to resolve collisions, etc. It's not expected that a rule with this id exists anymore.
  • similar: Used to relate similar rules to each other (e.g. same detection content applied to different log sources, a rule that is a modified version of another rule with a different level).

There is no keeping track of removed rules.

frack113 avatar Jun 30 '22 04:06 frack113
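As an added illustration (not code from this thread or from SigmaHQ), the check below runs over a constructed set of rules and enforces what the comment above describes: every rule carries a unique UUID `id`, and each `related` entry uses one of the five listed types, with `renamed` being the only type whose target id is not expected to exist anymore. The titles and UUIDs are made up for the example.

```python
import uuid

# Constructed sample rules, shaped like what a YAML loader returns for Sigma rule
# files; only the fields relevant to the id/related discussion are present.
RULES = [
    {"title": "Service Install", "id": "0f1c1d4e-6b4a-4a3e-9c2d-1a2b3c4d5e6f",
     "related": [{"id": "a2b3c4d5-e6f7-4a8b-9c0d-1e2f3a4b5c6d", "type": "renamed"}]},
    {"title": "Service Install - Linux", "id": "7e8f9a0b-1c2d-4e3f-8a9b-0c1d2e3f4a5b",
     "related": [{"id": "0f1c1d4e-6b4a-4a3e-9c2d-1a2b3c4d5e6f", "type": "similar"}]},
    {"title": "No Id"},                                        # would fail test_missing_id
    {"title": "Reused Id", "id": "0f1c1d4e-6b4a-4a3e-9c2d-1a2b3c4d5e6f"},
    {"title": "Bad Links", "id": "3c4d5e6f-7a8b-4c9d-8e0f-1a2b3c4d5e6f",
     "related": [{"id": "not-a-uuid", "type": "derived"},
                 {"id": "7e8f9a0b-1c2d-4e3f-8a9b-0c1d2e3f4a5b", "type": "forked"}]},
]
RELATED_TYPES = {"derived", "obsoletes", "merged", "renamed", "similar"}

def is_uuid(value):
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False

def check_ids(rules):
    """Titles of rules with no id, ids that are not UUIDs, and ids shared by rules."""
    missing = [r["title"] for r in rules if "id" not in r]
    invalid = [r["id"] for r in rules if "id" in r and not is_uuid(r["id"])]
    seen, dupes = set(), set()
    for r in rules:
        if "id" in r:
            (dupes if r["id"] in seen else seen).add(r["id"])
    return missing, invalid, sorted(dupes)

def check_related(rules):
    """Problems in 'related': unknown type, non-UUID target, or a target absent
    from the corpus (allowed only for 'renamed', whose old id is gone)."""
    known = {r["id"] for r in rules if "id" in r}
    problems = []
    for r in rules:
        for link in r.get("related", []):
            if link.get("type") not in RELATED_TYPES:
                problems.append((r["title"], "bad type", link.get("type")))
            elif not is_uuid(link.get("id")):
                problems.append((r["title"], "bad id", link.get("id")))
            elif link["type"] != "renamed" and link["id"] not in known:
                problems.append((r["title"], "dangling", link["id"]))
    return problems

def previous_ids(rules, rule_id):
    """Identifiers a rule carried earlier, taken from its 'renamed' links."""
    for r in rules:
        if r.get("id") == rule_id:
            return [l["id"] for l in r.get("related", []) if l.get("type") == "renamed"]
    return []
```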