
Changelog: add guid's?

Open sandervandegeijn opened this issue 4 months ago • 8 comments

Hi, we are starting to use the Sigma rules, they are great. But we need to manually curate our own local library and keeping track of the changes is a bit difficult. Is it possible to somehow add the GUIDs of the changed/new rules to the changelog? This would make the process of updating the rules much easier.

sandervandegeijn avatar Aug 11 '25 21:08 sandervandegeijn

Welcome @sandervandegeijn :wave:

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or 'rule ideas'.

If you're reporting an issue related to the pySigma library please consider submitting it here

If you're reporting an issue related to the deprecated sigmac library please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! :smiley:

github-actions[bot] avatar Aug 11 '25 21:08 github-actions[bot]

Hey @sandervandegeijn thanks for the suggestion. Adding the UUIDs should be easy enough. We will look into this and report back.

nasbench avatar Sep 22 '25 09:09 nasbench

Fantastic, thank you!!

sandervandegeijn avatar Sep 22 '25 17:09 sandervandegeijn

@phantinuss looping you here for discussion.

Since we currently do the merge manually we are copying titles. What do you think about the idea of us putting UUIDs instead and then resolving them at release time. That way we can get both and a more accurate / machine readable release note?

nasbench avatar Nov 28 '25 12:11 nasbench

I was thinking several times about what would be best to do, so I am very happy to get feedback from a user about it.

I'll work on a version that includes the UUID and see what I can do to keep the changelog readable while providing that information. Do you have an automated workflow for parsing the changelog, or is it done manually @sandervandegeijn? If automated, it would help to get some more information on what an ideal interface for you might look like, or what requirements you see that would help you.

Because I also was thinking about not adding the UUIDs to the changelog text on Github but maybe providing a JSON changelog file as part of the release package(s).

phantinuss avatar Dec 01 '25 16:12 phantinuss

Hm that's a valid point, human readability is important. A separate JSON would work fine! I'll try to explain our workflow.

Okay, we have a custom detection engine that's using the python sigma framework as the basis for translations. In this engine we have a bunch (and increasing number) of sigma rules. But there might be bug fixes on these rules. Rules might get deleted over time because they have lost their usefulness. And of course there are new rules.

With each new sigma release I'd like to be able to script this out to see

  • What we should delete
  • What we should update (manual process)
  • What's new and should be added

Scripting this would be quite doable if we had a structured file with enough metadata as a changelog that we could hold against our current baseline. This would save a lot of manual labor, although we still need to vet and test the changes in the rule set (because we might need filtering so as not to overwhelm the SOC; this is context dependent).

sandervandegeijn avatar Dec 01 '25 20:12 sandervandegeijn

Would something like this work? Any info that you would like to see that's missing?

{
  "7f6a4760-ab59-4f4c-bb72-6b8864901ea0": {
    "title": "Suspicious Something Executed",
    "change_type": "new",
    "change_reason": "",
    "authors": ["jdoe"],
    "merge_date": "2025-12-01"
  },
  "18ddc704-28ad-49d9-8dd9-8e61eb25d2bc": {
    "title": "DNS Exfiltration",
    "change_type": "update",
    "change_reason": "improved selection",
    "authors": ["nasbench", "frack"],
    "merge_date": "2025-12-02"
  }
}

phantinuss avatar Dec 02 '25 09:12 phantinuss

Very much so! Lovely 👍

sandervandegeijn avatar Dec 02 '25 12:12 sandervandegeijn
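The triage script the thread describes, written out as an added example (not code from the Sigma project, pySigma, or either participant): it parses a changelog in the per-UUID JSON layout proposed above and holds it against a local baseline of deployed rule IDs to produce the three lists the original poster asked for (delete, update, add). Two things are assumptions beyond what the thread shows: a "deleted" change_type alongside "new" and "update", and a baseline format with a per-rule "locally_modified" flag so that upstream updates to locally tuned rules are routed to manual review rather than applied blindly. All sample data is constructed.

```python
"""
Triage a structured Sigma release changelog against a locally curated
rule baseline.

Added example; not code from the Sigma rules repository or pySigma.
Assumed inputs:
  - changelog: JSON object keyed by rule UUID with the fields proposed in
    the thread ("title", "change_type", "change_reason", "authors",
    "merge_date"). "deleted" as a change_type is an assumption; the thread
    only shows "new" and "update".
  - baseline: {uuid: {"locally_modified": bool}} describing the rules
    currently deployed in the local detection engine (assumed format).
"""
import json
import uuid
from dataclasses import dataclass, field

# Assumed value set; extend if upstream publishes other change types.
KNOWN_CHANGE_TYPES = {"new", "update", "deleted"}


@dataclass
class Triage:
    add: list = field(default_factory=list)      # new upstream, not deployed
    update: list = field(default_factory=list)   # deployed, unmodified locally
    delete: list = field(default_factory=list)   # deployed, removed upstream
    review: list = field(default_factory=list)   # (uuid, reason) needing a human
    skipped: list = field(default_factory=list)  # (uuid, reason) not relevant


def _valid_uuid(value: str) -> bool:
    """Accept only the canonical hyphenated lowercase form Sigma rules use."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def triage_changelog(changelog_json: str, baseline: dict) -> Triage:
    changes = json.loads(changelog_json)
    result = Triage()
    for rule_id, meta in changes.items():
        if not _valid_uuid(rule_id):
            result.skipped.append((rule_id, "malformed uuid"))
            continue
        change_type = meta.get("change_type")
        if change_type not in KNOWN_CHANGE_TYPES:
            result.skipped.append((rule_id, f"unknown change_type {change_type!r}"))
            continue
        deployed = rule_id in baseline
        if change_type == "new":
            if deployed:
                # Picked up earlier (e.g. straight from a PR); nothing to add.
                result.review.append((rule_id, "marked new but already deployed"))
            else:
                result.add.append(rule_id)
        elif change_type == "update":
            if not deployed:
                result.skipped.append((rule_id, "update for a rule we do not use"))
            elif baseline[rule_id].get("locally_modified"):
                # Local filtering/tuning has to be re-applied by hand.
                reason = meta.get("change_reason", "")
                result.review.append((rule_id, f"upstream update vs local edits: {reason}"))
            else:
                result.update.append(rule_id)
        else:  # "deleted"
            if deployed:
                result.delete.append(rule_id)
            else:
                result.skipped.append((rule_id, "deletion of a rule we do not use"))
    return result


# Constructed sample changelog in the proposed layout (not a real release).
SAMPLE_CHANGELOG = json.dumps({
    "7f6a4760-ab59-4f4c-bb72-6b8864901ea0": {"title": "Suspicious Something Executed",
        "change_type": "new", "change_reason": "", "authors": ["jdoe"], "merge_date": "2025-12-01"},
    "18ddc704-28ad-49d9-8dd9-8e61eb25d2bc": {"title": "DNS Exfiltration",
        "change_type": "update", "change_reason": "improved selection",
        "authors": ["nasbench", "frack"], "merge_date": "2025-12-02"},
    "2f0c4c53-4a1e-4b17-9d4c-6e0f7c2b9a11": {"title": "Locally Tuned Rule",
        "change_type": "update", "change_reason": "fixed filter", "authors": ["x"], "merge_date": "2025-12-02"},
    "5c3a9f6e-8d2b-4c71-a0e4-3b6f1d9e7c20": {"title": "Obsolete Rule",
        "change_type": "deleted", "change_reason": "no longer useful", "authors": ["y"], "merge_date": "2025-12-03"},
    "9b8e7d6c-5f4a-4321-8765-0a1b2c3d4e5f": {"title": "Already Deployed Rule",
        "change_type": "new", "change_reason": "", "authors": ["z"], "merge_date": "2025-12-03"},
    "not-a-uuid": {"title": "Broken Entry", "change_type": "new", "change_reason": "",
        "authors": [], "merge_date": "2025-12-03"},
})

# Constructed local baseline (assumed format).
LOCAL_BASELINE = {
    "18ddc704-28ad-49d9-8dd9-8e61eb25d2bc": {"locally_modified": False},
    "2f0c4c53-4a1e-4b17-9d4c-6e0f7c2b9a11": {"locally_modified": True},
    "5c3a9f6e-8d2b-4c71-a0e4-3b6f1d9e7c20": {"locally_modified": False},
    "9b8e7d6c-5f4a-4321-8765-0a1b2c3d4e5f": {"locally_modified": False},
}


def run_example() -> Triage:
    return triage_changelog(SAMPLE_CHANGELOG, LOCAL_BASELINE)


if __name__ == "__main__":
    t = run_example()
    for bucket in ("add", "update", "delete", "review", "skipped"):
        print(f"{bucket}: {getattr(t, bucket)}")
```

The "review" bucket is the part worth keeping even if the rest is adapted: because the original poster vets and filters rules before they reach the SOC, an upstream "update" to a rule that has been edited locally is exactly the case where a naive overwrite would silently drop that tuning, so it is surfaced for a manual merge instead of being applied.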