sigma
Main Sigma Rule Repository
Wondering if there are any constraints with the Sigma rules, for example if it's a process-based rule focusing on parent and child processes and their command lines and other attributes,...
Example Rule:

```yaml
detection:
  selection:
    field|contains: '\*'
  condition: selection
```

Becomes (elastic): `field.keyword:*\*`

Should be (elastic): `field.keyword:*\**`

Appears in the Splunk, QRadar, etc. backends as well.
It would be better if there was support for _distinct_count_ aggregation which is required for certain UseCases. One example is detecting a burst of DNS requests in a small timeframe...
Hi community, With Kibana and Elastic SIEM, you can create rules with Threshold. When I do:

```
./sigmac -t es-rule --filter condition!=near -I -c config/generic/sysmon.yml -c config/winlogbeat-modules-enabled.yml --backend-config backend.yml...
```
Someone should map publicly available EVTX samples to Sigma rules. This would enable us to automatically test the correctness of generated queries. Known security-related EVTX repositories:

* https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
* https://github.com/Cyb3rWard0g/mordor...
Hi all, I am new to creating sigma rules, please help in making the sigma rules for the file attached. [sigma.txt](https://github.com/SigmaHQ/sigma/files/6530218/sigma.txt)
I think the watcher aggregations output is incorrect for the count distinct case. Though I'm not sure if it's in a general case or just in this scenario. I could...
FYI: Codebase and documentation not in compliance with MITRE ATT&CK® legal trademark requirements
Have a look at the legal section on "How should I reference the name ATT&CK?" https://attack.mitre.org/resources/faq/

```
Both MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation. *...
```
Zeek and Suricata generate overlapping datasets, specifically around protocol analysis. I would recommend that we look at creating some generic log sources focused on the overlapping protocol analysis fields. A...
Hi, I have a problem with regex: I need to detect the execution of malware from a directory with random characters. Trying to find a manual that defines how...