
Sigma history and what is sigma?

Sigma was a joint effort by Florian Roth and Thomas Patzke and was released by Florian Roth in 2017. It helps us easily identify the log events we have. It has its own format, and because this format can be applied to all logs, it is a popular way to define rules.

There was a need to translate a single use case for whichever SIEM or centralized logging platform a SOC has available, anywhere in the world. Fortunately, Sigma rules serve as a solid format that analysts can translate into the platform of their choice. The main aim of the project is to identify new attacker behaviors and to share the detected behaviors between researchers and intelligence teams.

Sigma rules can be converted into search queries specific to each SIEM solution. The supported solutions are listed below:

· Splunk

· ElasticSearch Query Strings and DSL

· Kibana

· Microsoft Defender Advanced Threat Protection (MDATP)

· Azure Sentinel

· QRadar

· LogPoint

· Qualys

· RSA NetWitness

· LimaCharlie

· ArcSight

· PowerShell and Grep


Sigma rules are similar to YARA and Snort rules. Sigma is to log files what Snort is to network traffic and YARA is to files. Sigma supports the following log types:

· Firewall logs

· Web application logs

· Proxy/VPN logs

· Operating system logs

    o Event logs

    o Audit logs

    o Sysmon Events


Note: Sysmon allows us to monitor the processes running on our computer. Suspicious behavior is detected by Sysmon and recorded in Event logs.

Github link to access the Sigma file:

Sigma Rule Structure

When creating Sigma rules, we write the rule under certain headings (fields). These fields are listed below:

· Title: The name of the rule is written.

· ID: The UUID Value determined to make the rule unique.

· Status: Specifies the status of the rule (experimental, normal)

· Description: Explains why the rule was written.

· Author: It contains information about the person who wrote the rule.

· Date: Rule creation date

· Modified: Date the rule was changed, new changes made

· logsource: This is the section that contains information such as where the rule comes from, log sources, and the platform on which it will be found. It can take more than one subparameter.

    o Category: Indicates which category the rule belongs to.

    o Product: Indicates the product the logs were taken from (such as Apache, Windows).

    o Service: Explains which services were used to create the rule.

· Detection: This is the part that enables the detection of the indicators in our rule and the production of logs in the tools.

    o Keywords: The indicators for which the alarm will be generated, that is, the keywords suited to the purpose of the rule, are written in quotation marks in this section.

    o Condition: The conditional expressions used for the rule are written here.

· falsepositives: This is the description field that explains what events or situations could trigger this rule, resulting in a false positive.

· Level: This is the section where the criticality level of the rule is written.

What Is the YAML Format and Visual Studio Code + How to Install It?

YAML is a data serialization language that is generally used for structuring files. Because YAML supports a wide range of data types, it can be used with all programming languages. Thanks to its easy-to-read, flexible and extensible structure, it is intended as an alternative to more complex formats such as XML and JSON.

Visual Studio Code is a source code editor developed by Microsoft for operating systems such as Windows, macOS and Linux. It supports operations such as debugging, code completion and built-in Git control.

Step 1: We enable YAML support in Visual Studio Code.

Step 2: We open the Sigma folder we downloaded from GitHub in the application.

Step 3: We can now access the rules in the Sigma folder we opened.

Writing a sample rule

After understanding the logic of Sigma Rules, we move on to creating sample rules.

Example: sitemap.xml

The first stage of a penetration test is the information gathering phase. At this stage, requesting '/sitemap.xml' at the end of the target URL returns various information about the URLs the website links to, such as when they were updated, how important they are, and whether the URL was also created in other languages. This method is important in the information gathering phase.

In this example, an alert is generated when sitemap.xml is requested in a URL on our system. In this way, we obtain information about a user who is in the process of collecting information.

Sigmac Usage + Sample Application

Sigmac is a tool that tests the Sigma rule structure we have created and adapts it to platforms.

Step 1: On Kali Linux, we download the repository by giving the GitHub path to the wget command, which downloads over the HTTP, HTTPS and FTP protocols.

Step 2: We extract the zip file we downloaded to Kali Linux using the unzip command in the terminal.

Step 3: With Sigmac, a tool that ships with Sigma, we can convert the rules we write to suit the platforms. We can view the sigmac usage with python3, which it requires, as follows.

There are multiple methods of Sigma rule conversion. We will see two different conversion tools here.

We converted the rules we wrote into Splunk format using the Sigmac tool and the Uncoder.IO site.

  • Single Rule Conversion

The SIEM solution to convert to, that is, the target output format, is selected with the -t parameter. After adding its configuration with the -c parameter, we specify the path of the rule.

The Splunk format of the low-level sitemap.xml example rule we created, converted using the sigmac tool:

We also perform the same conversion via Uncoder.IO, a free tool from SOC Prime used for SIEM language conversion.

Uncoder.IO output

  • Ruleset Conversion

The -I parameter is used to prevent backend errors from being displayed during the rule set conversion process. In the rule set conversion, we can see all the rules by selecting the path to the folder where the rules are located.

  • High and Critical Rule Conversion

A filtering process takes place here. When filtered as 'level>=high' using the -f parameter, it shows the rules whose level is high and above.
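The sitemap.xml rule and the three sigmac conversions described above, put together as one added example (it is not the rule or the screenshots from the original post). The rule values, the log lines and the SIGMA_DIR and SIGMA_CONFIG variables are assumptions, and the grep function is a hand-written equivalent of the keyword match, not sigmac output.

```bash
#!/usr/bin/env bash
# Added example: rule values, log lines and variable names are constructed.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
RULE="$WORK/web_sitemap_xml_request.yml"; LOG="$WORK/access.log"

# 1) The sitemap.xml rule, written with the fields from "Sigma Rule Structure".
cat > "$RULE" <<'EOF'
title: Request for sitemap.xml
id: 00000000-0000-4000-8000-000000000000  # placeholder, generate a real UUID
status: experimental
description: Detects requests for /sitemap.xml, a common information gathering step
author: Example Author
date: 2021/01/01
logsource:
    category: webserver
detection:
    keywords:
        - '/sitemap.xml'
    condition: keywords
falsepositives:
    - Search engine crawlers fetching the sitemap
level: low
EOF

# 2) Constructed access log: one plain request, one upper-case, one near miss.
cat > "$LOG" <<'EOF'
198.51.100.7 - - [01/Jan/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2021:10:00:05 +0000] "GET /sitemap.xml HTTP/1.1" 200 2048
198.51.100.7 - - [01/Jan/2021:10:00:09 +0000] "GET /img/sitemap-xml.png HTTP/1.1" 200 900
203.0.113.9 - - [01/Jan/2021:10:00:12 +0000] "GET /SITEMAP.XML HTTP/1.1" 404 0
EOF

# Hand-written grep equivalent of the keyword (not sigmac output): -F keeps the
# dot literal, -i mirrors Sigma's case-insensitive strings; prints client IPs.
sitemap_hits() {
    grep -iF -- '/sitemap.xml' "$1" | awk '{print $1}' | sort -u
}

# 3) The three conversions, run only when SIGMA_DIR (extracted repository) and
#    SIGMA_CONFIG (the -c configuration you chose) are set; both are assumptions.
convert_with_sigmac() {
    sigmac="$SIGMA_DIR/tools/sigmac"
    python3 "$sigmac" -t splunk -c "$SIGMA_CONFIG" "$RULE"                  # single rule
    python3 "$sigmac" -I -t splunk -c "$SIGMA_CONFIG" -r "$SIGMA_DIR/rules" # rule set
    python3 "$sigmac" -I -t splunk -c "$SIGMA_CONFIG" -f 'level>=high' -r "$SIGMA_DIR/rules"
}
if [ -n "${SIGMA_DIR:-}" ] && [ -n "${SIGMA_CONFIG:-}" ]; then convert_with_sigmac; fi
sitemap_hits "$LOG"   # -> 203.0.113.9
```

The near-miss log line shows why the keyword is matched as a fixed string: read as a regular expression, the dot would also match `/sitemap-xml`.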


Sigma github source:










