Skip to content

Latest commit

 

History

History
132 lines (112 loc) · 10.5 KB

sigmahq-filename-convention.md

File metadata and controls

132 lines (112 loc) · 10.5 KB
Raw

SigmaHQ Filename Conventions

This document describe a soft convention to name rule files. The following convention has been set to help with the management of the rules files repository and is not part of the SIGMA specification.

Summary

Product

product Pattern example
modsec modsec_* modsec_mulitple_blocks.yml

Cloud

product Pattern example
aws aws_* aws_cloudtrail_disable_logging.yml
azure azure_* azure_ad_bitlocker_key_retrieval.yml
gcp gcp_* gcp_service_account_disabled_or_deleted.yml
gworkspace gworkspace_* gworkspace_role_privilege_deleted.yml
m365 microsoft365_* microsoft365_from_susp_ip_addresses.yml
okta okta_* okta_application_sign_on_policy_modified_or_deleted.yml
onelogin onelogin_* onelogin_user_account_locked.yml

Category

Category Pattern example
clipboard_capture
create_remote_thread create_remote_thread_win_* create_remote_thread_win_bumblebee.yml
create_stream_hash create_stream_hash_* create_stream_hash_ads_executable.yml
dns_query dns_query_os_* dns_query_win_mal_cobaltstrike.yml
driver_load driver_load_os_* driver_load_vuln_drivers_names.yml
file_access file_access_os_* file_access_win_browser_credential_stealing.yml
file_change file_change_os_* file_change_win_2022_timestomping.yml
file_delete file_delete_os_* file_delete_win_delete_backup_file.yml
file_event file_event_os_* file_event_macos_startup_items.yml
file_rename file_rename_os_* file_rename_win_not_dll_to_dll.yml
image_load image_load_* image_load_susp_advapi32_dll.yml
network_connection net_connection_os_* net_connection_lnx_crypto_mining_indicators.yml
pipe_created pipe_created_* pipe_created_tool_psexec.yml
ps_classic_start posh_pc_* posh_pc_downgrade_attack.yml
ps_module posh_pm_* posh_pm_get_clipboard.yml
ps_script posh_ps_* posh_ps_as_rep_roasting.yml
process_access proc_access_os_* proc_access_win_lsass_memdump.yml
process_creation proc_creation_os_* proc_creation_win_apt_apt29_thinktanks.yml
process_tampering
process_termination
raw_access_thread
registry_event registry_event_* registry_event_apt_pandemic.yml
registry_add registry_add_* registry_add_mal_ursnif.yml
registry_delete registry_delete_* registry_delete_mstsc_history_cleared.yml
registry_set registry_set_* registry_set_add_port_monitor.yml
registry_rename registry_rename_*
sysmon_error
sysmon_status
wmi_event

Category without product

Category Pattern example
dns net_dns_* net_dns_mal_cobaltstrike.yml
firewall net_firewall_* net_firewall_high_dns_requests_rate.yml
webserver web_* web_cve_2020_5902_f5_bigip.yml

Service

Linux

The naming convetion for rules using linux services is the as follows:

  • Filename must start with lnx_
  • Followed by the service name and underscore at the end service_. Example: auditd_
  • If the service name contains a dash -. For example bits-client. Then replace it with an underscore bits_client_
  • Filename must end with a .yml extension
Service Pattern example
auditd lnx_auditd_* lnx_auditd_alter_bash_profile.yml
auth lnx_auth_* lnx_auth_susp_failed_logons_single_source.yml
clamav lnx_clamav_* lnx_clamav_message.yml
cron lnx_cron_* lnx_cron_crontab_file_modification.yml
guacamole lnx_guacamole_* lnx_guacamole_session_anomaly.yml
sshd lnx_sshd_* lnx_sshd_susp_ssh.yml
sudo lnx_sudo_* lnx_sudo_cve_2019_14287_user.yml
syslog lnx_syslog_* lnx_syslog_susp_named.yml
vsftpd lnx_vsftpd_* lnx_vsftp_error_messages.yml

Windows

The naming convention for rules using windows services is the as follows:

  • Filename must start with win_
  • Followed by the service name and underscore at the end service_. Example: applocker_
  • If the service name contains a dash -. For example bits-client. Then replace it with an underscore bits_client_
  • Filename must end with a .yml extension
Service Pattern example
application ---- ---
applocker win_applocker_* win_applocker_file_was_not_allowed_to_run.yml
bits-client win_bits_client_* win_bits_client_susp_local_file.yml
codeintegrity-operational win_codeintegrity_* win_codeintegrity_attempted_dll_load.yml
diagnosis-scripted win_diagnosis_scripted_* win_diagnosis_scripted_load_remote_diagcab.yml
dns-server win_dns_server_* win_dns_server_susp_dns_config.yml
dns-server-analytic win_dns_analytic_* win_dns_analytic_apt_gallium.yml
driver-framework ---- ---
firewall-as win_firewall_as_* win_firewall_as_change_rule.yml
ldap_debug ---- ---
msexchange-management win_exchange_* win_exchange_proxylogon_oabvirtualdir.yml
ntlm ---- ---
openssh win_sshd_openssh_* win_sshd_openssh_server_listening_on_socket.yml
printservice-operational ---- ---
security win_security_* win_security_dcsync.yml
security-mitigations win_security_mitigations_* win_security_mitigations_defender_load_unsigned_dll.yml
microsoft-servicebus-client ---- ---
shell-core win_shell_core_* win_shell_core_susp_packages_installed.yml
smbclient-security ---- ---
system win_system_* win_system_ntfs_vuln_exploit.yml
taskscheduler win_taskscheduler_* win_taskscheduler_susp_task_locations.yml
terminalservices-localsessionmanager win_terminalservices_* win_terminalservices_rdp_ngrok.yml
windefend win_defender_* win_defender_amsi_trigger.yml
wmi win_wmi_* win_wmi_persistence.yml