@calebstewart
Last active February 28, 2023 21:15
Sigma JSON Schema
{
"$schema": "https://json-schema.org/draft/2019-09/schema",
"$id": "http://example.com/example.json",
"type": "object",
"title": "Sigma Rule",
"required": [
"title",
"logsource",
"detection",
"id",
"author"
],
"properties": {
"title": {
"description": "A short title for the rule displayed to the analyst",
"title": "Rule Title",
"examples": [
"BlackCat Command Arguments"
]
},
"id": {
"type": "string",
"description": "Globally Unique Rule ID",
"title": "Rule ID",
"examples": [
"f4c9b7c4-70af-4960-88fc-bd5e44a641b2"
],
"format": "uuid"
},
"related": {
"type": "array",
"title": "Related Rule References",
"description": "A list of rule IDs and associated relationship types for correlation.",
"items": {
"type": "object",
"required": [
"id",
"type"
],
"properties": {
"id": {
"type": "string",
"format": "uuid",
"title": "Associated ID",
"description": "The ID of the related rule"
},
"type": {
"type": "string",
"title": "Type of relationship with the external rule",
"enum": [
"derived",
"obsoletes",
"merged",
"renamed",
"similar"
]
}
}
},
"examples": [
[
{ "id": "ce5b8c24-fd5f-45a5-96a6-905ad450d08e", "type": "obsoletes" }
]
]
},
"status": {
"type": "string",
"default": "experimental",
"description": "Development status for the rule",
"title": "Rule Development Status",
"examples": [
"testing"
],
"enum": [
"stable",
"testing",
"experimental",
"deprecated",
"unsupported"
]
},
"description": {
"type": "string",
"description": "A longer description of the rule which provides context and details on the detection.",
"title": "Rule Description",
"examples": [
"Detects the commands used by BlackCat ransomware to specify where to propagate to and execute the ransomware."
]
},
"license": {
"type": "string",
"title": "License Identifier",
"description": "SPDX ID of the rule license",
"examples": [
"MIT"
]
},
"author": {
"type": "string",
"title": "Rule author",
"description": "Author of the rule (usually a name or an e-mail address)",
"examples": [
"Bill Buttlicker",
"[email protected]"
]
},
"references": {
"type": "array",
"default": [],
"title": "Reference URLs",
"description": "A list of URLs providing research or investigation instructions",
"items": {
"type": "string",
"title": "Reference URL",
"examples": [
"https://www.varonis.com/blog/blackcat-ransomware",
"https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/"
],
"format": "uri"
},
"examples": [
[
"https://www.varonis.com/blog/blackcat-ransomware",
"https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/"
]
]
},
"date": {
"type": "string",
"title": "Rule creation date",
"description": "Creation date of the rule in RFC 3339 full-date format",
"examples": [
"YYYY-MM-DD"
],
"format": "date"
},
"modified": {
"type": "string",
"title": "When the rule was last modified",
"description": "Date the rule was last modified, in RFC 3339 full-date format",
"examples": [
"YYYY-MM-DD"
],
"format": "date"
},
"logsource": {
"type": "object",
"title": "Log data source",
"description": "Describe the log sources which provide events for this rule.",
"properties": {
"category": {
"type": "string"
},
"product": {
"type": "string"
},
"service": {
"type": "string"
}
},
"examples": [
{
"category": "process_creation",
"product": "windows"
}
]
},
"detection": {
"type": "object",
"title": "Detection matching definition",
"required": [
"condition"
],
"properties": {
"condition": {
"type": "string",
"title": "Boolean condition expression",
"examples": [
"selection1 and (selection2 or selection3)"
]
},
"timeframe": {
"type": "string",
"title": "Aggregation timeframe",
"description": "A time frame like 24h or 15m"
}
},
"additionalProperties": {
"type": ["array", "object"],
"title": "Selection Conditions",
"description": "Selection conditions provide the field matching logic for the rule. A dictionary represents an 'AND' operator while an array represents an 'OR' operator. See the Sigma specification for more details."
},
"examples": [{
"condition": "selector0",
"selector0": {
"process.command_line.text|all": [
"--no-prop-servers",
"--propagated"
]
}
}]
},
"fields": {
"type": "array",
"title": "Related log fields",
"description": "Log fields which may be interesting during investigation",
"items": {
"type": "string"
}
},
"level": {
"type": "string",
"title": "Criticality Level",
"description": "Describes the criticality of a signal from this rule",
"enum": [
"informational",
"low",
"medium",
"high",
"critical"
]
},
"tags": {
"type": "array",
"title": "Tags",
"items": {
"type": "string"
},
"examples": [
["attack.execution",
"attack.t1569.002",
"attack.lateral_movement",
"attack.t1021.002",
"attack.t1486",
"attack.impact"
]
]
},
"falsepositives": {
"type": "array",
"title": "Potential False Positives",
"items": {
"type": "string"
}
}
},
"examples": [{
"title": "BlackCat Command Arguments",
"id": "f4c9b7c4-70af-4960-88fc-bd5e44a641b2",
"status": "testing",
"description": "Detects the commands used by BlackCat ransomware to specify where to propagate to and execute the ransomware.",
"author": "Matt Anderson",
"references": [
"https://www.varonis.com/blog/blackcat-ransomware",
"https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/"
],
"date": "2023-02-24",
"modified": "YYYY-MM-DD",
"logsource": {
"category": "process_creation",
"product": "windows"
},
"detection": {
"condition": "selector0",
"selector0": {
"process.command_line.text|all": [
"--no-prop-servers",
"--propagated"
]
}
},
"falsepositives": [
"None"
],
"level": "critical",
"tags": [
"attack.execution",
"attack.t1569.002",
"attack.lateral_movement",
"attack.t1021.002",
"attack.t1486",
"attack.impact"
],
"kibana.alert.rule.note": [
"Check the executable used in the command and the parent process. The ransomware executable may be 1 or 2 characters long and PSEXEC should be the process executing the command to remotely execute the ransomware.",
"Check the location where the executable is located on the host for suspicious temporary locations.",
"Check Event Logs for 4624 events (successful authentication) prior to the execution of psexec to obtain the possible host and source IP address.",
"Check for the execution of fsutil, vssadmin, wmic, or reg.exe in close proximity to this command making suspicious changes or queries to the system."
]
}]
}