{
"$schema": "https://json-schema.org/draft/2020-12/schema#",
"title": "Sigma Global Filter specification V2.0.0 (2024-08-08)",
"type": "object",
"required": [
"title",
"logsource",
"filter"
],
"properties": {
"title": {
"type": "string",
"maxLength": 256,
"description": "A brief title for the rule that should describe what the rule is supposed to detect"
},
"id": {
"type": "string",
"description": "A globally unique identifier for the Sigma rule. This is recommended to be a UUID v4, but not mandatory.",
"format": "uuid"
},
"description": {
"type": "string",
"description": "A short description of the rule and the malicious activity that can be detected",
"maxLength": 65535
},
"date": {
"type": "string",
"description": "Creation date of the meta filter. Use the format YYYY-MM-DD",
"pattern": "^\\d{4}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])$"
},
"modified": {
"type": "string",
"description": "Last modification date of the meta filter. Use the format YYYY-MM-DD",
"pattern": "^\\d{4}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])$"
},
"logsource": {
"type": "object",
"description": "The log source that the rule is supposed to detect malicious activity in.",
"properties": {
"category": {
"description": "Group of products, like firewall or process_creation",
"type": "string"
},
"product": {
"description": "A certain product, like windows",
"type": "string"
},
"service": {
"description": "A subset of a product's logs, like sshd",
"type": "string"
}
}
},
"filter": {
"type": "object",
"required": [
"rules",
"selection",
"condition"
],
"description": "A set of search-identifiers that represent properties of searches on log data",
"properties": {
"rules": {
"type": "array",
"description": "List of the rules to which this filter is applied",
"minItems": 1,
"uniqueItems": true,
"items": {
"type": "string"
}
},
"selection": {
"description": "A Search Identifier: A definition that can consist of two different data structures - lists and maps.",
"anyOf": [
{
"type": "array",
"items": {
"anyOf": [
{
"type": "string"
},
{
"type": "integer"
},
{
"type": "object"
}
]
}
},
{
"type": "object",
"description": "An object that contains key-value pairs representing filter conditions"
}
]
},
"condition": {
"type": "string",
"description": "The relationship between the search identifiers that creates the detection logic: `selection` or `not selection`"
}
}
}
}
}