Sigma Meta Rules
Sigma Meta rules are an extension of the Sigma detection format. They allow for the definition of more advanced detection techniques, such as correlations and filters.
Defining Meta Rules
Meta rules are defined in the same way as Sigma rules, but with a few special reserved words used in place of detection.
```yaml
title: Sigma Rule Title
detection:
    selection:
        EventID: 4625
    condition: selection
```

Sigma Correlations are designated by the special correlation keyword. Sigma Correlations allow you to write more sophisticated and targeted detections by combining and analyzing relationships between events.

```yaml
status: test
correlation:
    type: event_count
    rules:
        - failed_logon
    group-by:
        - TargetUserName
        - TargetDomainName
    timespan: 5m
    condition:
        gte: 10
level: medium
```

And Sigma Filters are designated by the special filter keyword. Sigma Filters allow you to filter out common false-positive detections and build sets of exclusions to start to tune Sigma rules for your own organisation.

```yaml
status: test
filter:
    rules:
        - failed_logon
    selection:
        # Filter out Domain Controllers
        ComputerName|startswith: 'DC-'
    condition: not selection
level: low
```

Referencing in Meta Rules
Both Sigma Correlations and Sigma Filters require you to reference an existing regular Sigma Rule. This is done by using the rules keyword underneath the correlation or filter section.
This pattern allows you to reference an existing rule either by using its name or its id.
```yaml
filter:
    rules:
        - failed_logon # Referencing by name
        - df0841c0-9846-4e9f-ad8a-7df91571771b # Referencing by ID
```

Global References
When converting Sigma rules, it's important to remember that Sigma Correlations and Sigma Filters can reference any Sigma rule – not just those within the same file.
However, it is important to supply the rule at conversion time to ensure that the Sigma Correlation or Sigma Filter can be applied correctly.
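To make the two sections above concrete, here is an added example (not code from the Sigma project or its tooling) that evaluates the page's event_count correlation and its filter over constructed Windows 4625 events. It assumes the base rule carries a `name`/`id` so the meta rules can reference it, and it uses parsed-dict forms of the page's YAML documents plus a deliberately minimal selection matcher.

```python
from datetime import datetime, timedelta

# Constructed, parsed-YAML forms of the page's three documents (base rule assumed to carry name/id).
BASE_RULE = {"name": "failed_logon", "id": "df0841c0-9846-4e9f-ad8a-7df91571771b",
             "detection": {"selection": {"EventID": 4625}}}
CORRELATION = {"type": "event_count", "rules": ["failed_logon"], "timespan": "5m",
               "group-by": ["TargetUserName", "TargetDomainName"], "condition": {"gte": 10}}
FILTER = {"rules": ["df0841c0-9846-4e9f-ad8a-7df91571771b"], "condition": "not selection",
          "selection": {"ComputerName|startswith": "DC-"}}
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}  # Sigma timespan suffixes

def refers_to(ref, rule):
    """A `rules:` entry may reference a rule by its name or by its id."""
    return ref in (rule.get("name"), rule.get("id"))

def matches(selection, event):
    """Minimal selection matcher: field equality plus the |startswith modifier."""
    def field_ok(key, want):
        field, _, mod = key.partition("|")
        got = event.get(field)
        return str(got).startswith(want) if mod == "startswith" else got == want
    return all(field_ok(k, v) for k, v in selection.items())

def event_count(base, correlation, filter_rule, events):
    """Apply the filter, then the event_count correlation; return the alerting group keys."""
    assert refers_to(correlation["rules"][0], base), "unresolved rule reference"
    hits = [e for e in events if matches(base["detection"]["selection"], e)]
    if refers_to(filter_rule["rules"][0], base):  # 'condition: not selection' drops matches
        hits = [e for e in hits if not matches(filter_rule["selection"], e)]
    groups = {}
    for e in sorted(hits, key=lambda e: e["ts"]):
        groups.setdefault(tuple(e[f] for f in correlation["group-by"]), []).append(e["ts"])
    span = correlation["timespan"]
    window = timedelta(seconds=int(span[:-1]) * UNITS[span[-1]])
    gte, alerts = correlation["condition"]["gte"], []
    for key, stamps in groups.items():
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over the sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= gte:
                alerts.append(key)
                break
    return alerts

def sample_events():
    """Constructed 4625 events: a burst on a workstation (alerts), the same burst on a DC (filtered), noise."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    bursts = [("alice", "WS-07", 12), ("svc", "DC-01", 12), ("bob", "WS-03", 3)]
    return [{"EventID": 4625, "TargetUserName": user, "TargetDomainName": "CORP", "ComputerName": host,
             "ts": t0 + timedelta(seconds=20 * i)} for user, host, n in bursts for i in range(n)]
```

Calling `event_count(BASE_RULE, CORRELATION, FILTER, sample_events())` yields only the workstation burst, because the filter removes the domain-controller events before they are counted.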
Learning More
To learn more about how to write Sigma Correlations and Sigma Filters, check out the dedicated pages for each below.