Sigma Meta Rules
Sigma Meta rules are an extension of the Sigma detection format. They allow for the definition of more advanced detection techniques, such as correlations and filters.
Defining Meta Rules
Meta rules are defined in the same way as Sigma rules, but with a few special reserved words used in place of `detection`. The regular rule below is the one the meta rule examples on this page refer to; note its `name` field, which is what the meta rules reference.
```yaml
title: Sigma Rule Title
name: failed_logon # Referenced by the meta rules below
detection:
  selection:
    EventID: 4625
  condition: selection
```
Sigma Correlations are designated by the special `correlation` keyword. Sigma Correlations allow you to write more sophisticated and targeted detections by combining and analysing relationships between events, for example counting matches of a rule per user within a time window:
```yaml
status: test
correlation:
  type: event_count
  rules:
    - failed_logon
  group-by:
    - TargetUserName
    - TargetDomainName
  timespan: 5m
  condition:
    gte: 10
level: medium
```
Sigma Filters are designated by the special `filter` keyword. Sigma Filters allow you to filter out common false-positive detections and build sets of exclusions to start tuning Sigma rules for your own organisation:
```yaml
status: test
filter:
  rules:
    - failed_logon
  selection:
    # Filter out Domain Controllers
    ComputerName|startswith: 'DC-'
  condition: not selection
level: low
```
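The two meta rules above, evaluated in code as an added example (this is not code from the Sigma project or from pySigma): the `event_count` correlation is run over a set of constructed Windows Security events, first on its own and then combined with the domain-controller filter. The field names follow the YAML above; the event dicts, their timestamps, the `CORRELATION` table and the `sample_events`/`run_correlation` helpers are assumptions made for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import operator

# Comparison operators accepted by the `condition` block of a Sigma correlation.
CONDITION_OPERATORS = {
    "gte": operator.ge, "gt": operator.gt,
    "lte": operator.le, "lt": operator.lt, "eq": operator.eq,
}

# The correlation parameters from the YAML above (assumed already parsed).
CORRELATION = {
    "group_by": ["TargetUserName", "TargetDomainName"],
    "timespan": timedelta(minutes=5),
    "condition": {"gte": 10},
}


def failed_logon(event):
    """Base rule `failed_logon`: selection EventID: 4625, condition: selection."""
    return event.get("EventID") == 4625


def exclude_domain_controllers(event):
    """Filter meta rule: selection `ComputerName|startswith: 'DC-'`,
    condition `not selection`, so an event passes only when it is NOT from a DC."""
    return not str(event.get("ComputerName", "")).startswith("DC-")


def event_count(events, rule, group_by, timespan, condition, filters=()):
    """`type: event_count`: count events matching `rule` (and every filter) per
    `group_by` tuple, find the busiest window of length `timespan`, and emit one
    alert per group whose peak count satisfies `condition`."""
    (op_name, threshold), = condition.items()
    compare = CONDITION_OPERATORS[op_name]
    buckets = defaultdict(list)
    for event in sorted(events, key=lambda e: e["timestamp"]):
        if not rule(event) or not all(f(event) for f in filters):
            continue
        key = tuple(event.get(field) for field in group_by)
        buckets[key].append(event["timestamp"])
    alerts = []
    for key, times in buckets.items():
        peak, start = 0, 0
        for end, current in enumerate(times):
            # Slide the window start forward until it spans at most `timespan`.
            while current - times[start] > timespan:
                start += 1
            peak = max(peak, end - start + 1)
        if compare(peak, threshold):
            alert = dict(zip(group_by, key))
            alert["count"] = peak
            alerts.append(alert)
    return alerts


def sample_events():
    """Constructed Windows Security events for the illustration (not real logs)."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    events = []
    # alice: 11 failures within 200 seconds on a workstation -> should alert.
    for i in range(11):
        events.append({"EventID": 4625, "TargetUserName": "alice", "TargetDomainName": "CORP",
                       "ComputerName": "WS-01", "timestamp": base + timedelta(seconds=20 * i)})
    # svc_backup: 12 failures on a domain controller -> alerts unless the filter drops them.
    for i in range(12):
        events.append({"EventID": 4625, "TargetUserName": "svc_backup", "TargetDomainName": "CORP",
                       "ComputerName": "DC-01", "timestamp": base + timedelta(seconds=15 * i)})
    # bob: 12 failures, one every 5 minutes; no 5-minute window ever holds 10 -> no alert.
    for i in range(12):
        events.append({"EventID": 4625, "TargetUserName": "bob", "TargetDomainName": "CORP",
                       "ComputerName": "WS-02", "timestamp": base + timedelta(minutes=5 * i)})
    # A successful logon (4624) for alice that the base rule must not count.
    events.append({"EventID": 4624, "TargetUserName": "alice", "TargetDomainName": "CORP",
                   "ComputerName": "WS-01", "timestamp": base + timedelta(minutes=4)})
    return events


def run_correlation(events, apply_filter):
    """Apply the correlation, optionally combined with the DC exclusion filter."""
    filters = (exclude_domain_controllers,) if apply_filter else ()
    return event_count(events, failed_logon, CORRELATION["group_by"],
                       CORRELATION["timespan"], CORRELATION["condition"], filters)


if __name__ == "__main__":
    for apply_filter in (False, True):
        print("filter applied" if apply_filter else "no filter",
              run_correlation(sample_events(), apply_filter))
```

Without the filter both `alice` and `svc_backup` cross the threshold; with it, the domain-controller events never reach the counter and only `alice` remains, while `bob` never alerts because his failures are too spread out. One caveat when comparing this with a real backend: the example uses a sliding window, whereas many converted queries bucket time into fixed `5m` bins (for example Splunk's `bin _time span=5m | stats count ...`), so a burst that straddles a bin boundary can be split in two and fall under the threshold there.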
Referencing in Meta Rules
Both Sigma Correlations and Sigma Filters require you to reference an existing regular Sigma Rule. This is done with the `rules` keyword underneath the `correlation` or `filter` section.
A rule can be referenced either by its `name` or by its `id`. Because the reference is a plain string lookup, a rule's `name` should be unique within the set of rules you hand to the converter, otherwise the reference is ambiguous.
```yaml
filter:
  rules:
    - failed_logon # Referencing by name
    - df0841c0-9846-4e9f-ad8a-7df91571771b # Referencing by ID
```
Global References
When converting Sigma rules, it is important to remember that Sigma Correlations and Sigma Filters can reference any Sigma rule, not just those within the same file.
However, the referenced rule must still be supplied at conversion time; if it is not, the reference cannot be resolved and the Correlation or Filter cannot be applied.
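How a converter resolves those `rules:` references, as an added example (not pySigma's or the Sigma project's code): the base rule and both meta rules from this page are shown in their loaded-YAML form as Python dicts, every `name` and `id` is indexed, and each reference is looked up, with a rule referenced by both its name and its id resolved once, and a reference to a rule that was not supplied raised as an error. The `id` is the one from the page; the `UnresolvedRuleReference` class and the helper names are assumptions made for this illustration.

```python
# The regular rule from the page, as it looks after YAML loading.
FAILED_LOGON = {
    "title": "Sigma Rule Title",
    "name": "failed_logon",
    "id": "df0841c0-9846-4e9f-ad8a-7df91571771b",
    "detection": {"selection": {"EventID": 4625}, "condition": "selection"},
}

# The correlation and filter meta rules from the page; the filter references
# the base rule by name and by id, as in the referencing example.
META_RULES = [
    {"status": "test", "level": "medium",
     "correlation": {"type": "event_count", "rules": ["failed_logon"],
                     "group-by": ["TargetUserName", "TargetDomainName"],
                     "timespan": "5m", "condition": {"gte": 10}}},
    {"status": "test", "level": "low",
     "filter": {"rules": ["failed_logon", "df0841c0-9846-4e9f-ad8a-7df91571771b"],
                "selection": {"ComputerName|startswith": "DC-"},
                "condition": "not selection"}},
]


class UnresolvedRuleReference(LookupError):
    """A meta rule references a rule that was not supplied at conversion time."""


def meta_section(rule):
    """Return ('correlation' | 'filter', body) for a meta rule, None for a regular rule."""
    for keyword in ("correlation", "filter"):
        if keyword in rule:
            return keyword, rule[keyword]
    return None


def index_rules(rules):
    """Map every `name` and `id` of the supplied rules to the rule itself.
    A name or id that appears twice is rejected: a reference to it would be ambiguous."""
    index = {}
    for rule in rules:
        for key in ("name", "id"):
            value = rule.get(key)
            if value is None:
                continue
            if value in index:
                raise ValueError(f"duplicate {key} {value!r} in the supplied rules")
            index[value] = rule
    return index


def resolve_references(meta_rule, index):
    """Resolve the `rules:` list of one meta rule to rule dicts.

    The same rule referenced by both name and id is returned once, and an
    unknown reference fails loudly instead of silently dropping the meta rule."""
    section = meta_section(meta_rule)
    if section is None:
        raise ValueError("not a meta rule: no `correlation` or `filter` section")
    keyword, body = section
    resolved = []
    for ref in body.get("rules", []):
        target = index.get(ref)
        if target is None:
            raise UnresolvedRuleReference(
                f"{keyword} rule references {ref!r}, which was not supplied at conversion time")
        if not any(target is seen for seen in resolved):
            resolved.append(target)
    return keyword, resolved


def resolve_all(meta_rules, supplied_rules):
    """Resolve every meta rule against the rule set handed to the converter."""
    index = index_rules(supplied_rules)
    return [resolve_references(meta, index) for meta in meta_rules]


if __name__ == "__main__":
    for keyword, rules in resolve_all(META_RULES, [FAILED_LOGON]):
        print(keyword, "->", [r.get("name") or r.get("id") for r in rules])
```

Indexing every supplied rule, rather than only the ones in the meta rule's own file, is what makes the cross-file references described above work; the flip side is that the lookup has nothing to find when the base rule is left out of the conversion, which is why the example raises rather than returning a partially resolved meta rule.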
Learning More
To learn more about how to write Sigma Correlations and Sigma Filters, see the dedicated page for each.