The following is a non-exhaustive list of changes between the v1 and v2 specification.
As of August 1st 2024 the sigmac toolchain has reached its end of life, and its corresponding repository has been archived. sigmac does not support the features introduced in version 2 of the specification.
The pySigma library and its corresponding command line interface sigma-cli provide full support for version 2 of the specification.
The latest version of the specification drops support for the date format using a slash / separator (YYYY/MM/DD); it now only recommends the ISO 8601 format with a - separator (YYYY-MM-DD). This applies to the date and modified fields of a rule.
The latest version of the specification replaces underscores and dots with dashes in the values of the following tag namespaces:
The related field type obsoletes has been changed to obsolete for consistency purposes.
The latest version of the specification drops the support for the Rx-Schema in favour of a JSON schema.
The latest version of the specification, and by extension the pySigma library, introduces a new set of modifiers. You can check the full list of all currently supported modifiers in the Sigma Modifiers Appendix.
The latest version of the specification drops the usage of the old aggregation expression, in favour of a new format titled meta/correlation rules. Check out the Sigma Correlation Rules Specification for full details.
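The changes above (date separator, tag namespace separators, the obsoletes to obsolete rename, and the removed aggregation expression) are mechanical enough that a rule repository can be migrated and linted in a few lines. The following is an added example, not code from the specification or from pySigma, that takes a v1 rule already parsed from YAML as a dict and returns a v2 copy plus a list of findings that still need manual work. The namespace set DASHED_NAMESPACES and the sample rule are assumptions constructed for the demo; replace the namespace set with the list given in the specification.

```python
"""Migrate a parsed Sigma v1 rule (dict loaded from YAML) to the v2 conventions."""
import re
from datetime import date

# Tag namespaces whose values switch from '_' / '.' separators to '-' in v2.
# ASSUMPTION for this demo: fill in the namespaces listed in the specification.
DASHED_NAMESPACES = {"demo"}

V1_DATE = re.compile(r"^(\d{4})/(\d{2})/(\d{2})$")


def convert_date(value):
    """Return a YYYY-MM-DD string for a v1 YYYY/MM/DD or v2 YYYY-MM-DD input.

    YAML loaders may already hand us a datetime.date; str() of that is ISO 8601.
    Anything that is not a real calendar date raises ValueError.
    """
    text = str(value)
    match = V1_DATE.match(text)
    if match:
        text = "-".join(match.groups())
    # date.fromisoformat rejects both bad separators and impossible dates (month 13, ...)
    return date.fromisoformat(text).isoformat()


def convert_tag(tag, namespaces=DASHED_NAMESPACES):
    """Rewrite '_' and '.' to '-' in the value part of tags in the affected namespaces."""
    namespace, sep, rest = tag.partition(".")
    if sep and namespace in namespaces:
        return namespace + "." + re.sub(r"[_.]", "-", rest)
    return tag


def convert_related(related):
    """Rename the v1 related type 'obsoletes' to the v2 'obsolete'."""
    converted = []
    for entry in related:
        entry = dict(entry)
        if entry.get("type") == "obsoletes":
            entry["type"] = "obsolete"
        converted.append(entry)
    return converted


def migrate_rule(rule):
    """Return (v2 rule dict, findings). Findings list what cannot be converted automatically."""
    rule = dict(rule)
    findings = []
    for key in ("date", "modified"):
        if key in rule:
            rule[key] = convert_date(rule[key])
    if "tags" in rule:
        rule["tags"] = [convert_tag(tag) for tag in rule["tags"]]
    if "related" in rule:
        rule["related"] = convert_related(rule["related"])
    # v1 aggregation expressions followed a pipe in the condition, e.g. "selection | count() by x > 5".
    # v2 dropped them in favour of correlation rules, so flag rather than guess a rewrite.
    condition = rule.get("detection", {}).get("condition", "")
    if isinstance(condition, str) and "|" in condition:
        findings.append("v1 aggregation expression in condition; rewrite it as a correlation rule")
    return rule, findings


# Constructed sample v1 rule, not taken from any real rule set.
SAMPLE_V1_RULE = {
    "title": "Constructed sample rule",
    "date": "2023/05/01",
    "modified": "2024/08/01",
    "tags": ["demo.some_value", "demo.2021.1234", "other.keep_as_is"],
    "related": [{"id": "00000000-0000-0000-0000-000000000000", "type": "obsoletes"}],
    "detection": {
        "selection": {"EventID": 4625},
        "condition": "selection | count() by TargetUserName > 5",
    },
}

if __name__ == "__main__":
    migrated, notes = migrate_rule(SAMPLE_V1_RULE)
    print(migrated)
    for note in notes:
        print("TODO:", note)
```

Run it over a whole repository by loading each file with a YAML parser, passing the dict to migrate_rule, and writing the result back; anything listed in findings (in practice the old aggregation expressions) has to be rewritten by hand as a correlation rule, since there is no one-to-one mapping.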
Version 2 also introduces filters. Check out the Sigma Filters Specification for a detailed description of the format.