The following document defines the standardized global filter that can be used with Sigma rules.
Release date 2024-08-08
The purpose of Filter rules is to apply the same tuning to many rules, with the goal of suppressing matches of multiple rules at once. This is most commonly useful for environment-specific tuning, where an organization runs a false-positive-prone application and accepts its false positives.
Example: A valid GPO script that triggers multiple Sigma rules.
To keep the file names interoperable use the following:
- Use _ instead of a space
- Use .yml as the file extension
- As a best practice, use the prefix mf_
A Sigma global filter is a dedicated YAML document. Like Sigma rules, "Filter" rules have a title and a unique id to identify them. They have no level or status, because their purpose is to enrich an existing Sigma rule rather than to produce detections of their own.
Attribute: title
Use: mandatory
A brief title for the rule that should contain what the rule is supposed to detect (max. 256 characters)
Attribute: id
Use: optional
Sigma meta-rules should be identified by a globally unique identifier in the id attribute. For this purpose randomly generated UUIDs (version 4) are recommended but not mandatory.
An example of this is:
```yaml
title: login brute force
id: 0e95725d-7320-415d-80f7-004da920fc11
```
Attribute: description
Use: optional
A short description of the rule and the malicious activity that can be detected (max. 65,535 characters)
Attribute: date
Use: optional
Creation date of the meta filter.
Use the ISO 8601 date format with separators: YYYY-MM-DD
Attribute: modified
Use: optional
Last modification date of the meta filter.
Use the ISO 8601 date format with separators: YYYY-MM-DD
Attribute: logsource
Use: mandatory
Read more on the logsource attribute in the Sigma Rules Specification.
Attribute: filter
Use: mandatory
Attribute: rules
Use: mandatory
Refers to one or more Sigma rules (by their id) to which the filter is added.
Attribute: selection
Use: mandatory
Read more on the ‘detection’ section in the Sigma Rules Specification
Attribute: condition
Use: mandatory
Read more on the ‘detection’ field in the Sigma Rules Specification
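The attribute list above can be turned into a mechanical check. The following validator is an added example, not part of the specification and not pySigma's implementation: it takes a filter document that has already been parsed (for instance with PyYAML, which is assumed and not imported here) and reports violations of the mandatory attributes, the length limits, the id and date formats, and the file-naming convention. The example document is the parsed form of the filter shown in the examples section, constructed here by hand.

```python
import re
import uuid
from datetime import date

# Limits and attribute sets taken from the attribute list above.
MAX_TITLE = 256
MAX_DESCRIPTION = 65535
MANDATORY_TOP = ("title", "logsource", "filter")
MANDATORY_FILTER = ("rules", "selection", "condition")
NOT_ALLOWED_TOP = ("level", "status")  # a filter enriches a rule; it carries neither

# Parsed form of the example filter in the examples section (constructed here by hand).
EXAMPLE = {
    "title": "Filter Administrator account",
    "description": "The valid administrator account start with adm_",
    "logsource": {"category": "process_creation", "product": "windows"},
    "filter": {
        "rules": ["6f3e2987-db24-4c78-a860-b4f4095a7095",
                  "df0841c0-9846-4e9f-ad8a-7df91571771b"],
        "selection": {"User|startswith": "adm_"},
        "condition": "selection",
    },
}

def check_filename(name):
    """Return the list of naming-convention problems for a filter file name."""
    problems = []
    if " " in name:
        problems.append("contains a space; use '_' instead")
    if not name.endswith(".yml"):
        problems.append("file extension must be .yml")
    if not name.startswith("mf_"):
        problems.append("best practice: prefix the file name with mf_")
    return problems

def _iso_date(value):
    """True for a date object (PyYAML turns YYYY-MM-DD into one) or a YYYY-MM-DD string."""
    if isinstance(value, date):
        return True
    if not isinstance(value, str) or not re.fullmatch(r"\d{4}-\d{2}-\d{2}", value):
        return False
    try:
        date.fromisoformat(value)
    except ValueError:
        return False
    return True

def validate_filter(doc):
    """Check a parsed filter document against the attribute list; returns (errors, warnings)."""
    errors, warnings = [], []
    for key in MANDATORY_TOP:
        if key not in doc:
            errors.append(f"missing mandatory attribute '{key}'")
    for key in NOT_ALLOWED_TOP:
        if key in doc:
            errors.append(f"'{key}' is not part of a filter rule")
    if isinstance(doc.get("title"), str) and len(doc["title"]) > MAX_TITLE:
        errors.append(f"title longer than {MAX_TITLE} characters")
    if isinstance(doc.get("description"), str) and len(doc["description"]) > MAX_DESCRIPTION:
        errors.append(f"description longer than {MAX_DESCRIPTION} characters")
    if "id" in doc:
        try:
            # Any UUID is accepted; version 4 is only recommended, so report a warning otherwise.
            if uuid.UUID(str(doc["id"])).version != 4:
                warnings.append("id is a UUID but not version 4 (recommended)")
        except ValueError:
            errors.append("id is not a UUID")
    for key in ("date", "modified"):
        if key in doc and not _iso_date(doc[key]):
            errors.append(f"'{key}' must be an ISO 8601 date: YYYY-MM-DD")
    if not isinstance(doc.get("logsource", {}), dict):
        errors.append("'logsource' must be a mapping")
    flt = doc.get("filter")
    if "filter" in doc and not isinstance(flt, dict):
        errors.append("'filter' must be a mapping")
    elif isinstance(flt, dict):
        for key in MANDATORY_FILTER:
            if key not in flt:
                errors.append(f"missing mandatory attribute 'filter.{key}'")
        rules = flt.get("rules")
        if "rules" in flt and (not isinstance(rules, list) or not rules
                               or not all(isinstance(r, str) and r for r in rules)):
            errors.append("'filter.rules' must be a non-empty list of rule ids")
        if "selection" in flt and not isinstance(flt["selection"], dict):
            errors.append("'filter.selection' must be a mapping of field conditions")
        if "condition" in flt and not isinstance(flt["condition"], str):
            errors.append("'filter.condition' must be a string")
    return errors, warnings

if __name__ == "__main__":
    print(validate_filter(EXAMPLE))          # ([], [])
    print(check_filename("Filter Admin.yaml"))
```

Running the validator before a filter is merged into a rule set catches the two mistakes that most often slip through review: a level or status key copied over from a detection rule, and a date written in a locale format that the ISO 8601 requirement rejects.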
This section gives complete examples to make it easier for people new to Sigma to get started and to showcase new features of the Sigma standard. Use them as a blueprint for your own ideas.
```yaml
title: Filter Administrator account
description: The valid administrator account start with adm_
logsource:
    category: process_creation
    product: windows
filter:
    rules:
        - 6f3e2987-db24-4c78-a860-b4f4095a7095 # Data Compressed - rar.exe
        - df0841c0-9846-4e9f-ad8a-7df91571771b # Login on jump host
    selection:
        User|startswith: 'adm_'
    condition: selection
```
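To show what applying the filter above actually does to a rule, here is an added example (not part of the specification, and a simplified stand-in for what a converter such as pySigma does): the filter's selection is copied into each targeted rule's detection under a prefixed name, and the rule's condition becomes "(original) and not (filter)". The rule document for "Data Compressed - rar.exe" is constructed here; only its id is taken from the page, its selection is invented for the demonstration. A minimal matcher then evaluates the original and the filtered rule against constructed events so the suppression is visible. The matcher supports only plain values and the startswith/endswith/contains modifiers, and only conditions built from detection names with and/or/not.

```python
import re
from copy import deepcopy

# Parsed form of the example filter above (constructed here by hand).
FILTER = {
    "title": "Filter Administrator account",
    "logsource": {"category": "process_creation", "product": "windows"},
    "filter": {
        "rules": ["6f3e2987-db24-4c78-a860-b4f4095a7095",
                  "df0841c0-9846-4e9f-ad8a-7df91571771b"],
        "selection": {"User|startswith": "adm_"},
        "condition": "selection",
    },
}

# Constructed rules: the first reuses the id referenced by the filter, the second is a
# placeholder that the filter must leave untouched. Both selections are invented.
RULES = [
    {"title": "Data Compressed - rar.exe", "id": "6f3e2987-db24-4c78-a860-b4f4095a7095",
     "logsource": {"category": "process_creation", "product": "windows"},
     "detection": {"selection": {"Image|endswith": "\\rar.exe"}, "condition": "selection"}},
    {"title": "Unrelated rule", "id": "00000000-0000-4000-8000-000000000000",
     "logsource": {"category": "process_creation", "product": "windows"},
     "detection": {"selection": {"Image|endswith": "\\7z.exe"}, "condition": "selection"}},
]

def logsource_compatible(filter_ls, rule_ls):
    """Every logsource key the filter sets must carry the same value in the rule."""
    return all(rule_ls.get(k) == v for k, v in filter_ls.items())

def apply_filter(flt, rules, prefix="global_filter"):
    """Return copies of the rules with the filter merged into the targeted ones."""
    targets = set(flt["filter"]["rules"])
    # Every key of the filter section other than rules/condition is a named selection.
    selections = {k: v for k, v in flt["filter"].items() if k not in ("rules", "condition")}
    out = []
    for rule in rules:
        rule = deepcopy(rule)
        if rule.get("id") not in targets or not logsource_compatible(flt["logsource"], rule["logsource"]):
            out.append(rule)
            continue
        det, renamed = rule["detection"], {}
        for name, sel in selections.items():
            new_name = f"{prefix}_{name}"
            if new_name in det:
                raise ValueError(f"detection name {new_name} already used in rule {rule.get('id')}")
            det[new_name] = sel
            renamed[name] = new_name
        pattern = r"\b(" + "|".join(re.escape(n) for n in renamed) + r")\b"
        filter_cond = re.sub(pattern, lambda m: renamed[m.group(1)], flt["filter"]["condition"])
        det["condition"] = f"({det['condition']}) and not ({filter_cond})"
        out.append(rule)
    return out

def _match_value(actual, modifier, expected):
    """Sigma string matching is case-insensitive; compare lowercased strings."""
    if actual is None:
        return False
    s, e = str(actual).lower(), str(expected).lower()
    if modifier == "":
        return s == e
    if modifier == "startswith":
        return s.startswith(e)
    if modifier == "endswith":
        return s.endswith(e)
    if modifier == "contains":
        return e in s
    raise ValueError(f"unsupported modifier {modifier!r}")

def matches_selection(event, selection):
    """A selection map is an AND of its fields; a list value is an OR of alternatives."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event.get(field), modifier, v) for v in values):
            return False
    return True

_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
_SAFE = re.compile(r"(?:True|False|and|or|not|\(|\)|\s)+")

def rule_matches(rule, event):
    """Evaluate a rule's condition (names combined with and/or/not) against one event."""
    det = rule["detection"]
    results = {n: matches_selection(event, s) for n, s in det.items() if n != "condition"}
    def sub(m):
        tok = m.group(0)
        if tok in ("and", "or", "not"):
            return tok
        if tok not in results:
            raise ValueError(f"unsupported condition token {tok!r}")
        return str(results[tok])
    expr = _IDENT.sub(sub, det["condition"])
    if not _SAFE.fullmatch(expr):  # only True/False/and/or/not/parens may reach eval
        raise ValueError(f"unsupported condition syntax: {det['condition']!r}")
    return bool(eval(expr, {"__builtins__": {}}, {}))

if __name__ == "__main__":
    filtered = apply_filter(FILTER, RULES)
    print(filtered[0]["detection"]["condition"])  # (selection) and not (global_filter_selection)
    event = {"Image": "C:\\Tools\\rar.exe", "User": "adm_backup"}  # constructed event
    print(rule_matches(RULES[0], event), rule_matches(filtered[0], event))
```

The logsource check is the part worth keeping in mind when writing filters: a filter whose logsource names a category the rule does not use is silently skipped here, which mirrors the intent of making logsource mandatory on the filter. Rule two keeps its original condition because its id is not listed under rules.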