
Commit 69ce07a

authored
Merge pull request #110 from SigmaHQ/add-schema
Create sigma-schema.json
2 parents f4338bd + 85bfe5b commit 69ce07a

1 file changed

+233
-0
lines changed


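--- a/sigma-schema.json
+++ b/sigma-schema.json
@@ -0,0 +1,233 @@
+{
+"$schema": "http://json-schema.org/draft-07/schema#",
+"title": "Sigma rule specification V1.0.4 (2023/06/29)",
+"type": "object",
+"required": ["title", "logsource", "detection"],
+"properties": {
+"title": {
+"type": "string",
+"maxLength": 256,
+"description": "A brief title for the rule that should contain what the rules is supposed to detect"
+},
+"id": {
+"type": "string",
+"description": "A globally unique identifier for the Sigma rule. This is recommended to be a UUID v4, but not mandatory.",
+"format": "uuid"
+},
+"related": {
+"type": "array",
+"description": "A list of related Sigma rules to keep track of the relationships between detections. This can be used to indicate that a rule is derived from another rule, or that a rule has been obsoleted by another rule.",
+"items": {
+"type": "object",
+"required": ["id", "type"],
+"properties": {
+"id": {
+"type": "string",
+"description": "A globally unique identifier for the Sigma rule. This is recommended to be a UUID v4, but not mandatory.",
+"format": "uuid"
+},
+"type": {
+"type": "string",
+"oneOf": [
+{
+"const": "derived",
+"description": "The rule was derived from the referred rule or rules, which may remain active"
+},
+{
+"const": "obsoletes",
+"description": "The rule obsoletes the referred rule or rules, which aren't used anymore"
+},
+{
+"const": "merged",
+"description": "The rule was merged from the referred rules. The rules may be still existing and in use"
+},
+{
+"const": "renamed",
+"description": "The rule had previously the referred identifier or identifiers but was renamed for whatever reason, e.g. from a private naming scheme to UUIDs, to resolve collisions etc. It's not expected that a rule with this id exists anymore"
+},
+{
+"const": "similar",
+"description": "Use to relate similar rules to each other (e.g. same detection content applied to different log sources, rule that is a modified version of another rule with a different level)"
+}
+]
+}
+}
+}
+},
+"status": {
+"type": "string",
+"oneOf": [
+{
+"const": "stable",
+"description": "The rule didn't produce any obvious false positives in multiple environments over a long period of time"
+},
+{
+"const": "test",
+"description": "The rule doesn't show any obvious false positives on a limited set of test systems"
+},
+{
+"const": "experimental",
+"description": "A new rule that hasn't been tested outside of lab environments and could lead to many false positives"
+},
+{
+"const": "deprecated",
+"description": "The rule was replaced or is now covered by another one. The link between both rules is made via the `related` field"
+},
+{
+"const": "unsupported",
+"description": "The rule can not be used in its current state (special correlation log, home-made fields, etc.)"
+}
+]
+},
+"description": {
+"type": "string",
+"description": "A short description of the rule and the malicious activity that can be detected",
+"maxLength": 65535
+},
+"license": {
+"type": "string",
+"description": "License of the rule according the SPDX ID specification (https://spdx.dev/ids/)"
+},
+"author": {
+"type": "string",
+"description": "Creator of the rule. (can be a name, nickname, twitter handle, etc.)"
+},
+"references": {
+"type": "array",
+"description": "References to the source that the rule was derived from. These could be blog articles, technical papers, presentations or even tweets",
+"uniqueItems": true,
+"items": {
+"type": "string"
+}
+},
+"date": {
+"type": "string",
+"description": "Creation date of the rule. Use the format YYYY/MM/DD",
+"pattern": "^\\d{4}/(0[1-9]|1[012])/(0[1-9]|[12][0-9]|3[01])$"
+},
+"modified": {
+"type": "string",
+"description": "Last modification date of the rule. Use the format YYYY/MM/DD",
+"pattern": "^\\d{4}/(0[1-9]|1[012])/(0[1-9]|[12][0-9]|3[01])$"
+},
+"logsource": {
+"type": "object",
+"description": "The log source that the rule is supposed to detect malicious activity in.",
+"properties": {
+"category": {
+"description": "Group of products, like firewall or process_creation",
+"type": "string"
+},
+"product": {
+"description": "A certain product, like windows",
+"type": "string"
+},
+"service": {
+"description": "A subset of a product's logs, like sshd",
+"type": "string"
+}
+}
+},
+"detection": {
+"type": "object",
+"required": ["condition"],
+"description": "A set of search-identifiers that represent properties of searches on log data",
+"additionalProperties": {
+"description": "A Search Identifier: A definition that can consist of two different data structures - lists and maps.",
+"anyOf": [
+{
+"type": "array",
+"items": {
+"anyOf": [
+{
+"type": "string"
+},
+{
+"type": "integer"
+},
+{
+"type": "object",
+"items": {
+"type": "string"
+}
+}
+]
+}
+},
+{
+"type": "object",
+"items": {
+"type": "string"
+}
+}
+]
+},
+"properties": {
+"condition": {
+"type": "string",
+"description": "The relationship between the search identifiers to create the detection logic. Ex: selection1 or selection2"
+}
+}
+},
+"fields": {
+"type": "array",
+"description": "A list of log fields that could be interesting in further analysis of the event and should be displayed to the analyst",
+"uniqueItems": true,
+"items": {
+"type": "string"
+}
+},
+"falsepositives": {
+"description": "A list of known false positives that may occur",
+"uniqueItems": true,
+"anyOf": [
+{
+"type": "string",
+"minLength": 2
+},
+{
+"type": "array",
+"items": {
+"type": "string",
+"minLength": 2
+}
+}
+]
+},
+"level": {
+"type": "string",
+"description": "The criticality of a triggered rule",
+"oneOf": [
+{
+"const": "informational",
+"description": "Rule is intended for enrichment of events, e.g. by tagging them. No case or alerting should be triggered by such rules because it is expected that a huge amount of events will match these rules"
+},
+{
+"const": "low",
+"description": "Notable event but rarely an incident. Low rated events can be relevant in high numbers or combination with others. Immediate reaction shouldn't be necessary, but a regular review is recommended"
+},
+{
+"const": "medium",
+"description": "Relevant event that should be reviewed manually on a more frequent basis"
+},
+{
+"const": "high",
+"description": "Relevant event that should trigger an internal alert and requires a prompt review"
+},
+{
+"const": "critical",
+"description": "Highly relevant event that indicates an incident. Critical events should be reviewed immediately. It is used only for cases in which probability borders certainty"
+}
+]
+},
+"tags": {
+"description": "Tags to categorize a Sigma rule.",
+"type": "array",
+"uniqueItems": true,
+"items": {
+"type": "string",
+"pattern": "^[a-z0-9_-]+\\.[a-z0-9._-]+$"
+}
+}
+}
+}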
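Review bot: The map-form search identifiers at hunk lines 149-152 and 158-161 declare `"type": "object"` together with an `"items"` keyword, but `items` only applies to arrays, so the field/value maps that make up most Sigma detections are not constrained at all and any value type validates there; the keyword meant is presumably `"additionalProperties": { "type": "string" }`, and since the specification (not visible here) likely also allows numbers, null and lists as map values, confirm the value schema against the spec text before tightening it. Likewise the `"uniqueItems": true` on `falsepositives` (hunk line 182) sits outside the `anyOf` array branch where draft-07 silently ignores it; move it into the array branch next to its `"items"`. Neither the top-level object nor `logsource` closes unknown keys with `"additionalProperties": false`, and `logsource` has no `required`, so a rule with a misspelled key such as `falsepositive` or an empty `"logsource": {}` passes validation without a warning; if custom keys are meant to be allowed, state that in the `description` so tooling authors know the schema is deliberately open. Note also that `"format": "uuid"` is not a draft-07 format (it arrived in 2019-09) and `format` is annotation-only unless a validator opts in, so the "recommended, but not mandatory" wording on `id` holds only for validators that do not enforce formats.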
