Democratizing IT security with Sigma!

Security Information and Event Management (SIEM) software has been in use in various guises for over a decade and has evolved significantly during recent times with rise of distributed and micro-services hosted in cloud. SIEM software works by collecting log and event data that is generated by devices, host systems and applications throughout an organization’s infrastructure and detecting patterns in the logs that are identified as threats. Pattern signatures and pattern recognition methods have been proprietary to SIEM vendors.

Sigma, created by Florian Roth and Thomas Patzke, is an open source project to create a generic pattern signature format for SIEM systems. The purpose of this project is to

  1. Provide a structured format to describe threat detection pattern signatures and make them shareable with others in a generic format known as Sigma rules. 
  2. Provide tools and mechanisms to convert Sigma rules to patterns (event rules or queries etc)  for specified SIEM systems.
  3. Build an enriched collection of Sigma rules.

At the time of this writing, the repository contains more than 650 sigma signatures rules for various services, applications and operating systems. The rules are stored in a yaml document format. 

Sigma Rule Format:

Sigma rules format is defined to be able to express most threat detection signature patterns and is extensible. Sigma rules primarily consists of following attributes:

  • title: A title describes the detection rules.
  • id, related: id is UUID4 rule identifier & related references to related rule identifiers
  • description: Describes the rule and malicious activity.
  • reference: References to the source that the rule was derived from.
  • author: Creator of the rule.
  • level: It describes the criticality of a triggered rule. It could be one of low, medium, high, critical.
  • detection: This is one of the most important attributes of the rule. It represents a set of search-identifiers that represent searches on log data. ç can consist of two different data structures – lists and maps.
  • Condition: Describes the selection criterion of search-identifiers described in detection attribute.
  • logsource: Describes the log data on which the detection is meant to be applied to. It consists of three attributes category, product, service. Examples of each of these are
    • category : firewall, web, antivirus
    • product : windows, apache, check point fw1
    • service: sshd, applocker
Sigma Rule Example:

Here is an example of a sigma rule. This rule detects SQL error messages that indicate probing for an sql injection attack

title: Suspicious SQL Error Messages
id: 8a670c6d-7189-4b1c-8017-a417ca84a086
status: experimental
description: Detects SQL error messages that indicate probing for an injection attack
author: Bjoern Kimminich
date: 2017/11/27
   category: application
   product: sql
       # Oracle
       - quoted string not properly terminated
       # MySQL
       - You have an error in your SQL syntax
       # SQL Server
       - Unclosed quotation mark
       # SQLite
       - 'near "*": syntax error'
       - SELECTs to the left and right of UNION do not have the same number of result columns
   condition: keywords
   - Application bugs
level: high

Sigma project consists of sigmac, a rule converter that converts Sigma rules into search queries or event rules targeted for specific SIEM systems. At this time sigma supports a little more than 30 targets. It includes LOGIQ Insights, an observability platform backed by any S3 compatible object-store. 

LOGIQ Insights is integrated with the sigma repository and an output plugin. We are going to look at how we can convert a sigma rule to LOGIQ Insights event rule that LOGIQ’s event processing engine processes at real time.

Make sure that you already have LOGIQ Insights deployed and running. Also setup LOGIQ’s cli tool as described here. Assuming you already have git installed, clone the sigma repository

git clone

To convert sigma rule to LOGIQ event rule run following command.

$ ./tools/sigmac --target logiq ./rules/application/app_sqlinjection_errors.yml --output app_sqlinjection_errors.json

LOGIQ’s cli tool can import a list of rules. To convert the LOGIQ event rule into a list, run this command

$ sed 's/^/[/; s/$/]/' app_sqlinjection_errors.json >> app_sqlinjection_errors_logiq.json

 Let’s check the content of the app_sqlinjection_errors_logiq.json

$ cat app_sqlinjection_errors_logiq.json
[{"name": "Suspicious SQL Error Messages", "groupName": "sql", "description": "Detects SQL error messages that indicate probing for an injection attack", "condition": "message =~ 'quoted string not properly terminated' || message =~ 'You have an error in your SQL syntax' || message =~ 'Unclosed quotation mark' || message =~ 'near \"*\": syntax error' || message =~ 'SELECTs to the left and right of UNION do not have the same number of result columns'", "level": "high"}]

 Now use LOGIQ’s cli tool to create the rule in LOGIQ using the above json data.

$ ./logiqctl create eventrules -f ~/logiq/sigma/app_sqlinjection_errors_logiq.json
Event rules file : /Users/abhijit/logiq/sigma/app_sqlinjection_errors_logiq.json
Success Suspicious SQL Error Messages created

Event Rules also can be created from LOGIQ’s UI. For that open the LOGIQ’s UI and click on “Rules”, under Events tab. Click on “+ New Rule” to create an event rule from UI.

After the event rule is successfully created, you can find it in the LOGIQ UI event rules Page.

That’s how easy it is to convert a sigma rule to LOGIQ’s event rule. LOGIQ’s event processor engine processes the logs at real time to look for the pattern described in the event rule. Whenever the pattern match is detected the event is generated. Alerts can also be configured on the eventRule so that the specified destinations such as emails, Slack and/or PagerDuty are notified when the event occurs.

More Information:

Follow these links for further information on Sigma, LOGIQ Insights and its event Rules.

Add a Comment

Your email address will not be published. Required fields are marked *