Sigma rules have become the security team's equivalent of LEGO bricks. With LEGO, people can build whatever they can imagine by connecting different types of bricks. With Sigma Specification 2.0 rules, security teams can create vendor-agnostic detections without being limited by proprietary log formats.
In response to the Sigma rules' popularity, the team that maintains them updated the specification in August 2024, giving security teams new capabilities. With Sigma v2.0, security teams now have:
- New fields and modifiers that improve how security teams use the rules
- Correlation specifications to extend rules to more sophisticated detections
- Filters that reduce false positives
- JSON schema to allow automation
The Sigma v2.0 updates let you expand your use of the rules and improve your threat detection and response capabilities.
Why were the Sigma rules updated?
According to the team responsible for the Sigma rules, security teams embraced the rules and clamored for additional capabilities. In response, the team started by creating pySigma, a Python library for processing and converting Sigma rules; the enhancements introduced there led to evolving the specification itself and to the release of v2.0.
What are the key changes in Sigma v.2.0?
To improve security teams’ use of the rules, the team made three critical updates.
New Metadata Fields and Modifiers
The original Sigma rules offered 11 fields. In v2.0, the team added the following new fields:
- Taxonomy: optional attribute that defines the field names, field values, and logsource names a rule uses, so that organizations can create a custom taxonomy or transform their taxonomy to the default model
- Scope: ability to define whether a rule should trigger only on a specific set of machine types with specific software installed
Further, the update incorporates new Detection categories that include:
- Field Existence: matching on whether a field is present in an event at all, for cases where a field is optional
- Placeholders: values that get their final meaning at conversion or rule usage time, for example by replacing a placeholder with a single value, a list of or-linked values, or a pattern; by replacing it with a query expression; or by looking the value up in a table or API while matching the Sigma rule that contains the placeholder
- Standard Placeholders: defined values for administrative user accounts, server systems used as jump servers, workstation systems, server systems, and domain controller systems
- Keywords search: a list under search-identifiers that looks for keywords across an entire event
Finally, Sigma v2.0 now includes a modifiers appendix that includes the following modifier types:
- Generic: list of modifiers that can apply to all field types, like all, startswith, endswith, contains, exists, cased, cidr and base64
- String: regular expression (regex) and encoding modifiers that apply only to string values
- Numeric: list of modifiers that only apply to numeric values, like lt, lte, gt, gte
- Time: modifiers to extract a numeric value from a date, like minute, hour, day, week, month, and year
- IP (Internet Protocol): modifiers that apply only to IP address values, like cidr
- Specific: modifiers to expand value placeholders or to modify a plain string into a field reference
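The following rule is an added example, not one from the Sigma project or the original post; it combines several of the modifier families listed above in a single detection. The rule id is a constructed placeholder, the jump-host naming pattern and the 192.0.2.0/24 range are constructed, and the timestamp field name depends on how your log source is mapped.

```yaml
title: Interactive Logon by Administrative Account Outside Business Hours
id: 11111111-1111-4111-8111-111111111111   # constructed placeholder UUID
name: admin_logon_off_hours                # v2.0 name attribute so correlation rules can reference this rule
status: experimental
description: Demonstrates generic, specific, IP, time, numeric and string modifiers in one detection
taxonomy: sigma                            # optional v2.0 attribute; sigma is the default taxonomy
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
        LogonType: 10                      # numeric field, exact match (RDP / RemoteInteractive)
        # Specific modifier: %Administrators% is a standard placeholder filled in at conversion time
        TargetUserName|expand: '%Administrators%'
        # IP modifier: match the source address against a CIDR range (constructed range)
        IpAddress|cidr: '192.0.2.0/24'
        # Generic modifier: the field must be present in the event at all
        WorkstationName|exists: true
    off_hours:
        # Time modifier extracts the hour; the numeric modifier then compares it (field name is mapping-dependent)
        SystemTime|hour|lt: 7
    known_jump_host:
        # String modifier: regular expression on the workstation name (constructed naming pattern)
        WorkstationName|re: '^JUMP-[0-9]{2}$'
    condition: selection and off_hours and not known_jump_host
falsepositives:
    - Administrators legitimately working outside business hours
level: medium
```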
Rule Correlation
The new rule correlation specification may be the most exciting update in v2.0. Although earlier versions already let security teams aggregate rules, the available expressions were limited. The new rule correlation specification enables security teams to link several events together to create more complex detections.
For example, security teams can build Sigma rules that identify:
- Invalid logins that meet or exceed a set threshold
- Invalid login alerts on a host that come from an unknown location
- Alerts generated in the same timespan
Sigma v2.0 defines the following correlation types:
- Event count (event_count): counts events occurring over a time frame and compares the count to a defined threshold, like more than 50 failed login attempts in 3 minutes
- Value count (value_count): counts the distinct values of a specified field and compares that count to a threshold, like failed login attempts against more than 50 different user accounts from a specific source to a specific destination in a day
- Temporal proximity (temporal): group of rules that all trigger during the same timespan, grouped by the same value, like three Sigma rules triggered within 5 minutes by the same user
- Ordered Temporal Proximity (temporal_ordered): group of rules that occur in a specified order within the same timespan, like 5 failed logins followed by a successful login from the same user account within 10 minutes.
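The last example above, five failed logins followed by a successful login from the same account within 10 minutes, can be expressed by chaining two correlation types. The multi-document rule set below is an added example, not part of the original post or the Sigma project; all rule ids are constructed placeholders, and the base rules are referenced by their v2.0 name attribute.

```yaml
# Base rule 1: a single failed logon, referenced by name from the correlation below
title: Failed Logon
id: 22222222-2222-4222-8222-222222222222   # constructed placeholder UUID
name: failed_logon
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4625
    condition: selection
---
# Base rule 2: a single successful logon
title: Successful Logon
id: 33333333-3333-4333-8333-333333333333   # constructed placeholder UUID
name: successful_logon
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624
    condition: selection
---
# Correlation 1 (event_count): at least 5 failures for the same account within 10 minutes
title: Multiple Failed Logons for One Account
id: 44444444-4444-4444-8444-444444444444   # constructed placeholder UUID
name: multiple_failed_logons
correlation:
    type: event_count
    rules:
        - failed_logon
    group-by:
        - TargetUserName
    timespan: 10m
    condition:
        gte: 5
---
# Correlation 2 (temporal_ordered): the burst of failures must precede a success for the same account
title: Brute Force Followed by Successful Logon
id: 55555555-5555-4555-8555-555555555555   # constructed placeholder UUID
correlation:
    type: temporal_ordered
    rules:
        - multiple_failed_logons             # order of this list is the required event order
        - successful_logon
    group-by:
        - TargetUserName
    timespan: 10m
```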
Sigma Filters
Instead of writing the same exclusions across different individual rules, the Sigma Filter enables security teams to write one exclusion in one location and apply it across the entire environment.
Sigma's creators noted two problems with the traditional approach of writing exclusions as a "not" condition inside each rule:
- Exclusions built into the initial detection can be less effective because they fail to consider the organization's unique environment.
- Attackers may use the excluded file paths, patterns, and behaviors to evade detection.
Sigma Filters are separate from an organization’s individual Sigma rules, enabling the detections to remain as globally applicable as possible. By applying Sigma Filters to multiple Sigma rules, security teams can manage their detections more effectively.
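A Sigma Filter that excludes authorized vulnerability scanners from several logon rules at once, as an added example that is not part of the original post or the Sigma project. It assumes a base rule named failed_logon and a correlation rule with the constructed id shown; the scanner subnet is constructed as well.

```yaml
# Sigma Filter (v2.0): one exclusion, maintained in one place, applied to several rules by name or id
title: Exclude Authorized Vulnerability Scanners from Logon Rules
id: 66666666-6666-4666-8666-666666666666   # constructed placeholder UUID
description: Scanners produce bursts of failed logons; exclude them here instead of editing every rule
logsource:                                 # must be compatible with the logsource of the filtered rules
    product: windows
    service: security
filter:
    rules:
        - failed_logon                      # assumed base rule, referenced by its name attribute
        - 44444444-4444-4444-8444-444444444444   # a rule may also be referenced by id (constructed)
    selection:
        IpAddress|cidr: '192.0.2.0/28'     # constructed scanner subnet
    condition: not selection               # the filter is ANDed onto each referenced rule's condition
```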
Graylog Security: Supporting Sigma v2.0 Mapped to MITRE ATT&CK Framework
Using Graylog Security, you can rapidly mature your TDIR capabilities without the complexity and cost of traditional Security Information and Event Management (SIEM) technology. Graylog Security’s Illuminate bundles include subsets of SOC Prime and Trukno rulesets so you have content that includes Sigma detections, enabling you to uplevel your TDIR with threat-hunting capabilities and correlations to ATT&CK TTPs.
By leveraging our cloud-native capabilities and out-of-the-box content, you gain immediate value from your logs. Our anomaly detection ML improves over time without manual tuning, adapting rapidly to new data sets, organizational priorities, and custom use cases so that you can automate key user and entity access monitoring.
With our intuitive user interface, you can rapidly investigate alerts. Our lightning-fast search capabilities enable you to search terabytes of data in milliseconds, reducing dwell times and shrinking investigations by hours, days, and weeks.
To learn how Graylog Security can help you implement robust threat detection and response, contact us today.