
Sigma Rule Reference

This reference section explains the inner workings of the Sigma v2 to Padas converter script: which Sigma fields feed which Padas Rule fields, and how a Sigma detection or correlation is turned into PDL.

Field Mapping (Padas : Sigma)

The table below maps the fields of a Padas Rule to the fields of a Sigma Rule. Simple and Meta rules differ in one respect: for a Simple Rule the pdl field is built from the Sigma detection block, while for a Meta Rule it is built from the correlation fields that accompany action: correlation.

Padas Rule : Simple Sigma v2 Rule
    id          : id / title / name
    name        : title / name
    description : description
    datamodel   : logsource
    annotations : tags
    pdl         : detection

Padas Rule : Meta Sigma v2 Rule
    id          : id / title / name
    name        : title / name
    description : description
    datamodel   : "padas_alert"
    annotations : tags
    pdl         : type, field, group-by, timespan, condition, ordered, aliases *
* See below for details.

Conversion of Fields

id

The first matching Sigma field is used, in order of precedence: id, title, name.

name

The first matching Sigma field is used, in order of precedence: title, name.

description

The description Sigma field is used.

datamodel

For Simple Rules the logsource Sigma field is used; for Meta Rules the constant padas_alert is assigned. The following table shows how the datamodel field of the Padas Rule is constructed from the logsource subfields.

Simple Rule : category + "_" + product + "_" + service
Meta Rule   : padas_alert

annotations

The tags Sigma field is used.

pdl

This field is where the actual conversion happens. The condition field is handled the same way for Simple and Meta rules: it names the selections (or the correlation condition) and states how they are combined. Sigma field modifiers on Simple Rule selections are converted as shown in the following table. Two cases not listed in the table appear in the examples below: a null value becomes field!="*" (the field must be absent), and the all modifier joins a list of values with AND instead of OR.

Sigma Rule Field Modifier : PDL Field Modifier
    contains   : ?=
    startswith : "...*"
    endswith   : "*..."
    gt         : >
    gte        : >=
    lt         : <
    lte        : <=


Simple Rule Examples
Example 1

Sigma Rule:
    detection:
        selection:
            file: 'example.exe'
        condition: selection

PDL:
    file="example.exe"

Example 2

Sigma Rule:
    detection:
        selection:
            file: 'example.exe'
            eventId: 4769
        condition: selection

PDL:
    file="example.exe" AND eventId=4769

Example 3

Sigma Rule:
    detection:
        selection:
            file:
                - 'example.exe'
                - 'example2.exe'
            eventId: 4769
        filter:
            user: 'someuser'
        condition: selection and not filter

PDL:
    ((file="example.exe" OR file="example2.exe") AND eventId=4769) AND NOT (user="someuser")

Example 4

Sigma Rule:
    detection:
        selection:
            file:
                - 'example.exe'
                - 'example2.exe'
            eventId: 4769
        filter:
            user: 'someuser'
            password: null
        condition: selection and not filter

PDL:
    ((file="example.exe" OR file="example2.exe") AND eventId=4769) AND NOT (user="someuser" AND password!="*")

Example 5

Sigma Rule:
    detection:
        selection:
            file|endswith:
                - '\\example.exe'
                - '\\example2.exe'
            eventId|gte: 4769
        filter:
            user|contains: 'someuser'
            password: null
        condition: selection and not filter

PDL:
    ((file="*\\example.exe" OR file="*\\example2.exe") AND eventId>=4769) AND NOT (user?="someuser" AND password!="*")

Example 6

Sigma Rule:
    detection:
        selection:
            file|endswith:
                - '\\example.exe'
        selection2:
            file|endswith:
                - '\\example2.exe'
            eventId|gte: 4769
        filter:
            user|contains: 'someuser'
            password: null
        condition: 1 of selection* and not filter

PDL:
    ((file="*\\example.exe") OR (file="*\\example2.exe" AND eventId>=4769)) AND NOT (user?="someuser" AND password!="*")

Example 7

Sigma Rule:
    detection:
        selection:
            file|endswith:
                - '\\example.exe'
        selection2:
            file|endswith:
                - '\\example2.exe'
            eventId|gte: 4769
        filter:
            user|contains: 'someuser'
            password: null
        condition: all of selection* and not filter

PDL:
    ((file="*\\example.exe") AND (file="*\\example2.exe" AND eventId>=4769)) AND NOT (user?="someuser" AND password!="*")

Example 8

Sigma Rule:
    detection:
        selection:
            file|endswith|all:
                - '\\example.exe'
                - '\\example2.exe'
            eventId|gte: 4769
        filter:
            user|contains: 'someuser'
            password: null
        condition: selection and not filter

PDL:
    ((file="*\\example.exe" AND file="*\\example2.exe") AND eventId>=4769) AND NOT (user?="someuser" AND password!="*")
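The following is an added example, not the converter script's own code, that implements the Simple Rule conversion described by the modifier table and the examples above in Python. It takes the detection block as a plain dict (what yaml.safe_load returns for the YAML shown), applies the modifier, null and all rules, and parses the condition with the same parenthesisation as the examples. The parenthesisation rules and the support for parenthesised conditions and "1 of them" / "all of them" are inferred from the examples and from Sigma's condition syntax, not stated by this page; EXAMPLE_6 and EXAMPLE_8 are constructed copies of examples 6 and 8.

```python
"""Added example (not the project's converter): Sigma v2 Simple Rule detection block -> PDL
expression, following the modifier table above.  Detections are plain dicts (yaml.safe_load output)."""
import fnmatch
import re

_COMPARE = {"gt": ">", "gte": ">=", "lt": "<", "lte": "<="}


def _term(field, mods, value):
    """One field/value pair plus its modifiers -> one PDL comparison."""
    if value is None:                        # Sigma null: the field must be absent
        return f'{field}!="*"'
    if "contains" in mods:
        return f'{field}?="{value}"'
    if "startswith" in mods:
        return f'{field}="{value}*"'
    if "endswith" in mods:
        return f'{field}="*{value}"'
    op = next((_COMPARE[m] for m in mods if m in _COMPARE), "=")
    lit = str(value) if isinstance(value, (int, float)) and not isinstance(value, bool) else f'"{value}"'
    return f"{field}{op}{lit}"               # numbers stay bare: eventId>=4769


def render_selection(selection):
    """Fields of a selection are AND-ed; a list value is OR-ed (AND-ed under |all)."""
    parts = []
    for key, value in selection.items():
        field, *mods = key.split("|")
        if isinstance(value, list):
            group = (" AND " if "all" in mods else " OR ").join(_term(field, mods, v) for v in value)
            parts.append(f"({group})" if len(value) > 1 else group)
        else:
            parts.append(_term(field, mods, value))
    return " AND ".join(parts)


def parse_condition(condition, names):
    """Recursive descent for: x | not x | x and y | x or y | (x) | 1 of p* | all of p*."""
    tokens = re.findall(r"\(|\)|[\w*]+", condition)
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def peek():
        return tokens[pos] if pos < len(tokens) else None
    def binary(level, op):                   # left-assoc chain of `op` over the tighter production
        node = level()
        while peek() == op:
            take()
            node = (op, [node, level()])
        return node
    def expr():                              # precedence: not, then and, then or
        return binary(lambda: binary(factor, "and"), "or")
    def factor():
        tok = take()
        if tok == "not":
            return ("not", factor())
        if tok == "(":
            node = expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return node
        if tok in ("1", "all") and peek() == "of":   # 1 of p* -> OR, all of p* -> AND
            take()
            pattern = take()
            hits = list(names) if pattern == "them" else fnmatch.filter(names, pattern)
            return ("or" if tok == "1" else "and", [("sel", n) for n in hits])
        if tok not in names:
            raise ValueError(f"unknown selection {tok!r}")
        return ("sel", tok)
    return expr()


def _render(node, detection, top):
    kind, body = node
    if kind == "sel":                        # a referenced selection gets parentheses
        text = render_selection(detection[body])
        return text if top else f"({text})"
    if kind == "not":                        # NOT always parenthesises its operand
        return f"NOT ({_render(body, detection, True)})"
    joined = f" {kind.upper()} ".join(_render(c, detection, False) for c in body)
    return joined if top else f"({joined})"


def detection_to_pdl(detection):
    """The whole detection block -> one PDL expression string."""
    names = [k for k in detection if k != "condition"]
    return _render(parse_condition(detection["condition"], names), detection, True)


# Constructed copies of examples 6 and 8 above; r"..." keeps the YAML's two backslashes.
EXAMPLE_6 = {"selection": {"file|endswith": [r"\\example.exe"]},
             "selection2": {"file|endswith": [r"\\example2.exe"], "eventId|gte": 4769},
             "filter": {"user|contains": "someuser", "password": None},
             "condition": "1 of selection* and not filter"}
EXAMPLE_8 = {"selection": {"file|endswith|all": [r"\\example.exe", r"\\example2.exe"], "eventId|gte": 4769},
             "filter": {"user|contains": "someuser", "password": None},
             "condition": "selection and not filter"}

if __name__ == "__main__":
    print(detection_to_pdl(EXAMPLE_6))
    print(detection_to_pdl(EXAMPLE_8))
```

Running the block prints the PDL strings of examples 6 and 8 exactly as they appear above. The backslashes are passed through untouched, as the examples show, so any escaping the target PDL engine needs for backslashes is left to the rule author.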


Meta Rule Examples

Only Sigma Meta Rules with action: correlation are converted. The following table lists the Sigma Meta Rule correlation functions and the corresponding PDL correlation usage.

Sigma Meta Rule Function : PDL Correlation Usage
    event_count : event_count <condition>
    value_count : value_count(<fieldname>) <condition>
    temporal    : temporal(<fieldname>, [<value>,<value>, ...], ordered_boolean)

The following table gives examples of Sigma Meta Rule to PDL expression/correlation conversions. Example 3 is a multi-document YAML file: the two Simple Rules it references are converted together with the Meta Rule, so the output is a list of three Padas Rules.

Example 1

Sigma Meta Rule:
    title: Event Count
    id: "0e00016d"
    action: correlation
    type: event_count
    rules:
        - 5638f7c0-ac70-491d-8465-2a65075e0d86
        - 5638f7c0-ac70-491d-8465-2a65075e0d87
    group-by:
        - ComputerName
    timespan: 1h
    condition:
        range: 100..200

Padas Rule:
    {
        "id": "0e00016d",
        "name": "Event Count",
        "description": "",
        "datamodel": "padas_alert",
        "annotations": [""],
        "pdl": "padas_rule IN [\"5638f7c0-ac70-491d-8465-2a65075e0d86\", \"5638f7c0-ac70-491d-8465-2a65075e0d87\"]
                | event_count timespan=1h group_by ComputerName where padasAggregation.eventCount>=100 AND padasAggregation.eventCount<=200",
        "enabled": false
    }

Example 2

Sigma Meta Rule:
    title: Value Count
    id: "0e00017d"
    action: correlation
    type: value_count
    field: User
    group-by:
        - ComputerName
        - WorkstationName
    timespan: 1d
    condition:
        gte: 100

Padas Rule:
    {
        "id": "0e00017d",
        "name": "Value Count",
        "description": "",
        "datamodel": "padas_alert",
        "annotations": [""],
        "pdl": "value_count(User) timespan=1d group_by ComputerName, WorkstationName where padasAggregation.valueCount>=100",
        "enabled": false
    }

Example 3

Sigma Rules (multi-document YAML, two Simple Rules followed by the Meta Rule that references them):
    title: internal_error
    id: "0e00018d"
    name: select01
    detection:
      selection:
        http.response.status_code: 500
      condition: selection
    ---
    title: new_network_connection
    id: "0e00019d"
    name: select02
    detection:
      selection:
        event.category: network
        event.type: connection
        event.outcome: success
      condition: selection
    ---
    title: Temporal
    id: "0e00020d"
    action: correlation
    type: temporal
    rule:
      - select01
      - select02
    group-by:
      - internal_ip
      - remote_ip
    timespan: 10s
    ordered: true
    aliases:
      internal_ip:
        internal_error: destination.ip
        new_network_connection: source.ip
      remote_ip:
        internal_error: source.ip
        new_network_connection: destination.ip

Padas Rules (a JSON list with one object per converted rule):
    [
        {
            "id": "0e00018d",
            "name": "select01",
            "description": "",
            "datamodel": "",
            "annotations": [""],
            "pdl": "http.response.status_code=500",
            "enabled": false
        },
        {
            "id": "0e00019d",
            "name": "select02",
            "description": "",
            "datamodel": "",
            "annotations": [""],
            "pdl": "((event.category=\"network\") AND (event.type=\"connection\") AND (event.outcome=\"success\"))",
            "enabled": false
        },
        {
            "id": "0e00020d",
            "name": "Temporal",
            "description": "",
            "datamodel": "padas_alert",
            "annotations": [""],
            "pdl": "eval internal_ip=if(padas_rule=\"internal_error\", destination.ip, if(padas_rule=\"new_network_connection\", source.ip, \"\"))
                | eval remote_ip=if(padas_rule=\"internal_error\", source.ip, if(padas_rule=\"new_network_connection\", destination.ip, \"\"))
                | temporal(ordered=true) [padasRule=\"select01\" || padasRule=\"select02\"] timespan=10s group_by internal_ip, remote_ip",
            "enabled": false
        }
    ]
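The following is an added example, not the converter script's own code, that builds the Padas Rule object for a Meta Rule the way the field mapping and the three meta rule examples above describe it: id and name follow the precedence from "Conversion of Fields", datamodel is the constant padas_alert, and the pdl string is assembled for event_count, value_count and temporal. The eval chain for a temporal rule is derived from the aliases block, one nested if() per alias. The output strings reproduce example 1 to 3 literally, including the two spellings padas_rule (in eval) and padasRule (in the temporal list) shown above; pipeline stages are joined with " | " on one line instead of the page's line breaks, and the stray space in example 2's "valueCount>= 100" is not reproduced. EVENT_COUNT, VALUE_COUNT and TEMPORAL are constructed copies of the three examples.

```python
"""Added example (not the project's converter): builds the Padas rule object for a Sigma Meta
Rule with action: correlation, applying the id/name precedence from "Conversion of Fields" and
emitting the PDL correlation strings shown for event_count, value_count and temporal above.
Rules are plain dicts; EVENT_COUNT, VALUE_COUNT and TEMPORAL are constructed from examples 1-3."""

_OPS = {"gt": ">", "gte": ">=", "lt": "<", "lte": "<="}


def _first(rule, *keys):
    """First Sigma field present, in the precedence order given above (e.g. id / title / name)."""
    return next((rule[k] for k in keys if rule.get(k)), "")


def _where(condition, counter):
    """Sigma condition dict -> PDL where clause on the aggregation counter."""
    clauses = []
    for key, value in condition.items():
        if key == "range":                     # "100..200" -> lower and upper bound
            low, high = str(value).split("..")
            clauses += [f"{counter}>={low}", f"{counter}<={high}"]
        else:
            clauses.append(f"{counter}{_OPS[key]}{value}")
    return " AND ".join(clauses)


def _nested_if(mapping):
    """aliases entry {rule_title: field} -> if(padas_rule="t1", f1, if(padas_rule="t2", f2, ""))."""
    expr = '""'
    for title, field in reversed(list(mapping.items())):
        expr = f'if(padas_rule="{title}", {field}, {expr})'
    return expr


def correlation_pdl(rule):
    """PDL for one correlation meta rule; an unknown type raises rather than emitting junk."""
    kind = rule["type"]
    refs = rule.get("rules") or rule.get("rule") or []   # example 3 above spells the key "rule"
    group_by = ", ".join(rule.get("group-by", []))
    stages = []
    if kind in ("event_count", "value_count"):
        if refs:                                           # restrict to the referenced rules first
            stages.append("padas_rule IN [" + ", ".join(f'"{r}"' for r in refs) + "]")
        if kind == "event_count":
            head, counter = "event_count", "padasAggregation.eventCount"
        else:
            head, counter = f"value_count({rule['field']})", "padasAggregation.valueCount"
        stages.append(f"{head} timespan={rule['timespan']} group_by {group_by} "
                      f"where {_where(rule['condition'], counter)}")
    elif kind == "temporal":
        for alias, mapping in rule.get("aliases", {}).items():   # one eval per alias
            stages.append(f"eval {alias}={_nested_if(mapping)}")
        ordered = "true" if rule.get("ordered") else "false"
        stages.append(f"temporal(ordered={ordered}) [" + " || ".join(f'padasRule="{r}"' for r in refs)
                      + f"] timespan={rule['timespan']} group_by {group_by}")
    else:
        raise ValueError(f"unsupported correlation type {kind!r}")
    return " | ".join(stages)


def meta_to_padas(rule):
    """Padas rule object for a meta rule; datamodel is always padas_alert."""
    if rule.get("action") != "correlation":
        raise ValueError("only meta rules with action: correlation are converted")
    return {
        "id": _first(rule, "id", "title", "name"),
        "name": _first(rule, "title", "name"),
        "description": rule.get("description", ""),
        "datamodel": "padas_alert",
        "annotations": rule.get("tags") or [""],
        "pdl": correlation_pdl(rule),
        "enabled": False,
    }


# Constructed copies of meta rule examples 1-3 above (what yaml.safe_load would return).
EVENT_COUNT = {"title": "Event Count", "id": "0e00016d", "action": "correlation", "type": "event_count",
               "rules": ["5638f7c0-ac70-491d-8465-2a65075e0d86", "5638f7c0-ac70-491d-8465-2a65075e0d87"],
               "group-by": ["ComputerName"], "timespan": "1h", "condition": {"range": "100..200"}}
VALUE_COUNT = {"title": "Value Count", "id": "0e00017d", "action": "correlation", "type": "value_count",
               "field": "User", "group-by": ["ComputerName", "WorkstationName"], "timespan": "1d",
               "condition": {"gte": 100}}
TEMPORAL = {"title": "Temporal", "id": "0e00020d", "action": "correlation", "type": "temporal",
            "rule": ["select01", "select02"], "group-by": ["internal_ip", "remote_ip"],
            "timespan": "10s", "ordered": True,
            "aliases": {"internal_ip": {"internal_error": "destination.ip", "new_network_connection": "source.ip"},
                        "remote_ip": {"internal_error": "source.ip", "new_network_connection": "destination.ip"}}}

if __name__ == "__main__":
    for meta in (EVENT_COUNT, VALUE_COUNT, TEMPORAL):
        print(meta_to_padas(meta)["pdl"])
```

Running the block prints the three pdl strings from the examples. Note that the alias block is keyed by the referenced rules' titles while the temporal list uses their names, exactly as in example 3; a converter that wants one consistent key would have to resolve one against the other, which this page does not describe.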