Sigma
Sigma (7.5k ★) is a vendor-neutral format for writing log-based detection rules for any SIEM. You write the rule once in YAML and use pySigma (0.4k ★) or Uncoder to compile it into the query language of the SIEM you run. A rule template looks like this:
```yaml
title: XXX                    # short, descriptive rule name
id: UUID                      # unique rule identifier (a UUID)
status: experimental          # maturity: experimental, test, stable, deprecated
description: XXX
logsource:                    # which logs the rule applies to
  product: windows            # or linux, etc.
  service: security           # or procmon, etc.
detection:
  selection:                  # fields inside one selection are AND'ed together
    EventID: ['event_id_here']
    Image|endswith: ['\xxx.exe']
    CommandLine|contains|all: # every listed value must appear in the field
      - cmd.exe
      - '-c '
  condition: selection        # boolean expression over the named selections
falsepositives:
  - unknown
level: low                    # informational, low, medium, high, critical
tags:
  - attack.persistence        # Points to the MITRE Tactic
  - attack.T1136.001          # Points to the MITRE Technique
```
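To make the detection semantics of the template concrete, here is an added example (not from the original note or the Sigma project): a minimal, stdlib-only evaluator for the `detection` block above, run over constructed sample events. It shows what the `|endswith` and `|contains|all` modifiers actually match; the placeholder values (event ID, image name) are assumptions filled in for the demo, and real deployments compile rules with pySigma rather than evaluating them this way.

```python
# Added illustration of Sigma matching semantics; not the pySigma implementation.
# The detection block of the template, as a dict so the example runs without PyYAML.
# Placeholder values replaced with constructed ones (4688 = Windows process creation).
RULE_DETECTION = {
    "selection": {
        "EventID": [4688],
        "Image|endswith": ["\\cmd.exe"],
        "CommandLine|contains|all": ["cmd.exe", "-c "],
    },
    "condition": "selection",
}

def field_matches(modifiers, wanted, actual):
    """Apply Sigma modifiers to one field. Listed values are OR'ed unless `all`
    is given; string comparison is case-insensitive, as the Sigma spec requires."""
    if actual is None:
        return False
    a = str(actual).lower()

    def one(v):
        v = str(v).lower()
        if "endswith" in modifiers:
            return a.endswith(v)
        if "startswith" in modifiers:
            return a.startswith(v)
        if "contains" in modifiers:
            return v in a
        return a == v

    results = [one(v) for v in wanted]
    return all(results) if "all" in modifiers else any(results)

def selection_matches(selection, event):
    # Every field in a selection map must match (AND).
    for key, wanted in selection.items():
        field, *mods = key.split("|")
        if not field_matches(mods, wanted, event.get(field)):
            return False
    return True

def rule_matches(detection, event):
    # Only the simplest condition, a single named selection, is handled here.
    return selection_matches(detection[detection["condition"]], event)

# Constructed sample events, not real telemetry.
EVENTS = [
    {"EventID": 4688, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": 'cmd.exe -c "echo test"'},
    {"EventID": 4688, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /k dir"},
    {"EventID": 4624, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe -c x"},
]

def matching_events(detection=RULE_DETECTION, events=EVENTS):
    return [e for e in events if rule_matches(detection, e)]
```

Only the first event matches: the second lacks the `-c ` token required by `|all`, and the third has the wrong `EventID`.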