Merge pull request #139 from nasbench/final_changes

Final Changes

README.md

@@ -1,34 +1,66 @@
-# Sigma-Specification
+# Sigma Specification - Generic Signature Format for SIEM Systems
 
-This repository is used to maintain the specification for the Sigma format.
+<a href="https://sigmahq.io/">
+<p align="center">
+<br />
+<picture>
+  <source media="(prefers-color-scheme: dark)" srcset="./media/images/sigma_logo_dark.png">
+  <img width="454" alt="Sigma Logo" src="./media/images/sigma_logo_light.png">
+</picture>
+</p>
+</a>
+<br />
 
-[Web version](https://sigmahq.github.io/sigma-specification/)
+<p align="center">
+<a href="https://sigmahq.io/"><img src="https://cdn.jsdelivr.net/gh/SigmaHQ/sigmahq.github.io@master/images/Sigma%20Official%20Badge.svg" alt="Sigma Official Badge"></a> <img alt="GitHub Repo stars" src="https://img.shields.io/github/stars/SigmaHQ/sigma-specification">
+<br />
+<a href="https://opensourcesecurityindex.io/" target="_blank" rel="noopener">
+<img style="width: 170px;" src="https://opensourcesecurityindex.io/badge.svg" alt="Open Source Security Index - Fastest Growing Open Source Security Projects" width="170" />
+</a>
+</p>
 
-## Version Management
+Welcome to the official Sigma Specification repository.
 
-The version number is in the form of 3 digits 'A.B.C':
+## A Quick Rundown
 
-- 'A' A major version that could break existing converters
-- 'B' A minor version with additions or modifications of functionality affecting but not breaking the converters
-- 'C' Reorganization of section, addition of examples etc.
+Here's what you can expect from each of the main subfolders within this repo. Please take a minute to educate yourself!
 
-## Current Version
+### Specification
 
-The Sigma rules format specifications is described in the file [Sigma_specification](Sigma_specification.md)  
-The Sigma Meta rules format specifications is described in the file [Sigma_meta_rules](Sigma_meta_rules.md)  
-The Sigma Meta filter format specifications is described in the file [Sigma_meta_filter](Sigma_meta_filter.md)  
+[Specification](./specification/) will contain markdown files describing the Sigma specification format in details.
 
-There exists other files in the repository to describe the different modifiers, fields and tags to be used in Sigma rules:
+* [Sigma Rules Specification](./specification/sigma-rules-specification.md) - Describes what constitute a Sigma rule.
+* [Sigma Correlation Specification](./specification/sigma-correlation-rules-specification.md) - Describes the Sigma correlation format.
+* [Sigma Filters Specification](./specification/sigma-filters-specification.md) - Described the Sigma filters format.
 
-- [appendix_modifier](appendix/appendix_modifier.md) is a document that defines the different modifiers that can be used in a Sigma rule. 
-- [appendix_tags](appendix/appendix_tags.md) is a document that defines the standardized tags that can be used to categorize the different Sigma rules.
-- [appendix_taxonomy](appendix/appendix_taxonomy.md) is a document that defines the different field names and log sources that should be used to ensure sharable rules.
+### JSON Schema
 
-## SigmaHQ
+[Json-Schema](./json-schema/) will contain a list of JSON schemas for the following.
 
-The following files are not part of the sigma specification. 
-They are only helpers for the management of the main [rule repository](https://github.com/SigmaHQ/sigma/tree/master/rules) under SigmaHQ
+* [Sigma Rules](/json-schema/sigma-detection-rule-schema.json)
+* [Sigma Correlation Rules](/json-schema/sigma-correlation-rules-schema.json)
+* [Sigma Filters](/json-schema/sigma-filters-schema.json)
 
-[SigmaHQ Filename Normalisation](/sigmahq/Sigmahq_filename_rule.md)
-[SigmaHQ Rule Conventions](/sigmahq/sigmahq_conventions.md)
-[SigmaHQ Title Normalisation](/sigmahq/sigmahq_title_rule.md)
+### Appendix
+
+[Appendix](./appendix/) will contain additional files providing additional details to certain fields of a Sigma rule
+
+* [Sigma Modifiers Appendix](appendix/sigma-modifiers-appendix.md) is a document that defines the different modifiers that can be used in a Sigma rule. 
+* [Sigma Tags Appendix](appendix/sigma-tags-appendix.md) is a document that defines the tags namespaces that can be used to categorize the different Sigma rules.
+* [Sigma Taxonomy Appendix](appendix/sigma-taxonomy-appendix.md) is a document that defines the different field names and log sources that are currently supported by SigmaHQ in order to ensure sharable rules.
+
+### SigmaHQ
+
+[SigmaHQ](./sigmahq/) will contain markdown files that describe rules and recommendations that are applied to the rules hosted in SigmaHQ main rule repository.
+
+> **Note**
+>
+> The SigmaHQ folder and the files contains within are not part of the sigma specification. They are there to ensure and easier management of the rules hosted in the main [rule repository](https://github.com/SigmaHQ/sigma/tree/master/rules)
+
+* [SigmaHQ Rule Convention](/sigmahq/sigmahq-rule-convention.md)
+* [SigmaHQ Filename Convention](/sigmahq/sigmahq-filename-convention.md)
+* [SigmaHQ Title Convention](/sigmahq/sigmahq-title-convention.md)
+
+## Version 2 Changes
+
+You can read more on the potential breaking changes and additional features introduced in version 2.0.0 of the specification [here](./other/version-2-changes.md)

appendix/appendix_modifier.md → appendix/sigma-modifiers-appendix.md

@@ -1,88 +1,87 @@
-# Modifiers <!-- omit in toc -->
-
-The following document defines the standardized modifiers that can be used in Sigma.
-
-* Version 2.0.0
-* Release date 2024-01-01
-
-## Summary
-- [Summary](#summary)
-- [General](#general)
-  - [String only](#string-only)
-  - [Numeric only](#numeric-only)
-  - [Ip only](#ip-only)
-  - [String Encoding](#string-encoding)
-- [Specific](#specific)
-- [History](#history)
-
-
-## General
-
-* `all`: Normally, lists of values are linked with *OR* in the generated query. This modifier
-  changes this to *AND*. This is useful if you want to express a command line invocation with different
-  parameters where the order may vary and removes the need for some cumbersome workarounds.
-
-  Single item values are not allowed to have an `all` modifier as some back-ends cannot support it.
-  If you use it as a workaround to duplicate a field in a selection, use a new selection instead.
-
-* `startswith`: The value is expected at the beginning of the field's content. (replaces e.g. 'adm*')
-* `endswith`: The value is expected at the end of the field's content (replaces e.g. '*\cmd.exe')
-* `contains`: Puts `*` wildcards around the values, such that the value is matched anywhere in the
-  field.
-
-* `exists`: Defines that a certain field has to exist or must not exist in a log event by providing a boolean value.
-* `cased`: Values are applied case sensitively. Default Sigma behaviour is case-insensitive matching.
-
-### String only
-
-* `windash`: Creates all possible permutations of the `-` and `/` characters. Windows command line flags can often be indicated by both characters. Using the `windash` modifier converts `-` values into `/` and vice versa and uses all possible permutation of strings in the selection.
-* `re`: Value is handled as a regular expression by backends. Regex is matched case-sensitive by default
-  * `i`: (insensitive) `re` sub-modifier to enable case-sensitive matching.
-  * `m`: (multi line) `re` sub-modifier to match across multiple lines. `^` /`$` match the start/end of line.
-  * `s`: (single line) `re` sub-modifier to enable that dot (`.`) matches all characters, including the newline character.
-
-
-### Numeric only
-
-* `lt`: Field is less than the value
-* `lte`: Field is less or equal than the value
-* `gt`: Field is greater than the value
-* `gte`: Field is greater or equal than the value
-
-
-### Ip only
-
-* `cidr`: The value is handled as an CIDR by backends
-
-
-### String Encoding
-
-* `base64`: The value is encoded with Base64.
-* `base64offset`: If a value might appear somewhere in a base64-encoded string the representation
-  might change depending on the position of the value in the overall string. There are three variants for shifts
-  by zero to two bytes and except the first and last byte the encoded values have a static part in
-  the middle that can be recognized.
-
-* `utf16le`: Transforms value to UTF16-LE encoding, e.g. `cmd` > `63 00 6d 00 64 00` (only used in combination with base64 modifiers)
-* `utf16be`: Transforms value to UTF16-BE encoding, e.g. `cmd` > `00 63 00 6d 00 64` (only used in combination with base64 modifiers)
-* `wide`: Alias for `utf16le` modifier
-* `utf16`: Prepends a [byte order mark](https://en.wikipedia.org/wiki/Byte_order_mark) and encodes UTF16, e.g. `cmd` > `FF FE 63 00 6d 00 64 00` (only used in combination with base64 modifiers)
-
-
-## Specific
-
-* `expand`: Modifier for expansion of placeholders in values. The final behavior of the replacement is determined by processing pipeline transformations. Current possibilities in pySigma are:
-  * Expand to value list (`ValueListPlaceholderTransformation`/`value_placeholders`)
-  * Replace with query expression in target query language (`QueryExpressionPlaceholderTransformation`/`query_expression_placeholders`)
-  * Replace placeholder with wildcard `*`, which should only be used as last resort. (`WildcardPlaceholderTransformation`/`wildcard_placeholders`)
-
-* `fieldref`: Modifies a plain string into a field reference. A field reference can be used to compare fields of matched
-  events directly at query/matching time.
-
-## History
-* 2023-05-27
-  * Update from PySigma 0.7.6
-  * Add `fieldref`
-* 2023-05-21 v1.0.3
-  * Creation of the file
-* 2017 Sigma creation
+# Modifiers <!-- omit in toc -->
+
+The following document defines the standardized modifiers that can be used in Sigma.
+
+* Version 2.0.0
+* Release date 2024-08-12
+
+## Summary
+- [Summary](#summary)
+- [General](#general)
+  - [String only](#string-only)
+  - [Numeric only](#numeric-only)
+  - [Ip only](#ip-only)
+  - [String Encoding](#string-encoding)
+- [Specific](#specific)
+- [History](#history)
+
+## General
+
+* `all`: Normally, lists of values are linked with *OR* in the generated query. This modifier
+  changes this to *AND*. This is useful if you want to express a command line invocation with different
+  parameters where the order may vary and removes the need for some cumbersome workarounds.
+
+  Single item values are not allowed to have an `all` modifier as some back-ends cannot support it.
+  If you use it as a workaround to duplicate a field in a selection, use a new selection instead.
+
+* `startswith`: The value is expected at the beginning of the field's content. (replaces e.g. 'adm*')
+* `endswith`: The value is expected at the end of the field's content (replaces e.g. '*\cmd.exe')
+* `contains`: Puts `*` wildcards around the values, such that the value is matched anywhere in the
+  field.
+
+* `exists`: Defines that a certain field has to exist or must not exist in a log event by providing a boolean value. Note that this check only verifies the presence of a field, not its value, be it empty or null.
+* `cased`: Values are applied case sensitively. Default Sigma behavior is case-insensitive matching.
+
+### String only
+
+* `windash`: Creates all possible permutations of the `-`, `/`, `–` (en dash), `—` (em dash), and `―` (horizontal bar) characters. Windows command line flags can often be indicated by both characters. Using the `windash` modifier converts the aforementioned characters interchangeably and uses all possible permutation of strings in the selection.
+
+* `re`: Value is handled as a regular expression by backends. Regex is matched case-sensitive by default
+* `re` sub-modifiers:
+  * `i`: (insensitive) to enable case-sensitive matching.
+  * `m`: (multi line) to match across multiple lines. `^` /`$` match the start/end of line.
+  * `s`: (single line) to enable that dot (`.`) matches all characters, including the newline character.
+
+### Numeric only
+
+* `lt`: Field is less than the value
+* `lte`: Field is less or equal than the value
+* `gt`: Field is greater than the value
+* `gte`: Field is greater or equal than the value
+
+### Ip only
+
+* `cidr`: The value is handled as an CIDR by backends. Supports both IPv4 and IPv6 notations.
+
+### String Encoding
+
+* `base64`: The value is encoded with Base64.
+* `base64offset`: If a value might appear somewhere in a base64-encoded string the representation
+  might change depending on the position of the value in the overall string. There are three variants for shifts
+  by zero to two bytes and except the first and last byte the encoded values have a static part in
+  the middle that can be recognized.
+
+* `base64` sub-modifiers:
+  * `utf16le`: Transforms value to UTF16-LE encoding, e.g. `cmd` > `63 00 6d 00 64 00` 
+  * `utf16be`: Transforms value to UTF16-BE encoding, e.g. `cmd` > `00 63 00 6d 00 64`
+  * `utf16`: Prepends a [byte order mark](https://en.wikipedia.org/wiki/Byte_order_mark) and encodes UTF16, e.g. `cmd` > `FF FE 63 00 6d 00 64 00`
+
+## Specific
+
+* `expand`: Modifier for expansion of placeholders in values. The final behavior of the replacement is determined by processing pipeline transformations. Current possibilities in pySigma are:
+  * Expand to value list (`ValueListPlaceholderTransformation`/`value_placeholders`)
+  * Replace with query expression in target query language (`QueryExpressionPlaceholderTransformation`/`query_expression_placeholders`)
+  * Replace placeholder with wildcard `*`, which should only be used as last resort. (`WildcardPlaceholderTransformation`/`wildcard_placeholders`)
+
+* `fieldref`: Modifies a plain string into a field reference. A field reference can be used to compare fields of matched
+  events directly at query/matching time.
+
+## History
+
+* 2024-08-12 Modifiers Appendix v2.0.0
+* 2023-05-27 Modifiers Appendix v1.0.4
+  * Update from PySigma 0.7.6
+  * Add `fieldref`
+* 2023-05-21 Modifiers Appendix v1.0.3
+  * Creation of the file
+* 2017 Sigma creation