diff --git a/.github/workflows/sigma-validation.yml b/.github/workflows/sigma-validation.yml index 8f1ad15b2..61b5c12c5 100644 --- a/.github/workflows/sigma-validation.yml +++ b/.github/workflows/sigma-validation.yml @@ -2,6 +2,9 @@ name: Validate Sigma rules on: [push, pull_request, merge_group, workflow_dispatch] +env: + SIGMA_RULE_SCHEMA_VERSION: v2.1.0 + jobs: sigma-rules-validator: runs-on: ubuntu-latest @@ -16,4 +19,4 @@ jobs: ./rules-emerging-threats ./rules-placeholder ./rules-threat-hunting - schemaFile: ${{ github.workspace }}/tests/validate-sigma-schema/sigma-schema.json + schemaURL: https://raw.githubusercontent.com/SigmaHQ/sigma-specification/refs/tags/${{ env.SIGMA_RULE_SCHEMA_VERSION }}/json-schema/sigma-detection-rule-schema.json diff --git a/tests/validate-sigma-schema/sigma-schema.json b/tests/validate-sigma-schema/sigma-schema.json deleted file mode 100644 index 49dccd1ab..000000000 --- a/tests/validate-sigma-schema/sigma-schema.json +++ /dev/null @@ -1,255 +0,0 @@ -{ - "$schema": "https://json-schema.org/draft/2020-12/schema#", - "title": "Sigma rule specification V2.0.0 (2024-08-08)", - "type": "object", - "required": ["title", "logsource", "detection"], - "properties": { - "title": { - "type": "string", - "maxLength": 256, - "description": "A brief title for the rule that should contain what the rules is supposed to detect" - }, - "id": { - "type": "string", - "description": "A globally unique identifier for the Sigma rule. This is recommended to be a UUID v4, but not mandatory.", - "format": "uuid" - }, - "related": { - "type": "array", - "description": "A list of related Sigma rules to keep track of the relationships between detections. This can be used to indicate that a rule is derived from another rule, or that a rule has been obsoleted by another rule.", - "items": { - "type": "object", - "required": ["id", "type"], - "properties": { - "id": { - "type": "string", - "description": "A globally unique identifier for the Sigma rule. This is recommended to be a UUID v4, but not mandatory.", - "format": "uuid" - }, - "type": { - "type": "string", - "oneOf": [ - { - "const": "derived", - "description": "The rule was derived from the referred rule or rules, which may remain active" - }, - { - "const": "obsolete", - "description": "The rule obsoletes the referred rule or rules, which aren't used anymore" - }, - { - "const": "merged", - "description": "The rule was merged from the referred rules. The rules may be still existing and in use" - }, - { - "const": "renamed", - "description": "The rule had previously the referred identifier or identifiers but was renamed for whatever reason, e.g. from a private naming scheme to UUIDs, to resolve collisions etc. It's not expected that a rule with this id exists anymore" - }, - { - "const": "similar", - "description": "Use to relate similar rules to each other (e.g. same detection content applied to different log sources, rule that is a modified version of another rule with a different level)" - } - ] - } - } - } - }, - "name": { - "type": "string", - "maxLength": 256, - "description": "a unique human-readable name that can be used instead of the id as a reference in correlation rules" - }, - "taxonomy":{ - "type": "string", - "maxLength": 256, - "description": "Defines the taxonomy used in the Sigma rule" - }, - "status": { - "type": "string", - "oneOf": [ - { - "const": "stable", - "description": "The rule didn't produce any obvious false positives in multiple environments over a long period of time" - }, - { - "const": "test", - "description": "The rule doesn't show any obvious false positives on a limited set of test systems" - }, - { - "const": "experimental", - "description": "A new rule that hasn't been tested outside of lab environments and could lead to many false positives" - }, - { - "const": "deprecated", - "description": "The rule was replaced or is now covered by another one. The link between both rules is made via the `related` field" - }, - { - "const": "unsupported", - "description": "The rule can not be used in its current state (special correlation log, home-made fields, etc.)" - } - ] - }, - "description": { - "type": "string", - "description": "A short description of the rule and the malicious activity that can be detected", - "maxLength": 65535 - }, - "license": { - "type": "string", - "description": "License of the rule according the SPDX ID specification (https://spdx.dev/ids/)" - }, - "author": { - "type": "string", - "description": "Creator of the rule. (can be a name, nickname, twitter handle, etc.)" - }, - "references": { - "type": "array", - "description": "References to the source that the rule was derived from. These could be blog articles, technical papers, presentations or even tweets", - "uniqueItems": true, - "items": { - "type": "string" - } - }, - "date": { - "type": "string", - "description": "Creation date of the rule. Use the ISO 8601 format YYYY-MM-DD", - "pattern": "^\\d{4}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])$" - }, - "modified": { - "type": "string", - "description": "Last modification date of the rule. Use the ISO 8601 format YYYY-MM-DD", - "pattern": "^\\d{4}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])$" - }, - "logsource": { - "type": "object", - "description": "The log source that the rule is supposed to detect malicious activity in.", - "properties": { - "category": { - "description": "Group of products, like firewall or process_creation", - "type": "string" - }, - "product": { - "description": "A certain product, like windows", - "type": "string" - }, - "service": { - "description": "A subset of a product's logs, like sshd", - "type": "string" - }, - "definition":{ - "description": "can be used to describe the log source", - "type": "string" - } - } - }, - "detection": { - "type": "object", - "required": ["condition"], - "description": "A set of search-identifiers that represent properties of searches on log data", - "additionalProperties": { - "description": "A Search Identifier: A definition that can consist of two different data structures - lists and maps.", - "anyOf": [ - { - "type": "array", - "items": { - "anyOf": [ - { - "type": "string" - }, - { - "type": "integer" - }, - { - "type": "object", - "items": { - "type": "string" - } - } - ] - } - }, - { - "type": "object", - "items": { - "type": "string" - } - } - ] - }, - "properties": { - "condition": { - "type": "string", - "description": "The relationship between the search identifiers to create the detection logic. Ex: selection1 or selection2" - } - } - }, - "fields": { - "type": "array", - "description": "A list of log fields that could be interesting in further analysis of the event and should be displayed to the analyst", - "uniqueItems": true, - "items": { - "type": "string" - } - }, - "falsepositives": { - "description": "A list of known false positives that may occur", - "uniqueItems": true, - "anyOf": [ - { - "type": "string", - "minLength": 2 - }, - { - "type": "array", - "items": { - "type": "string", - "minLength": 2 - } - } - ] - }, - "level": { - "type": "string", - "description": "The criticality of a triggered rule", - "oneOf": [ - { - "const": "informational", - "description": "Rule is intended for enrichment of events, e.g. by tagging them. No case or alerting should be triggered by such rules because it is expected that a huge amount of events will match these rules" - }, - { - "const": "low", - "description": "Notable event but rarely an incident. Low rated events can be relevant in high numbers or combination with others. Immediate reaction shouldn't be necessary, but a regular review is recommended" - }, - { - "const": "medium", - "description": "Relevant event that should be reviewed manually on a more frequent basis" - }, - { - "const": "high", - "description": "Relevant event that should trigger an internal alert and requires a prompt review" - }, - { - "const": "critical", - "description": "Highly relevant event that indicates an incident. Critical events should be reviewed immediately. It is used only for cases in which probability borders certainty" - } - ] - }, - "tags": { - "description": "Tags to categorize a Sigma rule.", - "type": "array", - "uniqueItems": true, - "items": { - "type": "string", - "pattern": "^[a-z0-9_-]+\\.[a-z0-9._-]+$" - } - }, - "scope":{ - "description": "A list of intended scope of the rule", - "type": "array", - "items": { - "type": "string", - "minLength": 2 - } - } - } -} diff --git a/tests/validate-sigma-schema/validate.py b/tests/validate-sigma-schema/validate.py index adb6cac0e..116d73f38 100644 --- a/tests/validate-sigma-schema/validate.py +++ b/tests/validate-sigma-schema/validate.py @@ -41,7 +41,7 @@ def get_envs() -> Dict[str, Any]: sigma_schema_file = os.environ.get("SIGMA_SCHEMA_FILE") sigma_schema_url = os.environ.get( "SIGMA_SCHEMA_URL", - "https://raw.githubusercontent.com/SigmaHQ/sigma-specification/main/sigma-schema.json", + "https://raw.githubusercontent.com/SigmaHQ/sigma-specification/refs/heads/main/json-schema/sigma-detection-rule-schema.json", ) return {