security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 45 Packages Projects Releases Wiki Activity

Merge PR #5797 from @frack113 - ci: fix URL for sigma_schema_url

Browse Source 
chore: fix URL for sigma_schema_url in validate.py
---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
This commit is contained in:
frack113
2026-04-28 11:32:48 +02:00
committed by GitHub
parent 797bcaebfe
commit ad80b4d75f
3 changed files with 5 additions and 257 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/validate-sigma-schema/sigma-schema.json
-255
View File
@@ -1,255 +0,0 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema#",
"title": "Sigma rule specification V2.0.0 (2024-08-08)",
"type": "object",
"required": ["title", "logsource", "detection"],
"properties": {
"title": {
"type": "string",
"maxLength": 256,
"description": "A brief title for the rule that should contain what the rules is supposed to detect"
},
"id": {
"type": "string",
"description": "A globally unique identifier for the Sigma rule. This is recommended to be a UUID v4, but not mandatory.",
"format": "uuid"
},
"related": {
"type": "array",
"description": "A list of related Sigma rules to keep track of the relationships between detections. This can be used to indicate that a rule is derived from another rule, or that a rule has been obsoleted by another rule.",
"items": {
"type": "object",
"required": ["id", "type"],
"properties": {
"id": {
"type": "string",
"description": "A globally unique identifier for the Sigma rule. This is recommended to be a UUID v4, but not mandatory.",
"format": "uuid"
},
"type": {
"type": "string",
"oneOf": [
{
"const": "derived",
"description": "The rule was derived from the referred rule or rules, which may remain active"
},
{
"const": "obsolete",
"description": "The rule obsoletes the referred rule or rules, which aren't used anymore"
},
{
"const": "merged",
"description": "The rule was merged from the referred rules. The rules may be still existing and in use"
},
{
"const": "renamed",
"description": "The rule had previously the referred identifier or identifiers but was renamed for whatever reason, e.g. from a private naming scheme to UUIDs, to resolve collisions etc. It's not expected that a rule with this id exists anymore"
},
{
"const": "similar",
"description": "Use to relate similar rules to each other (e.g. same detection content applied to different log sources, rule that is a modified version of another rule with a different level)"
}
]
}
}
}
},
"name": {
"type": "string",
"maxLength": 256,
"description": "a unique human-readable name that can be used instead of the id as a reference in correlation rules"
},
"taxonomy":{
"type": "string",
"maxLength": 256,
"description": "Defines the taxonomy used in the Sigma rule"
},
"status": {
"type": "string",
"oneOf": [
{
"const": "stable",
"description": "The rule didn't produce any obvious false positives in multiple environments over a long period of time"
},
{
"const": "test",
"description": "The rule doesn't show any obvious false positives on a limited set of test systems"
},
{
"const": "experimental",
"description": "A new rule that hasn't been tested outside of lab environments and could lead to many false positives"
},
{
"const": "deprecated",
"description": "The rule was replaced or is now covered by another one. The link between both rules is made via the `related` field"
},
{
"const": "unsupported",
"description": "The rule can not be used in its current state (special correlation log, home-made fields, etc.)"
}
]
},
"description": {
"type": "string",
"description": "A short description of the rule and the malicious activity that can be detected",
"maxLength": 65535
},
"license": {
"type": "string",
"description": "License of the rule according the SPDX ID specification (https://spdx.dev/ids/)"
},
"author": {
"type": "string",
"description": "Creator of the rule. (can be a name, nickname, twitter handle, etc.)"
},
"references": {
"type": "array",
"description": "References to the source that the rule was derived from. These could be blog articles, technical papers, presentations or even tweets",
"uniqueItems": true,
"items": {
"type": "string"
}
},
"date": {
"type": "string",
"description": "Creation date of the rule. Use the ISO 8601 format YYYY-MM-DD",
"pattern": "^\\d{4}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])$"
},
"modified": {
"type": "string",
"description": "Last modification date of the rule. Use the ISO 8601 format YYYY-MM-DD",
"pattern": "^\\d{4}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])$"
},
"logsource": {
"type": "object",
"description": "The log source that the rule is supposed to detect malicious activity in.",
"properties": {
"category": {
"description": "Group of products, like firewall or process_creation",
"type": "string"
},
"product": {
"description": "A certain product, like windows",
"type": "string"
},
"service": {
"description": "A subset of a product's logs, like sshd",
"type": "string"
},
"definition":{
"description": "can be used to describe the log source",
"type": "string"
}
}
},
"detection": {
"type": "object",
"required": ["condition"],
"description": "A set of search-identifiers that represent properties of searches on log data",
"additionalProperties": {
"description": "A Search Identifier: A definition that can consist of two different data structures - lists and maps.",
"anyOf": [
{
"type": "array",
"items": {
"anyOf": [
{
"type": "string"
},
{
"type": "integer"
},
{
"type": "object",
"items": {
"type": "string"
}
}
]
}
},
{
"type": "object",
"items": {
"type": "string"
}
}
]
},
"properties": {
"condition": {
"type": "string",
"description": "The relationship between the search identifiers to create the detection logic. Ex: selection1 or selection2"
}
}
},
"fields": {
"type": "array",
"description": "A list of log fields that could be interesting in further analysis of the event and should be displayed to the analyst",
"uniqueItems": true,
"items": {
"type": "string"
}
},
"falsepositives": {
"description": "A list of known false positives that may occur",
"uniqueItems": true,
"anyOf": [
{
"type": "string",
"minLength": 2
},
{
"type": "array",
"items": {
"type": "string",
"minLength": 2
}
}
]
},
"level": {
"type": "string",
"description": "The criticality of a triggered rule",
"oneOf": [
{
"const": "informational",
"description": "Rule is intended for enrichment of events, e.g. by tagging them. No case or alerting should be triggered by such rules because it is expected that a huge amount of events will match these rules"
},
{
"const": "low",
"description": "Notable event but rarely an incident. Low rated events can be relevant in high numbers or combination with others. Immediate reaction shouldn't be necessary, but a regular review is recommended"
},
{
"const": "medium",
"description": "Relevant event that should be reviewed manually on a more frequent basis"
},
{
"const": "high",
"description": "Relevant event that should trigger an internal alert and requires a prompt review"
},
{
"const": "critical",
"description": "Highly relevant event that indicates an incident. Critical events should be reviewed immediately. It is used only for cases in which probability borders certainty"
}
]
},
"tags": {
"description": "Tags to categorize a Sigma rule.",
"type": "array",
"uniqueItems": true,
"items": {
"type": "string",
"pattern": "^[a-z0-9_-]+\\.[a-z0-9._-]+$"
}
},
"scope":{
"description": "A list of intended scope of the rule",
"type": "array",
"items": {
"type": "string",
"minLength": 2
}
}
}
}
tests/validate-sigma-schema/validate.py
+1 -1
View File
@@ -41,7 +41,7 @@ def get_envs() -> Dict[str, Any]:
sigma_schema_file = os.environ.get("SIGMA_SCHEMA_FILE")
sigma_schema_url = os.environ.get(
"SIGMA_SCHEMA_URL",
"https://raw.githubusercontent.com/SigmaHQ/sigma-specification/main/sigma-schema.json",
"https://raw.githubusercontent.com/SigmaHQ/sigma-specification/refs/heads/main/json-schema/sigma-detection-rule-schema.json",
)
return {