
{
"title": "Sigma rule specification V1.0.4 (2023/06/29)",
"type": "object",
"required": ["title", "logsource", "detection"],
"properties": {
"title": {
"type": "string",
"maxLength": 256,
"description": "A brief title for the rule that should state what the rule is supposed to detect"
},
"id": {
"type": "string",
"description": "A globally unique identifier for the Sigma rule. This is recommended to be a UUID v4, but not mandatory.",
"format": "uuid"
},
"related": {
"type": "array",
"description": "A list of related Sigma rules to keep track of the relationships between detections. This can be used to indicate that a rule is derived from another rule, or that a rule has been obsoleted by another rule.",
"items": {
"type": "object",
"required": ["id", "type"],
"properties": {
"id": {
"type": "string",
"description": "A globally unique identifier for the Sigma rule. This is recommended to be a UUID v4, but not mandatory.",
"format": "uuid"
},
"type": {
"type": "string",
"oneOf": [
{
"const": "derived",
"description": "The rule was derived from the referred rule or rules, which may remain active"
},
{
"const": "obsoletes",
"description": "The rule obsoletes the referred rule or rules, which aren't used anymore"
},
{
"const": "merged",
"description": "The rule was merged from the referred rules. The rules may be still existing and in use"
},
{
"const": "renamed",
"description": "The rule previously had the referred identifier or identifiers but was renamed for whatever reason, e.g. from a private naming scheme to UUIDs, to resolve collisions, etc. It's not expected that a rule with this id exists anymore"
},
{
"const": "similar",
"description": "Use to relate similar rules to each other (e.g. same detection content applied to different log sources, or a rule that is a modified version of another rule with a different level)"
}
]
}
}
}
},
"status": {
"type": "string",
"oneOf": [
{
"const": "stable",
"description": "The rule didn't produce any obvious false positives in multiple environments over a long period of time"
},
{
"const": "test",
"description": "The rule doesn't show any obvious false positives on a limited set of test systems"
},
{
"const": "experimental",
"description": "A new rule that hasn't been tested outside of lab environments and could lead to many false positives"
},
{
"const": "deprecated",
"description": "The rule is replaced or covered by another one. The link between both rules is made via the `related` field"
},
{
"const": "unsupported",
"description": "The rule cannot be used in its current state (special correlation log, home-made fields, etc.)"
}
]
},
"description": {
"type": "string",
"description": "A short description of the rule and the malicious activity that can be detected",
"maxLength": 65535
},
"license": {
"type": "string",
"description": "License of the rule according to the SPDX ID specification (https://spdx.dev/ids/)"
},
"author": {
"type": "string",
"description": "Creator of the rule (can be a name, nickname, Twitter handle, etc.)"
},
"references": {
"type": "array",
"description": "References to the source that the rule was derived from. These could be blog articles, technical papers, presentations or even tweets",
"items": {
"type": "string"
}
},
"date": {
"type": "string",
"description": "Creation date of the rule. Use the format YYYY/MM/DD",
"pattern": "^\\d{4}/(0[1-9]|1[012])/(0[1-9]|[12][0-9]|3[01])$"
},
"modified": {
"type": "string",
"description": "Last modification date of the rule. Use the format YYYY/MM/DD",
"pattern": "^\\d{4}/(0[1-9]|1[012])/(0[1-9]|[12][0-9]|3[01])$"
},
"logsource": {
"type": "object",
"description": "The log source that the rule is supposed to detect malicious activity in.",
"items": {
"type": "string"
}
},
"detection": {
"type": "object",
"required": ["condition"],
"description": "A set of search-identifiers that represent properties of searches on log data",
"additionalProperties": {
"anyOf": [
{
"type": "array",
"items": {
"anyOf": [
{
"type": "string"
},
{
"type": "integer"
},
{
"type": "object",
"items": {
"type": "string"
}
}
]
}
},
{
"type": "object",
"items": {
"type": "string"
}
}
]
},
"properties": {
"condition": {
"anyOf": [
{
"type": "string",
"description": "A search condition that is applied to the log data. The following format must be used: fieldname : value"
},
{
"type": "array",
"items": {
"type": "string",
"minLength": 2
}
}
],
"description": "A set of search-identifiers that represent properties of searches on log data"
}
}
},
"fields": {
"type": "array",
"description": "A list of log fields that could be interesting in further analysis of the event and should be displayed to the analyst",
"items": {
"type": "string"
}
},
"falsepositives": {
"description": "A list of known false positives that may occur",
"anyOf": [
{
"type": "string",
"minLength": 2
},
{
"type": "array",
"items": {
"type": "string",
"minLength": 2
}
}
]
},
"level": {
"type": "string",
"description": "The criticality of a triggered rule",
"oneOf": [
{
"const": "informational",
"description": "Rule is intended for enrichment of events, e.g. by tagging them. No case or alerting should be triggered by such rules because it is expected that a huge amount of events will match these rules"
},
{
"const": "low",
"description": "Notable event but rarely an incident. Low rated events can be relevant in high numbers or combination with others. Immediate reaction shouldn't be necessary, but a regular review is recommended"
},
{
"const": "medium",
"description": "Relevant event that should be reviewed manually on a more frequent basis"
},
{
"const": "high",
"description": "Relevant event that should trigger an internal alert and requires a prompt review"
},
{
"const": "critical",
"description": "Highly relevant event that indicates an incident. Critical events should be reviewed immediately. It is used only for cases in which probability borders certainty"
}
]
},
"tags": {
"type": "array",
"items": {
"type": "string",
"pattern": "^[a-z0-9_.-]+$"
}
}
}
}