Type object
File match **/sigma/**/*.yml
Schema URL https://catalog.lintel.tools/schemas/schemastore/sigma-detection-rule/latest.json
Source https://raw.githubusercontent.com/SigmaHQ/sigma-specification/main/json-schema/sigma-detection-rule-schema.json

Validate with Lintel

npx @lintel/lintel check
Type: object

Properties

title string required

A brief title for the rule that should contain what the rule is supposed to detect

maxLength=256
logsource object required

The log source that the rule is supposed to detect malicious activity in.

4 nested properties
category string

Group of products, like firewall or process_creation

product string

A certain product, like windows

service string

A subset of a product's logs, like sshd

definition string

Can be used to describe the log source

detection Record<string, string | integer | object[] | object> required

A set of search-identifiers that represent properties of searches on log data

1 nested property
condition string required

The relationship between the search identifiers to create the detection logic. Ex: selection1 or selection2

id string

A globally unique identifier for the Sigma rule. This is recommended to be a UUID v4, but not mandatory.

format=uuid
name string

A unique human-readable name that can be used instead of the id as a reference in correlation rules

maxLength=256
taxonomy string

Defines the taxonomy used in the Sigma rule

maxLength=256
status string

One of: "stable", "test", "experimental", "deprecated", "unsupported"
description string

A short description of the rule and the malicious activity that can be detected

maxLength=65535
license string

License of the rule according to the SPDX ID specification (https://spdx.dev/ids/)

author string

Creator of the rule. (can be a name, nickname, twitter handle, etc.)

references string[]

References to the source that the rule was derived from. These could be blog articles, technical papers, presentations or even tweets

uniqueItems=true
date string

Creation date of the rule. Use the ISO 8601 format YYYY-MM-DD

pattern=^\d{4}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])$
modified string

Last modification date of the rule. Use the ISO 8601 format YYYY-MM-DD

pattern=^\d{4}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])$
fields string[]

A list of log fields that could be interesting in further analysis of the event and should be displayed to the analyst

uniqueItems=true
falsepositives string[]

A list of known false positives that may occur

uniqueItems=true
level string

The criticality of a triggered rule

One of: "informational", "low", "medium", "high", "critical"
tags string[]

Tags to categorize a Sigma rule.

uniqueItems=true
scope string[]

A list of the intended scopes of the rule
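The constraints listed above (required properties, maxLength limits, the date pattern, the status and level enumerations, uniqueItems on the list properties) can be checked before a rule is committed. The following is an added example, not SigmaHQ's schema validator or the Lintel tool: a small Python checker that re-implements those constraints and runs them over two constructed sample rules, one that passes and one that violates several rules at once. The function name `validate_sigma_rule`, the sample rules and the error strings are all assumptions made for this example; a real rule file would be loaded with `yaml.safe_load` (PyYAML) to obtain the dict the function expects.

```python
"""Added example: check a Sigma rule dict against the constraints on this page.

Not SigmaHQ's validator and not Lintel; it re-implements the required
properties, maxLength limits, date pattern, enumerations and uniqueItems
rules from the schema description in plain Python.
"""
import re

# Date pattern copied from the schema description; the UUID pattern is the
# RFC 4122 textual form, used here to check "format=uuid" on the id field.
DATE_RE = re.compile(r"^\d{4}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])$")
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)

REQUIRED = ("title", "logsource", "detection")
MAX_LENGTH = {"title": 256, "name": 256, "taxonomy": 256, "description": 65535}
STATUS_VALUES = {"stable", "test", "experimental", "deprecated", "unsupported"}
LEVEL_VALUES = {"informational", "low", "medium", "high", "critical"}
LOGSOURCE_KEYS = ("category", "product", "service", "definition")
UNIQUE_STRING_LISTS = ("references", "fields", "falsepositives", "tags", "scope")


def validate_sigma_rule(rule: dict) -> list[str]:
    """Return a list of constraint violations; an empty list means the rule passes."""
    errors: list[str] = []

    for key in REQUIRED:
        if key not in rule:
            errors.append(f"missing required property: {key}")

    for key, limit in MAX_LENGTH.items():
        value = rule.get(key)
        if value is None:
            continue
        if not isinstance(value, str):
            errors.append(f"{key} must be a string")
        elif len(value) > limit:
            errors.append(f"{key} exceeds maxLength={limit}")

    logsource = rule.get("logsource")
    if logsource is not None:
        if not isinstance(logsource, dict):
            errors.append("logsource must be an object")
        else:
            for key in LOGSOURCE_KEYS:
                if key in logsource and not isinstance(logsource[key], str):
                    errors.append(f"logsource.{key} must be a string")

    detection = rule.get("detection")
    if detection is not None:
        if not isinstance(detection, dict):
            errors.append("detection must be an object")
        elif not isinstance(detection.get("condition"), str):
            errors.append("detection.condition is required and must be a string")

    if "id" in rule and not UUID_RE.match(str(rule["id"])):
        errors.append("id does not match format=uuid")
    if "status" in rule and rule["status"] not in STATUS_VALUES:
        errors.append(f"status must be one of {sorted(STATUS_VALUES)}")
    if "level" in rule and rule["level"] not in LEVEL_VALUES:
        errors.append(f"level must be one of {sorted(LEVEL_VALUES)}")

    # The schema declares date/modified as strings. An unquoted YAML date loads
    # as a date object in PyYAML, so str() is applied before matching the pattern.
    for key in ("date", "modified"):
        value = rule.get(key)
        if value is not None and not DATE_RE.match(str(value)):
            errors.append(f"{key} must match the YYYY-MM-DD pattern")

    for key in UNIQUE_STRING_LISTS:
        value = rule.get(key)
        if value is None:
            continue
        if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
            errors.append(f"{key} must be a list of strings")
        elif len(set(value)) != len(value):
            errors.append(f"{key} contains duplicate entries (uniqueItems=true)")

    return errors


# Constructed sample rules (not real SigmaHQ rules) used to exercise the checker.
GOOD_RULE = {
    "title": "Whoami Execution (constructed sample)",
    "id": "0f4e1a2b-3c4d-4e5f-8a9b-0c1d2e3f4a5b",
    "status": "test",
    "description": "Constructed sample rule used only to exercise the checker.",
    "author": "example author",
    "date": "2024-01-15",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {"selection": {"Image|endswith": "\\whoami.exe"}, "condition": "selection"},
    "falsepositives": ["Administrator activity"],
    "level": "low",
    "tags": ["attack.discovery"],
}

BAD_RULE = {
    "title": "x" * 300,                       # over maxLength=256
    "id": "not-a-uuid",                       # fails format=uuid
    "status": "draft",                        # not in the status enumeration
    "date": "2024-13-01",                     # month 13 fails the date pattern
    "logsource": {"product": "windows"},
    "detection": {"selection": {"Image|endswith": "\\whoami.exe"}},  # no condition
    "tags": ["attack.discovery", "attack.discovery"],                 # duplicate
    "level": "urgent",                        # not in the level enumeration
}

if __name__ == "__main__":
    for name, rule in (("GOOD_RULE", GOOD_RULE), ("BAD_RULE", BAD_RULE)):
        print(name, validate_sigma_rule(rule) or "passes")
```

The checker deliberately keeps `detection` opaque beyond requiring `condition`, because the schema only constrains the search-identifier map loosely (strings, integers, objects or lists of objects); validating the selections themselves is the job of a Sigma backend, not of schema validation.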