# SIGMA Rule Templates

This directory contains YAML template files for generating SIGMA rules automatically from CVE and PoC data.

## Template Structure

Each template file is a YAML file with the following structure:

```yaml
template_name: "Template Name"
description: "Description of what this template detects"
applicable_product_patterns:
  - "pattern1"
  - "pattern2"
template_content: |
  title: {{TITLE}}
  id: {{RULE_ID}}
  # ... SIGMA rule content with placeholders
```

## Template Fields

- **template_name**: Human-readable name for the template
- **description**: What the template is designed to detect
- **applicable_product_patterns**: List of keywords used to match CVEs to this template
- **template_content**: The actual SIGMA rule template, with placeholders

## Placeholders

Templates use the following placeholders, which are replaced during rule generation:

- `{{TITLE}}`: Rule title based on the CVE
- `{{RULE_ID}}`: Unique rule identifier
- `{{DESCRIPTION}}`: CVE description and context
- `{{DATE}}`: Rule creation date
- `{{REFERENCES}}`: CVE references and PoC URLs
- `{{TAGS}}`: Relevant tags based on CVE data
- `{{LEVEL}}`: Severity level (low, medium, high, critical)
- `{{PROCESSES}}`: Process names from PoC analysis
- `{{COMMANDS}}`: Command patterns from PoC analysis
- `{{FILES}}`: File paths from PoC analysis
- `{{NETWORK}}`: Network indicators from PoC analysis
- `{{URLS}}`: URL patterns from PoC analysis
- `{{REGISTRY}}`: Registry keys from PoC analysis

## Available Templates

### Core Categories

1. **process_execution.yaml** - Process creation and execution
2. **network_connection.yaml** - Network connections and communications
3. **file_system_activity.yaml** - File system operations
4. **registry_modification.yaml** - Windows registry changes

### Attack Techniques

5. **powershell_execution.yaml** - PowerShell-based attacks
6. **web_application_attack.yaml** - Web application vulnerabilities
7. **command_injection.yaml** - Command injection attacks
8. **privilege_escalation.yaml** - Privilege escalation attempts
9. **credential_access.yaml** - Credential theft and access
10. **persistence.yaml** - Persistence mechanisms
11. **lateral_movement.yaml** - Lateral movement techniques
12. **service_manipulation.yaml** - Windows service manipulation

## Usage

### Initialize Templates

```bash
# Load all templates into the database
docker-compose exec backend python initialize_templates.py

# List available templates
docker-compose exec backend python initialize_templates.py list
```

### Adding New Templates

1. Create a new YAML file in this directory
2. Follow the template structure above
3. Choose appropriate `applicable_product_patterns` keywords
4. Use the relevant placeholders in your `template_content`
5. Run the initialization script to load the template into the database

### Template Matching

Templates are automatically matched to CVEs based on:

- Product patterns matching the CVE's affected products
- PoC analysis indicators
- CVE description keywords

## Best Practices

1. **Specific Patterns**: Use specific product patterns for better matching
2. **False Positives**: Include realistic false positive scenarios
3. **Conditions**: Use appropriate SIGMA detection conditions
4. **Log Sources**: Match log sources to the type of activity being detected
5. **Severity**: Use appropriate severity levels based on the attack impact

## Example Template

```yaml
template_name: "Example Detection"
description: "Detects example malicious activity"
applicable_product_patterns:
  - "example"
  - "software"
template_content: |
  title: {{TITLE}}
  id: {{RULE_ID}}
  status: experimental
  description: {{DESCRIPTION}}
  author: CVE-SIGMA Auto Generator
  date: {{DATE}}
  references: {{REFERENCES}}
  tags: {{TAGS}}
  logsource:
    category: process_creation
    product: windows
  detection:
    selection:
      Image|endswith: {{PROCESSES}}
    condition: selection
  falsepositives:
    - Legitimate use cases
  level: {{LEVEL}}
```
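The pattern matching and placeholder substitution described above, as an added Python sketch that is not part of this project's generator: the function names, the `{{NAME}}` regex, and the rendering of list-valued placeholders as YAML flow sequences are assumptions, and the template string is a constructed copy of the example template.

```python
import re

PLACEHOLDER_RE = re.compile(r"\{\{([A-Z_]+)\}\}")

# Constructed template_content, mirroring the README's example template.
EXAMPLE_TEMPLATE = """\
title: {{TITLE}}
id: {{RULE_ID}}
status: experimental
description: {{DESCRIPTION}}
author: CVE-SIGMA Auto Generator
date: {{DATE}}
references: {{REFERENCES}}
tags: {{TAGS}}
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: {{PROCESSES}}
  condition: selection
falsepositives:
  - Legitimate use cases
level: {{LEVEL}}
"""

def matches_template(patterns, cve_text):
    """Return the applicable_product_patterns found in a CVE's product/description text."""
    text = cve_text.lower()
    return [p for p in patterns if p.lower() in text]

def as_yaml_list(items):
    """Render a list as a single-quoted YAML flow sequence (backslash paths stay literal)."""
    return "[" + ", ".join("'" + i.replace("'", "''") + "'" for i in items) + "]"

def missing_placeholders(template_content, values):
    """Placeholders present in the template for which no value was supplied."""
    return sorted(set(PLACEHOLDER_RE.findall(template_content)) - set(values))

def render_template(template_content, values):
    """Fill every placeholder; refuse to emit a half-filled rule rather than store it."""
    missing = missing_placeholders(template_content, values)
    if missing:
        raise KeyError(f"unfilled placeholders: {missing}")
    def sub(m):
        v = values[m.group(1)]
        return as_yaml_list(v) if isinstance(v, list) else str(v)
    return PLACEHOLDER_RE.sub(sub, template_content)
```

Call `matches_template(template["applicable_product_patterns"], cve_text)` to decide whether a template applies, then `render_template(template["template_content"], values)` with one entry per placeholder the template uses.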