auto_sigma_rule_generator/backend/templates/README.md

# SIGMA Rule Templates
This directory contains YAML template files for generating SIGMA rules automatically based on CVE and PoC data.
## Template Structure
Each template file is a YAML file with the following structure:
```yaml
template_name: "Template Name"
description: "Description of what this template detects"
applicable_product_patterns:
  - "pattern1"
  - "pattern2"
template_content: |
  title: {{TITLE}}
  id: {{RULE_ID}}
  # ... SIGMA rule content with placeholders
```
## Template Fields
- **template_name**: Human-readable name for the template
- **description**: What the template is designed to detect
- **applicable_product_patterns**: List of keywords that help match CVEs to this template
- **template_content**: The actual SIGMA rule template with placeholders
## Placeholders
Templates use the following placeholders that get replaced during rule generation:
- `{{TITLE}}`: Rule title based on CVE
- `{{RULE_ID}}`: Unique rule identifier
- `{{DESCRIPTION}}`: CVE description and context
- `{{DATE}}`: Rule creation date
- `{{REFERENCES}}`: CVE references and PoC URLs
- `{{TAGS}}`: Relevant tags based on CVE data
- `{{LEVEL}}`: Severity level (low, medium, high, critical)
- `{{PROCESSES}}`: Process names from PoC analysis
- `{{COMMANDS}}`: Command patterns from PoC analysis
- `{{FILES}}`: File paths from PoC analysis
- `{{NETWORK}}`: Network indicators from PoC analysis
- `{{URLS}}`: URL patterns from PoC analysis
- `{{REGISTRY}}`: Registry keys from PoC analysis
## Available Templates
### Core Categories
1. **process_execution.yaml** - Process creation and execution
2. **network_connection.yaml** - Network connections and communications
3. **file_system_activity.yaml** - File system operations
4. **registry_modification.yaml** - Windows registry changes
### Attack Techniques
5. **powershell_execution.yaml** - PowerShell-based attacks
6. **web_application_attack.yaml** - Web application vulnerabilities
7. **command_injection.yaml** - Command injection attacks
8. **privilege_escalation.yaml** - Privilege escalation attempts
9. **credential_access.yaml** - Credential theft and access
10. **persistence.yaml** - Persistence mechanisms
11. **lateral_movement.yaml** - Lateral movement techniques
12. **service_manipulation.yaml** - Windows service manipulation
## Usage
### Initialize Templates
```bash
# Load all templates into the database
docker-compose exec backend python initialize_templates.py
# List available templates
docker-compose exec backend python initialize_templates.py list
```
### Adding New Templates
1. Create a new YAML file in this directory
2. Follow the template structure above
3. Choose appropriate `applicable_product_patterns` keywords
4. Use relevant placeholders in your `template_content`
5. Run the initialization script to load the new template into the database
### Template Matching
Templates are automatically matched to CVEs based on:
- Product patterns matching CVE affected products
- PoC analysis indicators
- CVE description keywords
## Best Practices
1. **Specific Patterns**: Use specific product patterns for better matching
2. **False Positives**: Include realistic false positive scenarios
3. **Conditions**: Use appropriate SIGMA detection conditions
4. **Log Sources**: Match log sources to the type of activity being detected
5. **Severity**: Use appropriate severity levels based on the attack impact
## Example Template
```yaml
template_name: "Example Detection"
description: "Detects example malicious activity"
applicable_product_patterns:
  - "example"
  - "software"
template_content: |
  title: {{TITLE}}
  id: {{RULE_ID}}
  status: experimental
  description: {{DESCRIPTION}}
  author: CVE-SIGMA Auto Generator
  date: {{DATE}}
  references:
    {{REFERENCES}}
  tags:
    {{TAGS}}
  logsource:
    category: process_creation
    product: windows
  detection:
    selection:
      Image|endswith:
        {{PROCESSES}}
    condition: selection
  falsepositives:
    - Legitimate use cases
  level: {{LEVEL}}
```
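As an added example (not code from this project or its `initialize_templates.py`), here is a small Python renderer for the `template_content` layout shown above: it expands list-valued placeholders such as `{{PROCESSES}}` and `{{REFERENCES}}` into YAML list items at the placeholder's own indentation, JSON-quotes scalar values so a title containing `:` cannot break the mapping, and refuses to emit a rule that still contains an unfilled placeholder. The template text and the sample values are constructed for the demo; the project's real substitution logic may differ.

```python
"""Added example (not the project's code): expand README placeholders into
a SIGMA rule body while keeping the result valid YAML."""
import json
import re

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")
LIST_LINE = re.compile(r"^(\s*)\{\{(\w+)\}\}\s*$")  # placeholder alone on a line
# Placeholders the README describes as multi-valued PoC indicators.
LIST_FIELDS = {"REFERENCES", "TAGS", "PROCESSES", "COMMANDS", "FILES",
               "NETWORK", "URLS", "REGISTRY"}

# Constructed template_content, trimmed from the README's example template.
TEMPLATE_CONTENT = """\
title: {{TITLE}}
id: {{RULE_ID}}
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      {{PROCESSES}}
  condition: selection
level: {{LEVEL}}
"""

SAMPLE_VALUES = {  # constructed values, not data from a real CVE or PoC
    "TITLE": "Example Software: Suspicious Child Process",
    "RULE_ID": "00000000-0000-4000-8000-000000000001",
    "PROCESSES": ["\\example.exe", "\\helper.exe"],
    "LEVEL": "high",
}


def render(template_content, values):
    """Return rule text; raise ValueError if any placeholder stays unfilled."""
    out = []
    for line in template_content.splitlines():
        m = LIST_LINE.match(line)
        if m and m.group(2) in LIST_FIELDS and m.group(2) in values:
            # One JSON-quoted item per value, at the placeholder's column
            # (a JSON string is also a valid YAML double-quoted scalar).
            out.extend(f"{m.group(1)}- {json.dumps(v)}" for v in values[m.group(2)])
            continue
        out.append(PLACEHOLDER.sub(
            lambda mm: json.dumps(values[mm.group(1)]) if mm.group(1) in values
            else mm.group(0), line))  # unknown names are left for the check below
    text = "\n".join(out) + "\n"
    if PLACEHOLDER.search(text):
        raise ValueError(f"unfilled placeholders: {PLACEHOLDER.findall(text)}")
    return text
```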