# SIGMA Rule Templates

This directory contains YAML template files for generating SIGMA rules automatically based on CVE and PoC data.
## Template Structure

Each template file is a YAML file with the following structure:

```yaml
template_name: "Template Name"
description: "Description of what this template detects"
applicable_product_patterns:
  - "pattern1"
  - "pattern2"
template_content: |
  title: {{TITLE}}
  id: {{RULE_ID}}
  # ... SIGMA rule content with placeholders
```
### Template Fields

- `template_name`: Human-readable name for the template
- `description`: What the template is designed to detect
- `applicable_product_patterns`: List of keywords that help match CVEs to this template
- `template_content`: The actual SIGMA rule template with placeholders, written as a YAML block scalar (`|`), so every line of the rule body must be indented under it
### Placeholders

Templates use the following placeholders, which are replaced during rule generation:

- `{{TITLE}}`: Rule title based on the CVE
- `{{RULE_ID}}`: Unique rule identifier
- `{{DESCRIPTION}}`: CVE description and context
- `{{DATE}}`: Rule creation date
- `{{REFERENCES}}`: CVE references and PoC URLs
- `{{TAGS}}`: Relevant tags based on CVE data
- `{{LEVEL}}`: Severity level (low, medium, high, critical)
- `{{PROCESSES}}`: Process names from PoC analysis
- `{{COMMANDS}}`: Command patterns from PoC analysis
- `{{FILES}}`: File paths from PoC analysis
- `{{NETWORK}}`: Network indicators from PoC analysis
- `{{URLS}}`: URL patterns from PoC analysis
- `{{REGISTRY}}`: Registry keys from PoC analysis

Values that come from PoC analysis are extracted from third-party exploit code; treat them as untrusted text when they are substituted into a rule.
## Available Templates

### Core Categories

- `process_execution.yaml` - Process creation and execution
- `network_connection.yaml` - Network connections and communications
- `file_system_activity.yaml` - File system operations
- `registry_modification.yaml` - Windows registry changes

### Attack Techniques

- `powershell_execution.yaml` - PowerShell-based attacks
- `web_application_attack.yaml` - Web application vulnerabilities
- `command_injection.yaml` - Command injection attacks
- `privilege_escalation.yaml` - Privilege escalation attempts
- `credential_access.yaml` - Credential theft and access
- `persistence.yaml` - Persistence mechanisms
- `lateral_movement.yaml` - Lateral movement techniques
- `service_manipulation.yaml` - Windows service manipulation
## Usage

### Initialize Templates

```bash
# Load all templates into the database
docker-compose exec backend python initialize_templates.py

# List available templates
docker-compose exec backend python initialize_templates.py list
```
### Adding New Templates

- Create a new YAML file in this directory
- Follow the template structure above
- Choose appropriate `applicable_product_patterns` keywords
- Use relevant placeholders in your `template_content`
- Run the initialization script to load the template into the database
### Template Matching

Templates are automatically matched to CVEs based on:
- Product patterns matching CVE affected products
- PoC analysis indicators
- CVE description keywords
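The matcher below is an added illustration of the three signals listed above, not the generator's own matching code (whose weights are not documented here). It reads the indicator types a template needs from the placeholders in its `template_content`, scores `applicable_product_patterns` against the CVE's affected products and description, and drops templates whose indicator placeholders the PoC analysis could not fill. The template metadata and the CVE record are constructed for the example, and the weights (3 for a product match, 1 for a description match, 2 per usable indicator type) are an assumption.

```python
"""Rank SIGMA templates against one CVE record (added example, not the project's matcher)."""
import re

# Constructed, abbreviated template metadata in this directory's schema. Only the
# placeholders in template_content matter for matching, so the rule body is reduced to them.
TEMPLATES = {
    "web_application_attack.yaml": {
        "applicable_product_patterns": ["apache", "nginx", "web", "http"],
        "template_content": "title: {{TITLE}}\ndetection:\n  selection:\n    cs-uri-query|contains:\n      {{URLS}}\n",
    },
    "powershell_execution.yaml": {
        "applicable_product_patterns": ["powershell", "windows"],
        "template_content": "title: {{TITLE}}\ndetection:\n  selection:\n    CommandLine|contains:\n      {{COMMANDS}}\n",
    },
    "registry_modification.yaml": {
        "applicable_product_patterns": ["windows", "registry"],
        "template_content": "title: {{TITLE}}\ndetection:\n  selection:\n    TargetObject|contains:\n      {{REGISTRY}}\n",
    },
}

# Placeholder name -> key under which PoC analysis reports that indicator type (assumed layout).
INDICATOR_PLACEHOLDERS = {
    "PROCESSES": "processes", "COMMANDS": "commands", "FILES": "files",
    "NETWORK": "network", "URLS": "urls", "REGISTRY": "registry",
}

def tokens(text):
    """Lower-case alphanumeric tokens, so 'Example Web Server 2.1' matches the pattern 'web'."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def required_indicators(template_content):
    """Indicator types a template needs, read from the placeholders it uses."""
    names = set(re.findall(r"\{\{(\w+)\}\}", template_content))
    return {INDICATOR_PLACEHOLDERS[n] for n in names if n in INDICATOR_PLACEHOLDERS}

def score_template(meta, cve):
    """Higher is a better match; 0 means the template does not apply."""
    product_tokens = tokens(" ".join(cve["affected_products"]))
    description_tokens = tokens(cve["description"])
    score = 0
    for pattern in meta["applicable_product_patterns"]:
        p = pattern.lower()
        if p in product_tokens:
            score += 3      # pattern names an affected product: strongest signal
        elif p in description_tokens:
            score += 1      # pattern only appears in the description text
    # A template whose placeholders need indicators the PoC did not yield cannot be filled.
    needed = required_indicators(meta["template_content"])
    available = {k for k, v in cve["poc_indicators"].items() if v}
    if needed and not needed <= available:
        return 0
    return score + 2 * len(needed & available)

def rank_templates(cve, templates=TEMPLATES):
    """Template file names with a positive score, best match first."""
    scored = [(score_template(m, cve), name) for name, m in templates.items()]
    return [(name, s) for s, name in sorted(scored, key=lambda x: (-x[0], x[1])) if s > 0]

# Constructed CVE + PoC record; not a real advisory.
CVE = {
    "affected_products": ["Example Web Server 2.1"],
    "description": "Path traversal in the web management interface allows remote code "
                   "execution via a crafted HTTP request",
    "poc_indicators": {"urls": ["/manage/export"], "network": ["tcp/8080"],
                       "processes": [], "commands": [], "files": [], "registry": []},
}

if __name__ == "__main__":
    print(rank_templates(CVE))
```

Reading the needed indicator types from the placeholders rather than from a separate field keeps the matcher honest: a template that is selected is one the generator can actually fill, so no rule is emitted with an empty `Image|endswith:` list.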
## Best Practices

- Specific Patterns: Use specific product patterns for better matching; a keyword shared by many products will pull the template into CVEs it does not fit
- False Positives: List realistic false positive scenarios for the activity rather than a generic entry such as "Legitimate use cases"
- Conditions: Use appropriate SIGMA detection conditions
- Log Sources: Match the log source to the type of activity being detected (for example `process_creation` for process indicators)
- Severity: Set the severity level from the impact of the attack the rule detects
## Example Template

```yaml
template_name: "Example Detection"
description: "Detects example malicious activity"
applicable_product_patterns:
  - "example"
  - "software"
template_content: |
  title: {{TITLE}}
  id: {{RULE_ID}}
  status: experimental
  description: {{DESCRIPTION}}
  author: CVE-SIGMA Auto Generator
  date: {{DATE}}
  references:
  {{REFERENCES}}
  tags:
  {{TAGS}}
  logsource:
    category: process_creation
    product: windows
  detection:
    selection:
      Image|endswith:
        {{PROCESSES}}
    condition: selection
  falsepositives:
    - Legitimate use cases
  level: {{LEVEL}}
```
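The renderer below is an added example of filling this template and is not the generator's own code. It covers the two things a plain string replacement gets wrong: `{{REFERENCES}}`, `{{TAGS}}` and the PoC-derived placeholders stand where YAML expects a list, so each value has to become a `- item` line at the right indentation; and PoC-derived values are text lifted from someone else's exploit code, so they are emitted as double-quoted YAML scalars (JSON string syntax is valid YAML) instead of being spliced in raw, where a value containing `: ` or a newline could add or alter rule keys. The `TEMPLATE` string is the body of the example `template_content` above; the values, the deterministic UUIDv5 rule id and the validation checks are assumptions made for the example.

```python
"""Render the README's example template into a SIGMA rule (added example, not the project's code)."""
import json
import re
import uuid

# Body of the example template_content block scalar above, with the outer indentation removed.
TEMPLATE = """\
title: {{TITLE}}
id: {{RULE_ID}}
status: experimental
description: {{DESCRIPTION}}
author: CVE-SIGMA Auto Generator
date: {{DATE}}
references:
{{REFERENCES}}
tags:
{{TAGS}}
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      {{PROCESSES}}
  condition: selection
falsepositives:
  - Legitimate use cases
level: {{LEVEL}}
"""

LIST_PLACEHOLDERS = {"REFERENCES", "TAGS", "PROCESSES", "COMMANDS", "FILES",
                     "NETWORK", "URLS", "REGISTRY"}
LEVELS = {"low", "medium", "high", "critical"}
REQUIRED_KEYS = ("title", "id", "status", "description", "date", "logsource", "detection", "level")

def yaml_scalar(value):
    """Quote an untrusted value as a double-quoted YAML scalar (JSON escaping is YAML-compatible)."""
    return json.dumps(str(value))

def render(template, values):
    """Substitute placeholders; raises KeyError if the template needs a value we do not have."""
    out, prev_indent = [], 0
    for line in template.splitlines():
        whole = re.fullmatch(r"(\s*)\{\{(\w+)\}\}\s*", line)
        if whole and whole.group(2) in LIST_PLACEHOLDERS:
            name = whole.group(2)
            if name not in values:
                raise KeyError(name)
            # List items go at the placeholder's own indent, or just inside the parent key.
            indent = " " * max(len(whole.group(1)), prev_indent + 2)
            if values[name]:
                out.extend(f"{indent}- {yaml_scalar(v)}" for v in values[name])
            else:
                out.append(f"{indent}[]")       # explicit empty list keeps the YAML valid
            continue
        def sub(m):
            if m.group(1) not in values:
                raise KeyError(m.group(1))
            return yaml_scalar(values[m.group(1)])
        out.append(re.sub(r"\{\{(\w+)\}\}", sub, line))
        if line.strip():
            prev_indent = len(line) - len(line.lstrip())
    return "\n".join(out) + "\n"

def validate(rule):
    """Structural checks a generated rule should pass before it is stored; [] means OK."""
    problems = []
    for key in REQUIRED_KEYS:
        if not re.search(rf"^{key}:", rule, re.M):
            problems.append(f"missing top-level key: {key}")
    level = re.search(r'^level: "([^"]*)"$', rule, re.M)
    if not level or level.group(1) not in LEVELS:
        problems.append("level must be one of low, medium, high, critical")
    rule_id = re.search(r'^id: "([^"]*)"$', rule, re.M)
    try:
        uuid.UUID(rule_id.group(1) if rule_id else "")
    except ValueError:
        problems.append("id is not a UUID")
    if "{{" in rule:
        problems.append("unreplaced placeholder")
    return problems

# Constructed input standing in for the generator's CVE/PoC extraction output.
# The second process name is deliberately hostile: a PoC string carrying an embedded newline
# and a 'condition:' key, which raw substitution would turn into rule structure.
VALUES = {
    "TITLE": "Example Software RCE - PoC Process Execution",
    "RULE_ID": str(uuid.uuid5(uuid.NAMESPACE_URL, "example-software-rce")),  # stable per CVE (assumed scheme)
    "DESCRIPTION": "Detects processes launched by the public PoC for the example CVE",
    "DATE": "2024/01/01",  # fixed so the output is reproducible
    "REFERENCES": ["https://example.com/poc"],
    "TAGS": ["attack.execution", "cve.example"],
    "PROCESSES": ["\\mshta.exe", "\\rundll32.exe\n  condition: 1 of them"],
    "LEVEL": "high",
}

if __name__ == "__main__":
    rule = render(TEMPLATE, VALUES)
    print(rule)
    print("problems:", validate(rule) or "none")
```

Run it and the hostile process name comes out as one quoted item, `- "\\rundll32.exe\n  condition: 1 of them"`, so the rule keeps its single `condition: selection`; the same input pasted in unquoted would have produced a second `condition:` key and a rule that no longer means what its title says.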