Loginsoft Blog - Threat Detection with SIGMA Rules (2023)

Incident Response is the action that you take to restore the ability to deliver organization business service. It is also known as IT incident, computer incident, or security incident. The main objective of the Incident Response is to handle the situation in a way that restricts damage and reduces recovery time and costs. An organization uses the incident response to respond and manage the cyber-attacks.

Loginsoft Blog - Threat Detection with SIGMA Rules (1)

(Video) What Are Sigma Rules ? Why Is It IN Trend | IN Hindi

Source: researchgate.net


  1. Incident Detection is more difficult:
    Incident Response occurs in many different ways, which makes their identification more difficult. Like an un-authorized access to the resources of sensitive data, discrepancies in outgoing network traffic, configuration alterations and many other incidents go unnoticed.
  2. Threats are more complex and difficult to understand and analyze
    Incident response requires a vast range of skills, which include static and dynamic malware analysis, reverse engineering skills and forensic knowledge. In current situation, organizations are facing problem in finding the right experienced analyst, who can perform these complex operations.
  3. Alerts & incident volumes continue to increase steadily every year.
    On an average, every organization receives nearly 17000 alerts in a week, but most of the companies do not spend much time investigating these alerts. Many organizations also face challenges to optimize and prioritize the alerts.

The security teams detect these threats in real-time, manages incident response and performs forensic investigation at various points on the network.

SIEM solutions like ArcSight and Splunk enable analysts to gain a wide understanding of threats in their environment. This enables them to optimize the triage and remediation. Also speeds up the detection thus reducing the incident response time.

SIGMA is an open standard platform which defines the detections. It enables the re-use and sharing of analytics across various organizations.


Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner for SIEM system. This format is very flexible, easy to write and applicable to any type of log file.

Loginsoft Blog - Threat Detection with SIGMA Rules (2)

Source: owasp.org


  • Sigma supports several SIEM tools like Elasticsearch, IBM QRadar and Splunk. It is intended to handle log files similar to Snort which is for network traffic and YARA for files.
  • It enables analytics to re-use and share across the organizations.
  • High level generic language for analytics
  • The most reliable method such as solving logging signature problem
  • Plain text YAML files
  • Easy Schema

Supported Formats:

  • Splunk
  • QRadar
  • ArcSight
  • Elasticsearch (Elastalert, Query strings, DSL, Watcher, & Kibana)
  • Logpoint

Rule Format:

These rules specify detection signatures, which describes the searches on log data in generic form. Each rule specifies a set of conditions that are required to satisfy the detection condition.

Loginsoft Blog - Threat Detection with SIGMA Rules (3)


The following section explains the component attributes.

  • Title (Attribute: title): A title describes the detection rules.
  • Rule Identification (Attributes: id, related): Globally defined sigma rules that are based on a unique identifier in the id attribute.
  • Description (optional) (Attribute: description): This section, describes about the rule and malicious activity.
  • References (optional) (Attribute: reference): Provides a source of information in order to derive the rule.
  • Author (optional) (Attribute: author): The author of the rule.
  • Log Source (Attribute: logsource): This section describes the log source definition from the sigma rule.

It further contains 3 types of attributes that are discussed in the below section.

  • Product: Describes the product to match all the rules.
  • Service: It should be restricted to events where the field names are set to the product logs.
  • Category: This attribute allows you to select all log files that belongs to group of products.
  • Detection (Attribute: detection): In this section, the search values in specific fields of log data are listed in selections.
  • Condition (Attribute: condition): These selections are linked in a condition.
  • Level (Attribute: level): It describes the severity of matches, may be used for filtering the rules.

Generating SIGMA rule for CVE-2009-3898

Vulnerability Analysis:

Nginx is vulnerable to “Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal”). Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. Nginx before 0.7.63 and 0.8.x before 0.8.17, allows directory traversal and does not properly validate the directory traversal characters (../), an attacker can use these characters to move or copy files to different destination. Nginx enables WebDAV component that has permission to use the COPY and MOVE methods. This attack requires WebDAV “upload” permission.

We have downloaded the required version from here.

Now let’s get back to the detection through log analysis and below is the access log from the vulnerable version of 0.7.16. - - [20/May/2020:10:03:54 +0530] "COPY /index.html HTTP/1.1" 204 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0" - - [20/May/2020:11:59:16 +0530] "MOVE /index.html HTTP/1.1" 204 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"

And the error log from the fixed version of 0.7.17

2020/05/20 13:51:31 [error] 18762#0: *5 client sent invalid "Destination" header:
"http://localhost/../var/www/abc.html", client:, server: localhost, request: "COPY /index.html HTTP/1.1", host: "localhost"

2020/05/20 13:52:59 [error] 18762#0: *6 client sent invalid "Destination" header: "http://localhost/../var/www/abc.html", client:, server: localhost, request: "MOVE /index.html HTTP/1.1", host: "localhost"

From the above fixed and vulnerable logs, we can conclude the detection patterns as follows.

  • In this vulnerable section, the request does contain “COPY” or “MOVE” methods with 204 response code.
  • In this fixed section, the error log contains following message. ‘client sent invalid “Destination” header’

This is the key phase where the analysts can find difficulty to define the customized rules for any SIEM tools. Each SIEM products contain different signatures, so a generic signature needs to be written as a common rule for any SIEM tool. In such cases, we can use Sigma to define the rules for both fixed and vulnerable detection as a single pattern.

We have written the Sigma rules based on our above detection. Here, in our research, we will use the Sigma format to describe the detection in the YAML file.

Sigma Rule for CVE-2009-3898

 title: CVE-2009-3898 Exploitation Attemptid: cf98b0cf-0b0c-4af6-bd28-6cefabd58cf8status: experimentaldescription: Detects the exploit attempt for Path Traversal Vulnerabilityreferences: - https://www.exploit-db.com/exploits/9829author: Loginsoft Research unitdate: 2020/05/27logsource: product: nginx category: webserverdetection: selection: sc-status: 204 cs-method: - 'COPY' - 'MOVE' c-uri: '*index.html' keywords: - 'client sent invalid "Destination" header' condition: selection or keywordsfalsepositives: - Unknownlevel: medium

After writing the Sigma rule, we can use either uncoder or Sigmac to convert from the sigma rule to any other SIEM tool format.

  • uncoder is an open-source tool for SIEM search query language conversion.
  • Sigmac is a python command-line tool that performs the conversion from sigma rule to the target SIEM format.

In this section, we have used the uncoder tool and converted the rule from Sigma to Splunk query as below.

Splunk Query for CVE-2009-3898

 ((sourcetype="nginx:plus:access" uri_path="*index.html" status="204" (http_method="COPY" OR http_method="MOVE")) OR (sourcetype="nginx:plus:error" "client sent invalid \"Destination\" header")) 

Upon executing the above query, we will get the following the results.

Loginsoft Blog - Threat Detection with SIGMA Rules (4)

Challenges in Rule Conversion

  • Usage of different field names
    Field name mapping from sigma rule to SIEM specific names.
  • Rules refer to subsets of values which are environment-specific
    Use place holders

How is SIGMA useful in Incident Response?

Currently, there is a lack of a standardized description format to define the log format because there are several heterogeneous environments. SIGMA renders the rules into the queries that can be transformed into the equivalent rule for Splunk, ArcSight and many others.

The rule format is very flexible, easy to write and applicable to any type of log file. The main objective of SIGMA is to provide a free structured form in which developers or analysts can describe their detection methods and make it sharable.


What are sigma detection rules? ›

Sigma rules are textual signatures written in YAML that make it possible to detect anomalies in your environment by monitoring log events that can be signs of suspicious activity and cyber threats.

What is the difference between Yara and sigma rules? ›

Like YARA, or Snort Rules, Sigma is a tool for the open sharing and crowdsourcing of threat intelligence, it focuses on SIEM instead of files or network traffic. What Snort is to network traffic, and YARA is to files, Sigma is to logs.

What is sigma in threat hunting? ›

Sigma provides a standard format for log events, in the same way YARA creates a standard format for file threat IOCs. Sigma provides a common language for SIEM platforms and malware researchers to communicate. A Sigma rule is a YAML file with standardized sections and structured fields that all vendors utilize.

What is the sigma rule meme? ›

Sigma Rules memes are originated from the term sigma male that is used for a self reliant and independent men who becomes successful in life and lives his life with his own rules, Basically Sigma rule is a rule made by a sigma male who listens to himself only.

How many sigma rules are there in the world? ›

Today there exist currently two basic types of rules:

SIGMA Rules based on matching and simple correlations, limited support, less easy to write.

What is the number 1 sigma rule? ›

1 sigma is 1 standard deviation.

The 68-95-99.7 rule tells us that 68% of the population is between -1 and +1 sigma from the average; 95% is between -2 and +2 sigma from the average; and 99.7% is between -3 and +3 sigma from the average.

Who created sigma rules? ›

Six Sigma (6σ) is a set of techniques and tools for process improvement. It was introduced by American engineer Bill Smith while working at Motorola in 1986.

What is sigma rule in simple words? ›

Sigma is an open standard for rules that allow you to describe searches on log data in generic form. These rules can be converted and applied to many log management or SIEM systems and can even be used with grep on the command line.

What is the sigma Rule 69? ›

Rule of 69 is a general rule to estimate the time that is required to make the investment to be doubled, keeping the interest rate as a continuous compounding interest rate, i.e., the interest rate is compounding every moment.

What is the sigma Rule 5? ›


What is the sigma Rule 6? ›

Sigma Rule No. 6 "I CAN DIE SINGLE BUT, I WILL NEVER DIE POOR." Important lesson I've taught don't cry about your present worst conditions, to make changes work hard and hustle for it.

Which threat hunting technique is best? ›

Digital Forensics and Incident Response (DFIR)-based threat hunting is perhaps the most advanced of the cyber threat hunting techniques. It focuses on the identification, investigation and remediation of cyberattacks within a corporate environment.

What is the sigma Rule 33? ›

Association. (a) No yacht shall be entered on the Association Register as a Sigma 33 unless a Certificate has been issued in respect of such a yacht in accordance with the Measurement Rules.

What is sigma rules for female? ›

25 Traits of a Sigma Female
  • She's the Rare Lone Wolf Woman. ...
  • She's the Original Independent Woman. ...
  • She Keeps Her Standards High and Never Compromises Them. ...
  • She's Loyal. ...
  • She Eschews Societal Standards. ...
  • She's Assertive. ...
  • She's Authentic. ...
  • She Values Honesty.
17 Aug 2022

What is the purpose of sigma rule? ›

The main focus of Sigma rules is to detect log events matching criteria established by the SoC engineer. This is especially useful for creating Incident Response detection or automated responses.

Which country has sigma? ›

Sigma Corporation (株式会社シグマ, Kabushiki-gaisha Shiguma) is a Japanese company, manufacturing cameras, lenses, flashes and other photographic accessories. All Sigma products are produced in the company's own Aizu factory in Bandai, Fukushima, Japan.

What is the sigma Rule 4? ›

HumanSigma Rule #4. Employee Engagement Create a culture that ensures employees are involved, enthusiastic and highly productive in their work and workplace.

What is the sigma Rule 3? ›

In the empirical sciences, the so-called three-sigma rule of thumb (or 3σ rule) expresses a conventional heuristic that nearly all values are taken to lie within three standard deviations of the mean, and thus it is empirically useful to treat 99.7% probability as near certainty.

What sigma level is acceptable? ›

Usually, a process with a Sigma Level of 6 or greater is usually considered as an excellent process.

Is sigma better than Alpha? ›

Alpha male vs sigma male

Sigma and alpha males are equal and share many common characteristics. They're both confident in their life choices and aim high. The main difference lies in their attitude. Sigmas choose to sit outside the hierarchy, while Alphas prefer to be at the top of it.

Why is it called sigma? ›

It's called Six Sigma because the term sigma refers to one standard deviation in a data set. The idea is that six such deviations should occur before the process results in a defect.

Is Albert Einstein a sigma? ›

Notable alumni. More than 200 winners of the Nobel Prize have been Sigma Xi members, including Albert Einstein, Enrico Fermi, Linus Pauling, Francis Crick, James Watson, and John Goodenough.

What is the meaning of sigma Rule 525? ›

Answer: Sigma is an open standard for rules that allow you to describe searches on log data in generic form.

What is the rule of 72 and 69? ›

Just like Rule of 69, there is Rule of 72. However, the rule of 72 comes in handy in case of non-continuously or simple compounding interest.
Rule of 72 vs. Rule of 69.
Interest RateRule of 72 -No of YearsRule of 69-No of Years
14.50%6.25 Yrs6.35 Yrs
23.50%3.06 Yrs3.29 Yrs
2 more rows
2 Jun 2022

What percentage is 2.5 sigma? ›

Don't be so sure
σConfidence that result is real
1.5 σ93.32%
2 σ97.73%
2.5 σ99.38%
3 σ99.87%
3 more rows

What is the 8 sigma rule? ›

What is a Sigma rule, you may ask? A Sigma rule is a generic and open, YAML-based signature format that enables a security operations team to describe relevant log events in a flexible and standardized format.

What percentage is 6 sigma? ›

Six Sigma quality – Six Sigma performance produces a defect-free product 99.99966% of the time; allowing only 3.4 errors per one million opportunities.

What is the difference between 5 sigma and 6 sigma? ›

5S focuses on eliminating waste and inefficiencies in the workplace. This methodology can be applied to every department and action that takes place. On the other hand, Six Sigma is a process improvement strategy that eliminates defects by implementing standard processes, identifying problem areas, and more.

What are three common mistakes in Six Sigma? ›

5 Common Mistakes Of Six Sigma Deployment And Ways Of Avoiding Them
  • Mistake #1: Training and Certification Goals are enough. ...
  • Solutions. ...
  • Mistake #2: Indifferent Attitude of Leadership. ...
  • Solutions. ...
  • Problem # 3: Faulty Strategies for Six Sigma Deployment. ...
  • Solutions. ...
  • Problem #4: Incorrect Six Sigma Project Selection. ...
  • Solutions.
18 Jul 2016

What is the sigma Rule 57? ›

Sigma Rule #57: The world was built on wrong rules, decisions and ideologies. We all bleed the same blood, we're all so petty. No one is ever right, we just fail so much we realize what is wrong and avoid it.

What are the 3 types of hunting? ›

Environmental philosopher Gary Varner identifies three types of hunting: therapeutic, subsistence, and sport. Each type is distinguished by the purpose it is meant to serve. Therapeutic hunting involves intentionally killing wild animals in order to conserve another species or an entire ecosystem.

What is the hardest hunting? ›

Lions and leopards and other big cats like tigers, are some of the most challenging and dangerous animals to hunt. Both lions and leopards have exceptional night vision, shrewd intelligence, fearlessness, speed and agility. A lion can cover 100 yards in 3 to 4 seconds.

What is the sigma Rule 13? ›

Never admit your mistake. Even if you are wrong. In fact make the opponent believe that he is wrong.

What is the 2 sigma rule? ›

In a normal distribution, it is postulated that things that are true 68% of the time are considered 1-Sigma events. Things that are true 95% of the time are considered 2-Sigma events and the three-Sigma rule implies that heuristically nearly all values lie within three standard deviations of the mean (3-Sigma).

What is sigma Rule No 68? ›

The empirical rule, also referred to as the three-sigma rule or 68-95-99.7 rule, is a statistical rule which states that for a normal distribution, almost all observed data will fall within three standard deviations (denoted by σ) of the mean or average (denoted by µ).

Is a 3 sigma level good? ›

Common probability dictates that 99.73% of all outcomes will fall within 3 standard deviations of the mean (above or below); this is Three Sigma. For most purposes, this is a fine system. There are very few scenarios in daily life or most professions where 99.73% certainty or accuracy is not acceptable.

Can 2 alphas be together? ›

Some people think that the only way an alpha can thrive in a relationship is if they are paired with a beta. This is damaging as a rule of thumb. Two compatible alphas in a relationship make a power couple.

What is the sigma rule for men? ›

What is a sigma male? Sigma male is a slang term used in masculinist subcultures for a popular, successful, but highly independent and self-reliant man. Another term for a sigma male is a lone wolf.

What is sigma rule examples? ›

Sigma rules can be integrated into SIEM platforms and detect different events as they happen thus helping to detect and stop them before any further damage. For example we can create †rules to detect: unauthorized actions, web/resource access, file modification, process creation and much more.

What are detection rules? ›

Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security's Detection Engine. This repository was first announced on Elastic's blog post, Elastic Security opens public detection rules repo.

What is the 5 sigma rule? ›

In most cases, a five-sigma result is considered the gold standard for significance, corresponding to about a one-in-a-million chance that the findings are just a result of random variations; six sigma translates to one chance in a half-billion that the result is a random fluke.

What 3 sigma tells us? ›

Three-sigma limits is a statistical calculation where the data are within three standard deviations from a mean. In business applications, three-sigma refers to processes that operate efficiently and produce items of the highest quality.

Is the Sigma male real? ›

First of all, it is important to understand that sigma male is a made-up concept. In fact, it was simply thought up by a dissident right internet blogger called Vox Day (Theodore Beale) a decade ago.

Can sigma males have GF? ›

Yes, sigma males fall in love, and much like everything they do, they jump in with both feet. When they find their ideal match, someone who's independent, strong and confident, they will make their feelings known. They don't look for casual flings and instead look to build a strong bond.

What is an example of detection? ›

Detection is the act of noticing or discovering something. At the airport, you might see German Shepherds trained in the detection of drug smuggling or explosives in luggage.

What is method of detection? ›

The method detection limit (MDL) is the minimum concentration of a substance that can be measured and reported with 99% confidence that the analyte concentration is greater than zero and is determined from analysis of a sample in a given matrix containing the analyte [2].

Top Articles
Latest Posts
Article information

Author: Rubie Ullrich

Last Updated: 01/17/2023

Views: 5531

Rating: 4.1 / 5 (72 voted)

Reviews: 87% of readers found this page helpful

Author information

Name: Rubie Ullrich

Birthday: 1998-02-02

Address: 743 Stoltenberg Center, Genovevaville, NJ 59925-3119

Phone: +2202978377583

Job: Administration Engineer

Hobby: Surfing, Sailing, Listening to music, Web surfing, Kitesurfing, Geocaching, Backpacking

Introduction: My name is Rubie Ullrich, I am a enthusiastic, perfect, tender, vivacious, talented, famous, delightful person who loves writing and wants to share my knowledge and understanding with you.