SigmaHQ / sigma-specification

Sigma rule specification

Update V2.0.0 correlation section #112

Closed frack113 closed 10 months ago

frack113 commented 11 months ago

Warning: This PR is only for the Correlation rules section.

The meta-rule-schema.json file is in progress.

Res260 commented 11 months ago

Hello @frack113, I'm aware that this is a draft PR, but after reading its content, I feel the need to ask: has a choice been made yet regarding generate/silent/default to informational?

If not: please consider not going the "default to informational" route. Defining level behaviors in the specification is useful for a common rule repository like sigmahq/sigma, but makes less sense to apply it to every sigma user.

Internally, we have two types of rules: indicators and normal rules. Indicators are used for contextualization of assets and are correlated together to risk-score assets. The normal rules trigger individual alerts. With the "default to informational" proposal, it would make for a very awkward solution, in my opinion.

Sorry if this is not the place for such a comment, I didn't know where to write it. Thanks for your work, can't wait for correlations! :)

phantinuss commented 11 months ago

Hello @frack113, I'm aware that this is a draft PR, but after reading its content, I feel the need to ask: has a choice been made yet regarding generate/silent/default to informational?

If not: please consider not going the "default to informational" route. Defining level behaviors in the specification is useful for a common rule repository like sigmahq/sigma, but makes less sense to apply it to every sigma users.

Internally, we have two types of rules: indicators and normal rules. Indicators are used for contextualization of assets and are correlated together to risk-score assets. The normal rule trigger individual alerts. With the "default to informational" proposal, it would make for a very awkward solution, in my opinion.

Sorry if this is not the place for such comment, I didn't know where to write it. Thanks for your work, can't wait for correlations! :)

@Res260: Thanks for your input. We came also to that conclusion in internal discussion and it definitely won't be pinned to the level of a rule. The rest is still open to discussion though.