This functionality is available on computers running Windows 7 or later or Windows Server 2008 R2 or later, if there is an active Kaspersky Endpoint Agent license key with the EDR Optimum and ICS Telemetry licensed objects.
Sigma is a format for describing anomaly detection rules that Kaspersky Endpoint Agent uses to analyze data from internal events and event logs. Rules written in Sigma format are called Sigma rules. Each Sigma rule is stored in a separate YAML file.
Sigma rules are written in YAML and have a unified structure. This allows specially created converters to generate rules in the syntax of various SIEM systems based on Sigma rules.
The table contains basic information about the attributes and sections of a Sigma rule, which are interpreted by Kaspersky Endpoint Agent. For more detailed information, follow this link.
Attribute values are case-sensitive. For example, Kaspersky Endpoint Agent treats the executable file names AnyDesk.exe and anyDesk.exe as different.
Sigma rule structure

Attribute / Section | Required | Description
---|---|---
title | Yes | The rule name, which indicates what it detects. The maximum length is 256 characters.
id | No | The rule's globally unique identifier.
status | No | Rule status.
description | No | A description of the rule and the malicious activity it can detect. The maximum length is 65,535 characters.
license | No | License ID according to the SPDX ID specification. The rule is published under the terms of the specified license type.
author | No | Any specifier that indicates the author of the rule, for example first name and last name, nickname, or social network ID.
references | No | Link to the source the rule was taken from, for example a blog article or white paper.
date | No | Date when the rule was created, in YYYY/MM/DD format.
modified | No | Date, in YYYY/MM/DD format, when one of the rule's attributes was changed.
tags | No | Tag for categorizing the rule. Read more at this link.
logsource | Yes | This section defines the source of events that the application searches for anomalies. Its main attributes are category, product, and service (see the following rows). See also Event sources supported by Kaspersky Endpoint Agent. Read more at this link.
category (in logsource) | No | Defines the category of products whose event logs the application searches for anomalies. For example: firewall, internet, anti-virus, or generic.
product (in logsource) | No | Defines the software product or operating system whose event logs the application searches for anomalies.
service (in logsource) | No | Defines a service whose event logs the application searches for anomalies.
definition (in logsource) | No | Description of the specifics of the event log source that the application searches for anomalies.
detection | Yes | This section contains one or more criteria for searching for anomalies in event logs and a rule triggering condition. Lists, dictionaries, or a combination of them can be used as search criteria.
list (in detection) | No | A list of values of any event log parameter, combined by a logical OR.
dictionary (in detection) | No | Event log parameter-value pairs, connected by a logical AND. For example, a dictionary with the pairs EventLog='Security' and Event ID=517 matches events for which EventLog='Security' AND Event ID=517.
list of dictionaries (in detection) | No | A list consisting of event log parameter values and dictionaries. For example, a selection that combines EventLog='Security' with the Event ID values 517 and 1102 matches events for which EventLog='Security' AND (Event ID=517 OR Event ID=1102).
condition (in detection) | Yes | Rule triggering condition.
fields | No | Lines from the event log that may be of interest to an analyst for subsequent analysis of the event.
falsepositives | No | List of known scenarios that may incorrectly trigger the rule.
level | No | An indicator of the severity of anomalies that can be found using the rule.
Example of a Sigma rule:

```yaml
title: Downloading files using CertUtil.exe
id: 89346938-3b2f-46c7-bb38-b9f244e3fad0
status: test
description: Detects file downloads using CertUtil.exe.
references:
  - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
author: Kaspersky
date: 2024-05-22
tags:
  - attack.defense_evasion
  - attack.t1027
logsource:
  category: process_creation
  product: windows
detection:
  selection_image:
    - Image|endswith: '\certutil.exe'
    - OriginalFileName: 'CertUtil.exe'
  selection_http:
    CommandLine|contains: 'http'
  condition: all of selection_*
falsepositives:
  - Legitimate actions of the system administrator.
level: low
```
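To show how the list and dictionary semantics from the table combine with the sample rule's condition, here is an added Python example; it is not Kaspersky's or the Sigma project's code. It mirrors the sample rule's detection section as a dict instead of loading the YAML file, implements only the |endswith and |contains modifiers and the "all of selection_*" condition form, and evaluates the rule over constructed process-creation events, including one whose file name differs only in case.

```python
# Added example, not Kaspersky's code: evaluates the detection semantics this
# page describes (list = OR, dictionary = AND) for the page's CertUtil rule,
# mirrored here as a dict instead of loaded from YAML (assumption). Only the
# |endswith and |contains modifiers and the condition "all of <prefix>*" exist.

CERTUTIL_DETECTION = {                       # detection section of the page's rule
    "selection_image": [                     # list of dictionaries: OR
        {"Image|endswith": r"\certutil.exe"},
        {"OriginalFileName": "CertUtil.exe"},
    ],
    "selection_http": {"CommandLine|contains": "http"},  # dictionary: AND
    "condition": "all of selection_*",
}

def field_matches(event, key, expected):
    """Compare one event field with one value; the comparison is case-sensitive."""
    name, _, modifier = key.partition("|")
    actual = str(event.get(name, ""))
    if modifier == "endswith":
        return actual.endswith(expected)
    if modifier == "contains":
        return expected in actual
    return actual == str(expected)           # no modifier: exact match

def selection_matches(event, selection):
    """List: OR over items. Dictionary: AND over pairs; a list value is an OR."""
    if isinstance(selection, list):
        return any(selection_matches(event, item) for item in selection)
    return all(any(field_matches(event, k, x) for x in (v if isinstance(v, list) else [v]))
               for k, v in selection.items())

def rule_matches(event, detection):
    """Evaluate a condition of the form 'all of selection_*'."""
    cond = detection["condition"]
    if not (cond.startswith("all of ") and cond.endswith("*")):
        raise ValueError("unsupported condition: " + cond)
    prefix = cond[len("all of "):-1]
    names = [n for n in detection if n != "condition" and n.startswith(prefix)]
    return all(selection_matches(event, detection[n]) for n in names)

EVENTS = {                                   # constructed events, not real telemetry
    "download": {"Image": r"C:\Windows\System32\certutil.exe",
                 "OriginalFileName": "CertUtil.exe",
                 "CommandLine": "certutil.exe http://example.invalid/a.bin"},
    "renamed":  {"Image": r"C:\Temp\tool.exe", "OriginalFileName": "CertUtil.exe",
                 "CommandLine": "tool.exe http://example.invalid/a.bin"},
    "no_url":   {"Image": r"C:\Windows\System32\certutil.exe",
                 "CommandLine": "certutil.exe -dump"},
    "mixed_case": {"Image": r"C:\Windows\System32\CertUtil.exe",   # case differs
                   "CommandLine": "CertUtil.exe http://example.invalid/a.bin"},
}
```

The "renamed" event matches through the OriginalFileName alternative in the list of dictionaries, while the "mixed_case" event does not match because, as the page states, values are compared case-sensitively.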
A collection of Sigma rules is a set of Sigma rules that define similar events.
Kaspersky Endpoint Agent analyzes data from internal events and event logs to find anomalies using the collections of Sigma rules that Kaspersky supplies with the application databases, and using collections of Sigma rules created by the user.