Adding Sigma rules to a custom collection

To add Sigma rules to a custom collection:

1. Do one of the following:
   • for a group of protected devices, open the application policy properties window.
     1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
     2. Select the policy you want to configure.
     3. In the <Policy name> window that opens, select the Application settings tab.
   • for an individual protected device, open the application settings for the device.
     1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
     2. Select the device for which you want to configure application settings.
     3. In the <Device name> window that opens, select the Applications tab.
     4. Select Kaspersky Endpoint Agent.
     5. In the Kaspersky Endpoint Agent window that opens, select the Application settings tab.
2. In the Anomaly Detection using Sigma rules section, use the check box next to the collection name to select a custom collection of Sigma rules that you want to add one or more Sigma rules to.
3. Click Add.

   The Modifying the collection rules window opens.

4. Add Sigma rules in any of the following ways:
   • Manually:
     1. Click the Add button.

        The Changing the Sigma rule window opens.

     2. In the editor form, describe the rule in Sigma format.

        The table contains basic information about the attributes and sections of a Sigma rule, which are interpreted by Kaspersky Endpoint Agent. For more detailed information, follow this link.

        Attribute values are case-sensitive. For example, Kaspersky Endpoint Agent treats the names of the executable files AnyDesk.exe and anyDesk.exe as different.

        Sigma rule structure

        Attribute / Section	Required	Description
        title	Yes	The rule name, which indicates what it detects. The maximum length is 256 characters. For example: title: Creation of a new RAT service
        id	No	The rule's globally unique identifier. For example: id: 929a690e-bef0-4204-a928-ef5e620d6fcc
        status	No	Rule status. Possible values: stable, test, experimental, deprecated, unsupported. For example: status: test
        description	No	A description of the rule and the malicious activity it can detect. The maximum length is 65,535 characters. For example: description: Detects the installation of a new Remote Utilities host application service.
        license	No	License ID according to the SPDX ID specification. The rule is published under the terms of the specified license type.
        author	No	Any specifier that indicates the author of the rule. For example, first name and last name, nickname, social network ID.
        reference	No	Link to the source the rule was taken from. For example, a blog article or white paper.
        date	No	Date when the rule was created in YYYY/MM/DD format.
        modified	No	Date in YYYY/MM/DD format when one of the following rule attributes was changed: title, status, logsource, detection, level.
        tags	No	Tag for categorizing the rule. Read more at this link.
        logsource	Yes	In this section, you can define the source of events that the application will search for anomalies. The main attributes of this section are category, product, and service. Event sources that Kaspersky Endpoint Agent supports Event sources supported by Kaspersky Endpoint Agent   Source (logsource) Event category: process_creation product: windows Kaspersky Endpoint Agent analyzes instances of an internal process startup event that corresponds in content to EventID 1 in the Microsoft-Windows-Sysmon/Operational log and is enriched by Kaspersky Endpoint Agent fields. category: driver_load product: windows Kaspersky Endpoint Agent analyzes instances of an internal driver load event that corresponds in content to EventID 6 in the Microsoft-Windows-Sysmon/Operational log and is enriched by Kaspersky Endpoint Agent fields. category: image_load product: windows Kaspersky Endpoint Agent analyzes instances of an internal event that corresponds in content to EventID 7 in the Microsoft-Windows-Sysmon/Operational log and is enriched by Kaspersky Endpoint Agent fields. category: registry_event product: windows Kaspersky Endpoint Agent analyzes instances of internal events that correspond in content to the events EventID 12, EventID 13, and EventID 14 in the Microsoft-Windows-Sysmon/Operational log and are enriched by Kaspersky Endpoint Agent fields. category: dns_query product: windows Kaspersky Endpoint Agent analyzes instances of an internal event that corresponds in content to EventID 22 in the Microsoft-Windows-Sysmon/Operational log and is enriched by Kaspersky Endpoint Agent fields. category: file_rename product: windows Kaspersky Endpoint Agent analyzes instances of an internal event that corresponds in content to an event in the log of the Windows trace service provider Microsoft-Windows-Kernel-File and is enriched by Kaspersky Endpoint Agent fields. category: file_event product: windows Kaspersky Endpoint Agent analyzes instances of an internal event that corresponds in content to EventID 11 in the Microsoft-Windows-Sysmon/Operational log and is enriched by Kaspersky Endpoint Agent fields. product: windows service: application Kaspersky Endpoint Agent analyzes events from the WEL/Application log. product: windows service: security Kaspersky Endpoint Agent analyzes events from the WEL/Security log. product: windows service: system Kaspersky Endpoint Agent analyzes events from the WEL/System log. category: chronicle_journal product: deltav Kaspersky Endpoint Agent analyzes instances of internal events associated with normalized data from the event logs of the Emerson DeltaV system. Source events are not linked to external event logs. product: windows service: powershell-classic Kaspersky Endpoint Agent analyzes events from the Windows PowerShell log. product: windows service: powershell Kaspersky Endpoint Agent analyzes events from the Microsoft-Windows-PowerShell/Operational log.   Read more at this link.
        category	No	Defines the category of products whose event logs the application searches for anomalies. For example: firewall, internet, anti-virus, or generic. logsource: category: firewall
        product	No	Defines the software product or operating system whose event logs the application searches for anomalies. For example: logsource: product: Windows
        service	No	Defines a service whose event logs the application searches for anomalies. For example: logsource: service: AppLocker
        definition	No	Description of the specifics of the source of event logs that application searches for anomalies.
        detection	Yes	This section contains one or more criteria for searching for anomalies in event logs and a rule triggering condition. Lists, dictionaries, or a combination of them can be used as search criteria. Kaspersky Endpoint Agent does not support windash modifier.
        list	No	A list of the values of any parameter from the event log, combined by a logical OR. For example: detection: selection: OriginalFileName: - 'AnyDesk.exe' - 'TeamViewer.exe' condition: selection In accordance with the condition, the following matches will be searched: OriginalFileName='AnyDesk.exe' OR OriginalFileName='TeamViewer.exe'.
        dictionary	No	event log parameter - value pairs. They are connected by a logical AND. For example: detection: selection: EventLog: Security EventID: 517 condition: selection In accordance with the condition, the following matches will be searched: EventLog='Security' AND Event ID=517.
        combination of list and dictionary	No	A list consisting of event log settings values and dictionaries. For example: detection: selection: EventLog: Security EventID: - 517 - 1102' condition: selection In accordance with the condition, the following matches will be searched: EventLog='Security' AND (Event ID=517 OR Event ID=1102)
        condition	Yes	Rule triggering condition. For example: detection: selection: EventLog: Security condition: selection
        fields	No	Lines from the event log that may be of interest to an analyst for subsequent analysis of the event.
        falsepositives	No	List of known scenarios that may incorrectly trigger the rule. For example: falsepositives: - Use of a utility by system administrators
        level	No	An indicator of the severity of anomalies that can be found using the rule. Possible values: informational, low, medium, high, critical.

     3. Click OK.

        The described Sigma rule will be displayed in the list of rules in the collection. The rule is enabled by default (the toggle button to the left of the rule name is in the Enabled position).

     4. Repeat steps a-c for each rule being manually added.
   • From files:
     1. Click the Add files button.
     2. In the window that opens, select one or more YAML files that describe Sigma rules.
     3. Click Open.

        Sigma rules described in YAML files will be displayed in the list of rules in the collection. Rules are enabled by default (the toggle switches to the left of the rule names are in the Enabled position).

        If a Sigma rule contains syntax errors or if mandatory attributes are missing, the rule will not be added to the collection.

5. Click OK.

See also Exporting and importing Sigma rules of a custom collection

Page top