Adding Sigma rules to a custom collection

To add Sigma rules to a custom collection:

1. In the main window of the Web Console, select Assets (Devices) → Policies & profiles.
2. Click the name of the Kaspersky Industrial CyberSecurity for Nodes policy.

   The policy properties window opens.

3. Select the Application settings tab.
4. In the Anomaly Detection using Sigma rules section, use the check box next to the collection name to select a custom collection of Sigma rules that you want to add one or more Sigma rules to.
5. Click Edit.

   The Changing the Sigma rules collection window opens.

6. Add Sigma rules in any of the following ways:
   • Manually:
     1. Click Add.

        The Changing the Sigma rule window opens.

     2. In the editor form, describe the rule in Sigma format.

        The table contains basic information about the attributes and sections of a Sigma rule, which are interpreted by Kaspersky Industrial CyberSecurity for Nodes. For more detailed information, follow this link.

        Attribute values are case-sensitive. For example, Kaspersky Industrial CyberSecurity for Nodes treats the names of the executable files AnyDesk.exe and anyDesk.exe as different.

        Sigma rule structure

        Attribute / Section	Required	Description
        title	Yes	The rule name, which indicates what it detects. The maximum length is 256 characters. For example: title: Creation of a new RAT service
        id	No	The rule's globally unique identifier. For example: id: 929a690e-bef0-4204-a928-ef5e620d6fcc
        status	No	Rule status. Possible values: stable, test, experimental, deprecated, unsupported. For example: status: test
        description	No	A description of the rule and the malicious activity it can detect. The maximum length is 65,535 characters. For example: description: Detects the installation of a new Remote Utilities host application service.
        license	No	License ID according to the SPDX ID specification. The rule is published under the terms of the specified license type.
        author	No	Any specifier that indicates the author of the rule. For example, first name and last name, nickname, social network ID.
        reference	No	Link to the source the rule was taken from. For example, a blog article or white paper.
        date	No	Date when the rule was created in YYYY/MM/DD format.
        modified	No	Date in YYYY/MM/DD format when one of the following rule attributes was changed: title, status, logsource, detection, level.
        tags	No	Tag for categorizing the rule. Read more at this link.
        logsource	Yes	In this section, you can define the source of events that the application will search for anomalies. The main attributes of this section are category, product, and service. Event sources that Kaspersky Industrial CyberSecurity for Nodes supports Event sources supported by Kaspersky Industrial CyberSecurity for Nodes   Source (logsource) Event category: process_creation product: windows Kaspersky Industrial CyberSecurity for Nodes analyzes instances of an internal process startup event that corresponds in content to EventID 1 in the Microsoft-Windows-Sysmon/Operational log and is enriched by Kaspersky Industrial CyberSecurity for Nodes fields. category: driver_load product: windows Kaspersky Industrial CyberSecurity for Nodes analyzes instances of an internal driver load event that corresponds in content to EventID 6 in the Microsoft-Windows-Sysmon/Operational log and is enriched by Kaspersky Industrial CyberSecurity for Nodes fields. category: image_load product: windows Kaspersky Industrial CyberSecurity for Nodes analyzes instances of an internal event that corresponds in content to EventID 7 in the Microsoft-Windows-Sysmon/Operational log and is enriched by Kaspersky Industrial CyberSecurity for Nodes fields. category: registry_event product: windows Kaspersky Industrial CyberSecurity for Nodes analyzes instances of internal events that correspond in content to the events EventID 12, EventID 13, and EventID 14 in the Microsoft-Windows-Sysmon/Operational log and are enriched by Kaspersky Industrial CyberSecurity for Nodes fields. category: dns_query product: windows Kaspersky Industrial CyberSecurity for Nodes analyzes instances of an internal event that corresponds in content to EventID 22 in the Microsoft-Windows-Sysmon/Operational log and is enriched by Kaspersky Industrial CyberSecurity for Nodes fields. category: file_rename product: windows Kaspersky Industrial CyberSecurity for Nodes analyzes instances of an internal event that corresponds in content to an event in the log of the Windows trace service provider Microsoft-Windows-Kernel-File and is enriched by Kaspersky Industrial CyberSecurity for Nodes fields. category: file_event product: windows Kaspersky Industrial CyberSecurity for Nodes analyzes instances of an internal event that corresponds in content to EventID 11 in the Microsoft-Windows-Sysmon/Operational log and is enriched by Kaspersky Industrial CyberSecurity for Nodes fields. product: windows service: application Kaspersky Industrial CyberSecurity for Nodes analyzes events from the WEL/Application log. product: windows service: security Kaspersky Industrial CyberSecurity for Nodes analyzes events from the WEL/Security log. product: windows service: system Kaspersky Industrial CyberSecurity for Nodes analyzes events from the WEL/System log. category: chronicle_journal product: deltav Kaspersky Industrial CyberSecurity for Nodes analyzes instances of internal events associated with normalized data from the event logs of the Emerson DeltaV system. Source events are not linked to external event logs. product: windows service: powershell-classic Kaspersky Industrial CyberSecurity for Nodes analyzes events from the Windows PowerShell log. product: windows service: powershell Kaspersky Industrial CyberSecurity for Nodes analyzes events from the Microsoft-Windows-PowerShell/Operational log. In Microsoft Windows 7, for category: dns_query, service: powershell-classic, service: powershell providers, you some internal events are missing, or some fields or necessary data may be missing in events. As a result, Sigma rules may not trigger. Read more at this link.
        category	No	Defines the category of products whose event logs the application searches for anomalies. For example: firewall, internet, anti-virus, or generic. logsource: category: firewall
        product	No	Defines the software product or operating system whose event logs the application searches for anomalies. For example: logsource: product: Windows
        service	No	Defines a service whose event logs the application searches for anomalies. For example: logsource: service: AppLocker
        definition	No	Description of the specifics of the source of event logs that application searches for anomalies.
        detection	Yes	This section contains one or more criteria for searching for anomalies in event logs and a rule triggering condition. Lists, dictionaries, or a combination of them can be used as search criteria. Kaspersky Industrial CyberSecurity for Nodes does not support the windash value modifier.
        list	No	A list of the values of any parameter from the event log, combined by a logical OR. For example: detection: selection: OriginalFileName: - 'AnyDesk.exe' - 'TeamViewer.exe' condition: selection In accordance with the condition, the following matches will be searched: OriginalFileName='AnyDesk.exe' OR OriginalFileName='TeamViewer.exe'.
        dictionary	No	event log parameter - value pairs. They are connected by a logical AND. For example: detection: selection: EventLog: Security EventID: 517 condition: selection In accordance with the condition, the following matches will be searched: EventLog='Security' AND Event ID=517.
        combination of list and dictionary	No	A list consisting of event log settings values and dictionaries. For example: detection: selection: EventLog: Security EventID: - 517 - 1102' condition: selection In accordance with the condition, the following matches will be searched: EventLog='Security' AND (Event ID=517 OR Event ID=1102)
        condition	Yes	Rule triggering condition. For example: detection: selection: EventLog: Security condition: selection
        fields	No	Lines from the event log that may be of interest to an analyst for subsequent analysis of the event.
        falsepositives	No	List of known scenarios that may incorrectly trigger the rule. For example: falsepositives: - Use of a utility by system administrators
        level	No	An indicator of the severity of anomalies that can be found using the rule. Possible values: informational, low, medium, high, critical.

     3. Click OK.

        The described Sigma rule will be displayed in the list of rules in the collection. The rule is enabled by default (the toggle button to the left of the rule name is in the Enabled position).

     4. Repeat steps a-c for each rule being manually added.
   • From files:
     1. Click Add file.
     2. In the window that opens, select one or more YAML files that describe Sigma rules.
     3. Click Open.

        Sigma rules described in YAML files will be displayed in the list of rules in the collection. Rules are enabled by default (the toggle switches to the left of the rule names are in the Enabled position).

        If a Sigma rule contains syntax errors or if mandatory attributes are missing, the rule will not be added to the collection.

7. Click OK.

Page top