The table contains basic information about the attributes and sections of a Sigma rule, which are interpreted by Kaspersky Industrial CyberSecurity for Nodes. For more detailed information, follow this link.
Attribute values are case-sensitive. For example, Kaspersky Industrial CyberSecurity for Nodes treats the names of the executable files AnyDesk.exe and anyDesk.exe as different.
**title** (Required: Yes)

The rule name, which indicates what it detects. The maximum length is 256 characters. For example:

```yaml
title: Creation of a new RAT service
```

**id** (Required: No)

The rule's globally unique identifier. For example:

```yaml
id: 929a690e-bef0-4204-a928-ef5e620d6fcc
```

**status** (Required: No)

Rule status. Possible values: stable, test, experimental, deprecated, unsupported. For example:

```yaml
status: test
```

**description** (Required: No)

A description of the rule and the malicious activity it can detect. The maximum length is 65,535 characters. For example:

```yaml
description: Detects the installation of a new Remote Utilities host application service.
```

**license** (Required: No)

License ID according to the SPDX ID specification. The rule is published under the terms of the specified license type.

**author** (Required: No)

Any specifier that indicates the author of the rule, for example a first name and last name, a nickname, or a social network ID.

**reference** (Required: No)

Link to the source the rule was taken from, for example a blog article or white paper.

**date** (Required: No)

Date when the rule was created, in YYYY/MM/DD format.

**modified** (Required: No)

Date, in YYYY/MM/DD format, when one of the following rule attributes was last changed: title, status, logsource, detection, level.

**tags** (Required: No)

Tags for categorizing the rule. Read more at this link.
**logsource** (Required: Yes)

In this section, you define the source of the events in which the application searches for anomalies. The main attributes of this section are category, product, and service.

Event sources supported by Kaspersky Industrial CyberSecurity for Nodes:

| Source (logsource) | Event |
|---|---|
| `category: process_creation`, `product: windows` | Kaspersky Industrial CyberSecurity for Nodes analyzes instances of an internal process startup event that corresponds in content to EventID 1 in the Microsoft-Windows-Sysmon/Operational log and is enriched with Kaspersky Industrial CyberSecurity for Nodes fields. |
| `category: driver_load`, `product: windows` | Kaspersky Industrial CyberSecurity for Nodes analyzes instances of an internal driver load event that corresponds in content to EventID 6 in the Microsoft-Windows-Sysmon/Operational log and is enriched with Kaspersky Industrial CyberSecurity for Nodes fields. |
| `category: image_load`, `product: windows` | Kaspersky Industrial CyberSecurity for Nodes analyzes instances of an internal event that corresponds in content to EventID 7 in the Microsoft-Windows-Sysmon/Operational log and is enriched with Kaspersky Industrial CyberSecurity for Nodes fields. |
| `category: registry_event`, `product: windows` | Kaspersky Industrial CyberSecurity for Nodes analyzes instances of internal events that correspond in content to EventID 12, EventID 13, and EventID 14 in the Microsoft-Windows-Sysmon/Operational log and are enriched with Kaspersky Industrial CyberSecurity for Nodes fields. |
| `category: dns_query`, `product: windows` | Kaspersky Industrial CyberSecurity for Nodes analyzes instances of an internal event that corresponds in content to EventID 22 in the Microsoft-Windows-Sysmon/Operational log and is enriched with Kaspersky Industrial CyberSecurity for Nodes fields. |
| `category: file_rename`, `product: windows` | Kaspersky Industrial CyberSecurity for Nodes analyzes instances of an internal event that corresponds in content to an event from the Windows trace provider Microsoft-Windows-Kernel-File and is enriched with Kaspersky Industrial CyberSecurity for Nodes fields. |
| `category: file_event`, `product: windows` | Kaspersky Industrial CyberSecurity for Nodes analyzes instances of an internal event that corresponds in content to EventID 11 in the Microsoft-Windows-Sysmon/Operational log and is enriched with Kaspersky Industrial CyberSecurity for Nodes fields. |
| `product: windows`, `service: application` | Kaspersky Industrial CyberSecurity for Nodes analyzes events from the WEL/Application log. |
| `product: windows`, `service: security` | Kaspersky Industrial CyberSecurity for Nodes analyzes events from the WEL/Security log. |
| `product: windows`, `service: system` | Kaspersky Industrial CyberSecurity for Nodes analyzes events from the WEL/System log. |
| `category: chronicle_journal`, `product: deltav` | Kaspersky Industrial CyberSecurity for Nodes analyzes instances of internal events associated with normalized data from the event logs of the Emerson DeltaV system. Source events are not linked to external event logs. |
| `product: windows`, `service: powershell-classic` | Kaspersky Industrial CyberSecurity for Nodes analyzes events from the Windows PowerShell log. |
| `product: windows`, `service: powershell` | Kaspersky Industrial CyberSecurity for Nodes analyzes events from the Microsoft-Windows-PowerShell/Operational log. |

In Microsoft Windows 7, for the `category: dns_query`, `service: powershell-classic`, and `service: powershell` sources, some internal events are missing, or events may lack some fields or necessary data. As a result, Sigma rules may not trigger. Read more at this link.
**category** (Required: No)

Defines the category of products whose event logs the application searches for anomalies, for example firewall, internet, anti-virus, or generic:

```yaml
logsource:
  category: firewall
```

**product** (Required: No)

Defines the software product or operating system whose event logs the application searches for anomalies. For example:

```yaml
logsource:
  product: Windows
```

**service** (Required: No)

Defines a service whose event logs the application searches for anomalies. For example:

```yaml
logsource:
  service: AppLocker
```

**definition** (Required: No)

Description of the specifics of the event log source that the application searches for anomalies.

**detection** (Required: Yes)

This section contains one or more criteria for searching for anomalies in event logs and a rule triggering condition. Lists, dictionaries, or a combination of them can be used as search criteria. Kaspersky Industrial CyberSecurity for Nodes does not support the windash value modifier.

**list** (Required: No)

A list of values of any parameter from the event log, combined by a logical OR. For example:

```yaml
detection:
  selection:
    OriginalFileName:
      - 'AnyDesk.exe'
      - 'TeamViewer.exe'
  condition: selection
```

In accordance with the condition, the application searches for the following matches: OriginalFileName='AnyDesk.exe' OR OriginalFileName='TeamViewer.exe'.

**dictionary** (Required: No)

Pairs of an event log parameter and a value, combined by a logical AND. For example:

```yaml
detection:
  selection:
    EventLog: Security
    EventID: 517
  condition: selection
```

In accordance with the condition, the application searches for the following matches: EventLog='Security' AND EventID=517.

**combination of list and dictionary** (Required: No)

A list consisting of event log parameter values and dictionaries. For example:

```yaml
detection:
  selection:
    EventLog: Security
    EventID:
      - 517
      - 1102
  condition: selection
```

In accordance with the condition, the application searches for the following matches: EventLog='Security' AND (EventID=517 OR EventID=1102).

**condition** (Required: Yes)

Rule triggering condition. For example:

```yaml
detection:
  selection:
    EventLog: Security
  condition: selection
```
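The list, dictionary, and combination semantics described in the detection rows above, worked through in code. This is an added example, not code from Kaspersky or this documentation: the rule and the events are constructed, comparing the rule's logsource with per-event source metadata is an assumption of the example, and only the single-selection condition form shown on this page is handled.

```python
# Added example (not from the Kaspersky documentation): evaluates the detection semantics
# described above on constructed events. A list is a logical OR, a dictionary is a logical
# AND of its pairs, and a list inside a dictionary gives AND over OR. Comparisons are exact
# and case-sensitive, as the page states. Rule and events are in parsed (dict) form.

RULE = {  # constructed rule; the logsource is one the page lists as supported
    "title": "Remote access tool process started",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {                                              # dictionary: AND
            "EventID": [1, 4688],                                   # list: OR
            "OriginalFileName": ["AnyDesk.exe", "TeamViewer.exe"],  # list: OR
        },
        "condition": "selection",
    },
}

EVENTS = [  # constructed events: source metadata plus the fields the rule inspects
    {"logsource": {"category": "process_creation", "product": "windows"},
     "fields": {"EventID": 1, "OriginalFileName": "AnyDesk.exe"}},     # matches
    {"logsource": {"category": "process_creation", "product": "windows"},
     "fields": {"EventID": 1, "OriginalFileName": "anyDesk.exe"}},     # case differs
    {"logsource": {"category": "process_creation", "product": "windows"},
     "fields": {"EventID": 6, "OriginalFileName": "AnyDesk.exe"}},     # EventID not listed
    {"logsource": {"category": "driver_load", "product": "windows"},
     "fields": {"EventID": 1, "OriginalFileName": "TeamViewer.exe"}},  # other logsource
]

def value_matches(expected, actual):
    """One event field against an expected value, or a list of values (list = OR)."""
    if isinstance(expected, list):
        return any(value_matches(item, actual) for item in expected)
    return actual == expected  # exact, case-sensitive comparison

def selection_matches(selection, fields):
    """A dictionary selection: every parameter-value pair must hold (AND)."""
    return all(value_matches(value, fields.get(key)) for key, value in selection.items())

def rule_matches(rule, event):
    """Apply a rule to one event: the logsource must equal the event's source metadata
    (assumption of this example) and the single named selection must match."""
    if event["logsource"] != rule["logsource"]:
        return False
    name = rule["detection"]["condition"].strip()
    return selection_matches(rule["detection"][name], event["fields"])

def matching_event_indexes(rule, events):
    return [i for i, event in enumerate(events) if rule_matches(rule, event)]  # [0]
```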
**fields** (Required: No)

Lines from the event log that may be of interest to an analyst for subsequent analysis of the event.

**falsepositives** (Required: No)

List of known scenarios that may incorrectly trigger the rule. For example:

```yaml
falsepositives:
  - Use of a utility by system administrators
```

**level** (Required: No)

An indicator of the severity of anomalies that can be found using the rule. Possible values: informational, low, medium, high, critical.
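A check of a parsed rule against the constraints this page lists (required attributes, title and description length limits, allowed status and level values, the YYYY/MM/DD date format, the supported logsource combinations, and the unsupported windash modifier). This is an added example, not Kaspersky's own validation logic; the sample rule is constructed.

```python
# Added example (not Kaspersky's code): checks a parsed Sigma rule against the constraints
# this page states for Kaspersky Industrial CyberSecurity for Nodes. The rule is given in
# parsed (dict) form, as a YAML loader would produce it.
import re

SUPPORTED_LOGSOURCES = {  # (category, product, service) triples from the table above
    ("process_creation", "windows", None), ("driver_load", "windows", None),
    ("image_load", "windows", None), ("registry_event", "windows", None),
    ("dns_query", "windows", None), ("file_rename", "windows", None),
    ("file_event", "windows", None), ("chronicle_journal", "deltav", None),
    (None, "windows", "application"), (None, "windows", "security"),
    (None, "windows", "system"), (None, "windows", "powershell-classic"),
    (None, "windows", "powershell"),
}
STATUSES = {"stable", "test", "experimental", "deprecated", "unsupported"}
LEVELS = {"informational", "low", "medium", "high", "critical"}
DATE_RE = re.compile(r"^\d{4}/\d{2}/\d{2}$")

SAMPLE = {  # constructed rule that passes every check below
    "title": "Creation of a new RAT service", "status": "test", "date": "2024/01/15",
    "logsource": {"product": "windows", "service": "system"},
    "detection": {"selection": {"EventID": 7045}, "condition": "selection"}, "level": "high",
}

def validate_rule(rule):
    """Return a list of problems found; an empty list means the rule passes all checks."""
    problems = []
    for key in ("title", "logsource", "detection"):
        if key not in rule:
            problems.append(f"missing required attribute: {key}")
    if len(rule.get("title", "")) > 256:
        problems.append("title is longer than 256 characters")
    if len(rule.get("description", "")) > 65535:
        problems.append("description is longer than 65,535 characters")
    if "status" in rule and rule["status"] not in STATUSES:
        problems.append(f"unknown status: {rule['status']}")
    if "level" in rule and rule["level"] not in LEVELS:
        problems.append(f"unknown level: {rule['level']}")
    for key in ("date", "modified"):
        if key in rule and not DATE_RE.match(str(rule[key])):
            problems.append(f"{key} is not in YYYY/MM/DD format")
    source = rule.get("logsource", {})
    triple = (source.get("category"), source.get("product"), source.get("service"))
    if triple not in SUPPORTED_LOGSOURCES:  # exact, case-sensitive membership test
        problems.append(f"logsource is not supported by KICS for Nodes: {triple}")
    for name, selection in rule.get("detection", {}).items():
        if isinstance(selection, dict) and any("|windash" in k for k in selection):
            problems.append(f"selection {name!r} uses the unsupported windash modifier")
    return problems
```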