Sigma Rules

Sigma is an open source project that aims at creating a generic query language for security and D&R rules. It looks up known anomalies and Common Vulnerabilities and Exposures (CVEs).

Many people use Sigma as the community tends to respond quickly, but also puts interesting anomalies often in there.

In LimaCharlie, you can subscribe to the hundreds of rules that are a part of Sigma, for free. Every 15 minutes we re-process those rules in your organization; there's no management required, it just happens.

Rules converted are available here.

You can also follow an RSS feed of changes to the rules rep here.

Enabling Sigma

To enable the Sigma rules, you want to navigate to the Add-ons section and search for Sigma in the search bar.

Under the Organization dropdown, select a tenant (organization) you want to subscribe to Sigma rules and click Subscribe:

Please note that add-ons are applied on the per-tenant basis. If you have multiple organizations you want to subscribe to Sigma, you will need to subscribe each organization to the add-on separately.

You can also manage add-ons from the Subscriptions menu under Billing.

Tenants that have been subscribed to the add-on, will be marked with a green check mark in the Organization dropdown.

Please note that some Sigma rules on Windows rely on Windows Event Logs that are not collected by LimaCharlie by default. In order to leverage these you will need to configure an automated collection of relevant Windows Event Logs through the Artifact Collection service.

Identifying Sigma Rule Hits

To identify the source of the detection, click on the detection details where you will be able to see the author field. It contains the identity (email or key name) of the entity that created the rule.

Detections that come in through a managed Sigma rule will have the author listed as _sigma.