RuleSmith

Support for Sigma rules

RuleSmith natively supports rules written in Sigma, including

Prerequisites

Creating a Sigma ruleset

Rulesets are how you define groups of detection rules and configure which linters are enforced. RuleSmith will auto-detect any Sigma rules in your repositories and use its default configuration for linting them.

To customise the standards that are enforced for your Sigma rules, you need to create a ruleset.

Rulesets are defined by .rulesmith/ruleset_name.yml files in your detection rule repository. Storing them in your repository ensures they go through the same validation and approval process as your detection rules. A Sigma ruleset can be defined like this:

# .rulesmith/ruleset_name.yml
name: My Sigma Ruleset
kind: sigma

# customise which files are included using .gitignore syntax
files: |
  *.yml
  !experimental/

# enable linters
yamllint:
  # this enables yamllint with default config

sigmafmt:
  disable:
    - title-length # don't enforce title length limits

See the rulesets documentation for more configuration options which apply to all rule types.

Metadata extracted from Sigma rules

  • title
  • description
  • tags
  • MITRE ATT&CK

Available checks for Sigma rules

json_schema (enabled by default)

The Sigma project defines a JSON Schema for detection rules, specifying the valid field names and their types (for example, the modified field should be a date formatted YYYY-MM-DD).

Even though Sigma rules are written in YAML, a JSON schema is still used to validate them. The YAML rule is first converted to JSON and then validated.
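As an added illustration of that conversion step (this is not RuleSmith's or SigmaHQ's code), here is a standard-library-only Python sketch: PARSED_RULE stands in for what PyYAML's yaml.safe_load returns for a small rule (an unquoted `modified: 2024-01-15` arrives as a datetime.date object, which only becomes the string the schema expects after the JSON round-trip), and MINI_SCHEMA is a hand-written, hypothetical subset of the Sigma schema, not the real SigmaHQ file.

```python
import datetime
import json
import re
# Constructed sample: what yaml.safe_load returns for a small Sigma rule. The
# unquoted `modified: 2024-01-15` arrives as datetime.date, and `level` has a typo.
PARSED_RULE = {
    "title": "Suspicious Scheduled Task Creation",
    "modified": datetime.date(2024, 1, 15),
    "level": "hgih",
    "tags": ["attack.persistence", "attack.t1053.005"],
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {"selection": {"Image|endswith": "\\schtasks.exe"}, "condition": "selection"},
}
# Constructed subset of the Sigma JSON Schema (hypothetical, not the real file).
MINI_SCHEMA = {
    "type": "object",
    "required": ["title", "logsource", "detection"],
    "properties": {
        "title": {"type": "string"},
        "modified": {"type": "string", "pattern": r"^\d{4}-\d{2}-\d{2}$"},
        "level": {"type": "string", "enum": ["informational", "low", "medium", "high", "critical"]},
        "tags": {"type": "array", "items": {"type": "string"}},
        "detection": {"type": "object"},
    },
}
JSON_TYPES = {"string": str, "object": dict, "array": list}

def yaml_to_json(parsed):
    """Round-trip through JSON so YAML-native types (dates) become strings."""
    return json.loads(json.dumps(parsed, default=str))

def validate(value, schema, path="$"):
    """Minimal checker for the keywords MINI_SCHEMA uses; returns error strings."""
    if not isinstance(value, JSON_TYPES[schema["type"]]):
        return [f"{path}: expected {schema['type']}"]
    errors = [f"{path}.{k}: required field missing"
              for k in schema.get("required", []) if k not in value]
    for key, sub in schema.get("properties", {}).items():
        if key in value:
            errors += validate(value[key], sub, f"{path}.{key}")
    if "pattern" in schema and not re.search(schema["pattern"], value):
        errors.append(f"{path}: does not match {schema['pattern']}")
    if "enum" in schema and value not in schema["enum"]:
        errors.append(f"{path}: {value!r} not one of {schema['enum']}")
    for i, item in enumerate(value if "items" in schema else []):
        errors += validate(item, schema["items"], f"{path}[{i}]")
    return errors

def check_rule(parsed):  # the json_schema step: YAML data -> JSON -> validate
    return validate(yaml_to_json(parsed), MINI_SCHEMA)
```

Validating PARSED_RULE directly (without the JSON round-trip) reports the date as the wrong type; after check_rule's conversion only the misspelled level remains.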

The json_schema check is enabled by default and uses the latest schema definition from the SigmaHQ/sigma-specification repo.

You can also use a custom schema definition like so:

json_schema:
  schema_file: path/to/file/within/repo.json

Disabling json_schema

To disable the json_schema check, set the disabled flag:

json_schema:
  disabled: true

yamllint (enabled by default; open source)

Because Sigma rules are based on the YAML format, you can use yamllint (a linter for generic YAML files) to enforce basic formatting consistency of your Sigma rules.

yamllint is enabled by default and uses the configuration from the upstream SigmaHQ project. You can use your own configuration by setting the config_file property:

yamllint:
  config_file: path/to/custom/config.yml

Refer to the yamllint documentation regarding the available options for this file.

Disabling yamllint

To disable yamllint entirely, set the disabled flag:

yamllint:
  disabled: true