crowdalert/sigmarules

CrowdAlert Sigma Rules

A repository of Sigma detection rules used by CrowdAlert

How to use the rules:

Extensions to the SigmaHQ specification

Fields

These appear in a rule's custom_attributes field and are intended to be consumed by a Sigma backend compiler.

  • logsource
    • schema: the normalization schema to be applied to the log before detection rules are evaluated, e.g. OCSF
  • risk: a dict field intended for more expressive control over risk scoring and risk objects than high/medium/low allows; for instance, a score key holding a numerical risk score for use in risk-based alerting
  • message: a message to display to the analyst or user receiving an alert. May use mustache ({{ }}) template delimiters to reference fields within the log event
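The following is an added example, not code from the crowdalert/sigmarules repository, showing how a backend could consume the three custom_attributes extensions listed above: check the required schema, take the numeric risk score, and expand the {{ }} placeholders in the message from the event. The rule and event are constructed (the rule is the parsed form a YAML loader would return), the dotted-path field lookup and the level-to-score fallback table are this example's own assumptions, and the matcher only handles a plain "condition: selection" with exact-match fields.

```python
"""Added example (not part of the crowdalert/sigmarules repository): consuming
the custom_attributes extensions (logsource.schema, risk.score, message)
from a Sigma backend. Rule, event, dotted-path lookup and the level fallback
table are constructed assumptions, not definitions from the README."""
import re
from typing import Any, Dict, Optional

# Constructed rule: the parsed form of a rule file such as rules/aws_ec2_*.yml.
RULE: Dict[str, Any] = {
    "title": "EC2 instance started",  # constructed title
    "logsource": {"product": "aws", "service": "cloudtrail"},
    "detection": {
        "selection": {
            "class_name": "API Activity",
            "api.operation": ["RunInstances", "StartInstances"],
        },
        "condition": "selection",
    },
    "level": "medium",
    "custom_attributes": {
        "logsource": {"schema": "OCSF"},            # normalise to OCSF first
        "risk": {"score": 65},                      # numeric score for RBA
        "message": "{{ actor.user.name }} called {{ api.operation }} "
                   "from {{ src_endpoint.ip }}",
    },
}

# Constructed event, already normalised to OCSF-style nested fields.
EVENT: Dict[str, Any] = {
    "class_name": "API Activity",
    "api": {"operation": "RunInstances"},
    "actor": {"user": {"name": "deploy-bot"}},
    "src_endpoint": {"ip": "203.0.113.7"},  # TEST-NET-3 documentation address
}

# Assumed fallback when a rule carries no risk.score.
LEVEL_SCORES = {"low": 20, "medium": 50, "high": 80, "critical": 100}

PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_.]+)\s*\}\}")


def lookup(event: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve a dotted path such as actor.user.name; None if any part is absent."""
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def required_schema(rule: Dict[str, Any]) -> Optional[str]:
    """Schema the log must be normalised to before evaluation (e.g. OCSF)."""
    return rule.get("custom_attributes", {}).get("logsource", {}).get("schema")


def risk_score(rule: Dict[str, Any]) -> int:
    """custom_attributes.risk.score clamped to 0..100, else derived from level."""
    score = rule.get("custom_attributes", {}).get("risk", {}).get("score")
    if isinstance(score, (int, float)):
        return int(max(0, min(100, score)))
    return LEVEL_SCORES.get(rule.get("level", "low"), LEVEL_SCORES["low"])


def render_message(rule: Dict[str, Any], event: Dict[str, Any]) -> str:
    """Expand {{ field }} placeholders. A field missing from the event renders
    as <field:missing> instead of raising, so the alert is still produced."""
    template = rule.get("custom_attributes", {}).get("message", rule["title"])

    def sub(m: "re.Match[str]") -> str:
        value = lookup(event, m.group(1))
        return str(value) if value is not None else f"<{m.group(1)}:missing>"

    return PLACEHOLDER.sub(sub, template)


def matches(rule: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Minimal matcher: 'condition: selection', exact-match fields, list = any-of."""
    detection = rule["detection"]
    if detection.get("condition") != "selection":
        raise ValueError("example only supports 'condition: selection'")
    for field, expected in detection["selection"].items():
        allowed = expected if isinstance(expected, list) else [expected]
        if lookup(event, field) not in allowed:
            return False
    return True


def build_alert(rule: Dict[str, Any], event: Dict[str, Any],
                event_schema: str) -> Optional[Dict[str, Any]]:
    """Alert a backend would emit, or None when the rule does not fire.
    Refuses to evaluate an event that is not in the schema the rule requires."""
    wanted = required_schema(rule)
    if wanted and event_schema != wanted:
        raise ValueError(f"event is {event_schema}, rule requires {wanted}")
    if not matches(rule, event):
        return None
    return {"title": rule["title"], "score": risk_score(rule),
            "message": render_message(rule, event)}


if __name__ == "__main__":
    print(build_alert(RULE, EVENT, "OCSF"))
```

The schema check runs before matching on purpose: evaluating an OCSF-targeted rule against a raw, un-normalised log would silently produce no match, so the backend raises instead of returning None.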

Taxonomy

Rules are found in the rules folder and generally follow SigmaHQ filename conventions.

Where a logsource may contain multiple vendor products, the filename pattern appends the product to the prefix, for example aws_ec2_*.
