Learn what's possible in SIEM Rules
SIEM Rules allows you to create and modify rules in the open-source Sigma format.
You can read more about Sigma rules and how they are constructed in the Sigma repository on GitHub:
We have also created a short series of posts you might find useful if you are new to the Sigma format:
At a minimum the following fields must be defined for a Rule:
However, it is strongly recommended to include more fields to improve the quality of your Rule.
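A constructed example of a complete rule, added here for illustration rather than taken from SIEM Rules or the Sigma repository. The Sigma specification requires only `title`, `logsource` and `detection`; the remaining fields (`id`, `status`, `description`, `author`, `date`, `tags`, `falsepositives`, `level`) are the recommended metadata that the versioning guidance below treats as minor-update content. All values, including the placeholder UUID, are illustrative:

```yaml
# --- required by the Sigma specification ---
title: Suspicious PowerShell Download Cradle
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'DownloadString'
      - 'DownloadFile'
  condition: selection

# --- recommended metadata (edit these for a minor version bump) ---
id: 00000000-0000-4000-8000-000000000001   # placeholder; generate a fresh UUIDv4 per rule
status: experimental
description: Detects PowerShell invoking a WebClient download method, a common cradle for staging payloads.
author: example author
date: 2024-01-15
tags:
  - attack.execution
  - attack.t1059.001
falsepositives:
  - Administrative scripts that fetch updates with PowerShell
level: medium
```

Changing anything under `detection` or `logsource` changes what the rule matches; changing the other fields only changes how it is described, which is the distinction the versioning scheme below relies on.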
Once you've created a Rule in Sigma format in the SIEM Rules user interface, it can be converted to another backend schema.
You can view the available backend schemas for conversion in the SIEM Rules user interface or via the API.
Note: due to the way Rules can be constructed, not all Rules can be converted to every backend type. If this is the case, you will see this message returned:
This format is not supported for this rule.
Every Rule carries a version number. Newly created (or Cloned) Rules always start at v1.0.
SIEM Rules implements a major and minor version system. You choose whether an edit is a major or minor update when saving a Rule. As a general guideline we recommend:
- major update: when updating detection or logsource content
- minor update: when updating metadata of the rule, like description or falsepositive values
The user interface and API will always show the latest version of the rule by default, but you can view earlier versions as you wish.
It is possible to copy (Clone) a Rule. You can Clone any rule that is visible to you in the user interface of SIEM Rules.
You can clone any version of a Rule.
When cloning a Rule you can choose whether it should be public or private (visibility).
When a rule has been Cloned, it will start from version 1.0 as if it was created from new, with any version history lost.
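The versioning and cloning behaviour described above, modelled in Python as an added example (this is not SIEM Rules' own implementation; the class and function names are assumptions). Edits to `detection` or `logsource` become major updates, edits to metadata become minor updates, every earlier version stays retrievable, and a Clone of any version restarts at v1.0 with no history. The rule documents are constructed sample data in the Sigma rule schema:

```python
"""Major/minor versioning and cloning of Sigma rules (illustrative model)."""

import copy
from typing import Any, Dict, List, Optional, Tuple

Version = Tuple[int, int]
RuleDoc = Dict[str, Any]

# Sections whose change alters what the rule matches, hence a major update.
MAJOR_FIELDS = {"detection", "logsource"}


def changed_fields(old: RuleDoc, new: RuleDoc) -> set:
    """Top-level keys whose values differ between two rule documents."""
    return {k for k in set(old) | set(new) if old.get(k) != new.get(k)}


def classify_update(old: RuleDoc, new: RuleDoc) -> str:
    """Return 'major', 'minor' or 'none' for the edit old -> new."""
    changed = changed_fields(old, new)
    if not changed:
        return "none"
    return "major" if changed & MAJOR_FIELDS else "minor"


def bump(version: Version, kind: str) -> Version:
    """Apply a major (x+1.0) or minor (x.y+1) bump; anything else is unchanged."""
    major, minor = version
    if kind == "major":
        return (major + 1, 0)
    if kind == "minor":
        return (major, minor + 1)
    return version


def fmt(version: Version) -> str:
    return f"v{version[0]}.{version[1]}"


class VersionedRule:
    """A rule together with its full version history, newest entry last."""

    def __init__(self, body: RuleDoc, public: bool = True) -> None:
        self.public = public
        # New (and cloned) rules always start at v1.0 with a single entry.
        self.history: List[Tuple[Version, RuleDoc]] = [((1, 0), copy.deepcopy(body))]

    @property
    def version(self) -> Version:
        return self.history[-1][0]

    @property
    def latest(self) -> RuleDoc:
        return self.history[-1][1]

    def get(self, version: Version) -> RuleDoc:
        """Earlier versions remain viewable, not only the latest."""
        for v, body in self.history:
            if v == version:
                return body
        raise KeyError(fmt(version))

    def update(self, new_body: RuleDoc, kind: Optional[str] = None) -> str:
        """Save an edit; `kind` lets the author override the recommended class."""
        kind = kind or classify_update(self.latest, new_body)
        if kind == "none":
            return kind  # nothing changed, no new version
        self.history.append((bump(self.version, kind), copy.deepcopy(new_body)))
        return kind

    def clone(self, public: bool = True, version: Optional[Version] = None) -> "VersionedRule":
        """Copy any version into a new rule that restarts at v1.0 with no history."""
        body = self.latest if version is None else self.get(version)
        return VersionedRule(body, public=public)


# Constructed sample rule and two edits to it.
RULE_V1: RuleDoc = {
    "title": "Suspicious PowerShell Download Cradle",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe", "CommandLine|contains": ["DownloadString"]},
        "condition": "selection",
    },
    "level": "medium",
}
# Metadata-only edit: description and false positives -> minor update.
RULE_META_EDIT: RuleDoc = {**RULE_V1, "description": "PowerShell WebClient download cradle",
                           "falsepositives": ["Admin update scripts"]}
# Detection logic edit: one more method name -> major update.
RULE_LOGIC_EDIT: RuleDoc = {**RULE_META_EDIT, "detection": {
    "selection": {"Image|endswith": "\\powershell.exe",
                  "CommandLine|contains": ["DownloadString", "DownloadFile"]},
    "condition": "selection"}}

if __name__ == "__main__":
    rule = VersionedRule(RULE_V1)
    print(fmt(rule.version), rule.update(RULE_META_EDIT), fmt(rule.version))
    print(rule.update(RULE_LOGIC_EDIT), fmt(rule.version))
    clone = rule.clone(public=False, version=(1, 1))
    print("clone:", fmt(clone.version), "history entries:", len(clone.history))
```

Because the classification looks only at which top-level sections changed, a whitespace-only edit inside `detection` still counts as major; that is deliberate, since any change to matching logic should be reviewed as one, and the `kind` argument exists for the author to override it.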
Rules can be grouped into Themes. A Theme can represent anything you want, but generally Themes are collections of Rules on a certain topic (e.g. a campaign or a tool).
Themes can contain any public Rule, or private Rules belonging to your Group.
Themes can be set to be:
- Public (default):
- anyone can view (including unauthenticated users)
- can contain any public Rule
- Private (if supported by your plan)
- only Group members can view
- can contain any public Rule (will not be visible to anyone outside your Group)
- can contain a private rule from your group (will not be visible to anyone outside your Group)
Note: visibility cannot be changed once the Theme has been created.
To create a Theme you can set the following fields:
- Title (required)
- Description (optional)
- Tags (optional)
- Visibility (required)
You can add a Rule to a Theme on the individual Rule page.
Add a Rule to a Theme
Choose the Theme (it must already exist) from the Theme dropdown menu and select "add to Theme".