sigma-tags-appendix.md

Sigma Tags

The following document defines the standardized tags that can be used to categorize the different Sigma rules.

• Version 2.1.0
• Release date 2024-08-11

Summary

• Summary
• Namespaces
  • Namespace: attack
  • Namespace: car
  • Namespace: cve
  • Namespace: d3fend
  • Namespace: detection
  • Namespace: stp
  • Namespace: tlp
• History

Namespaces

• attack: Categorization according to MITRE ATT&CK. To get the current supported version of ATT&CK please visit MITRE CTI
• car: Link to the corresponding MITRE Cyber Analytics Repository (CAR)
• cve: Categorization according MITRE CVE
• d3fend: Categorization according to MITRE D3FEND. To get the current supported version of D3FEND please visit D3FEND Ontology
• detection: Categorization according to the types of rules provided in the SigmaHQ rule repository.
• stp: Rating of detection analytic robustness according to the MITRE Summiting the Pyramid scheme.
• tlp: Traffic Light Protocol.

Namespace: attack

• t1234: Refers to a technique
• g1234: Refers to a group
• s1234: Refers to software

Tactics:

• initial-access: Initial Access
• execution: Execution
• persistence: Persistence
• privilege-escalation: Privilege Escalation
• defense-evasion: Defense Evasion
• credential-access: Credential Access
• discovery: Discovery
• lateral-movement: Lateral_Movement
• collection: Collection
• exfiltration: Exfiltration
• command-and-control: Command and Control
• impact: Impact

Namespace: car

Use the CAR tag from MITRE analytics repository without the prepending CAR-. Example tag: car.2016-04-005.

Namespace: cve

Use the CVE tag from MITRE in lower case separated by dots. Example tag: cve.2021-44228.

Namespace: d3fend

D3FEND is a knowledge base, and more specifically a knowledge graph, of cybersecurity countermeasure techniques. It is a catalog of defensive cybersecurity techniques and their relationships to offensive/adversary techniques.

• d3-abc: Refers to a technique
• d3f-abc: Refers to an artifact

For example:

• d3fend.d3-am: Access Modeling
• d3fend.d3f-WindowsNtOpenFile: Windows NtOpenFile

Tactics:

• model: Model
• harden: Harden
• detect: Detect
• isolate: Isolate
• deceive: Deceive
• evict: Evict

Namespace: detection

Use the detection tag to indicate the type of a rule. Example tag: detection.threat-hunting.

The following tags are currently supported:

• detection.dfir
• detection.emerging-threats
• detection.threat-hunting

Namespace: stp

The Summiting the Pyramid scheme created by MITRE defines two score dimensions for scoring of the robustness:

• Analytic robustness between 1 and 5.
• Event robustness as Application, User-mode and Kernel-mode in ascending order of robustness-

Details for both dimensions are defined here.

The stp namespace allows to score the robustness of the detection implemented by a Sigma rule according to this scheme. Because the event robustness depends on the event log source that is an environmental property, Sigma allows to specify the robustness in the following ways:

• analytic-only defines just the analytic robustness in a tag like stp.4. This is usually appropriate for generic log sources like process_creation where it isn't possible to anticipate the robustness of the final log source.
• complete defines the whole score in a tag like stp.3k. Such a tag should be chosen if the detection refers to a concrete log source.

Namespace: tlp

All TLP levels defined by the FIRST TLP-SIG in lower case. Example tag: tlp.amber.

The following tags are currently supported:

• tlp.red
• tlp.amber
• tlp.amber-strict
• tlp.green
• tlp.clear

History

• 2024-08-11 Tags Appendix v2.1.0
  • Add mitre d3fend namespace
• 2024-08-08 Tags Appendix v2.0.0
• 2023-11-23 Tags Appendix v1.2.0
  • Add Summiting the Pyramid
• 2023-06-20 Tags Appendix v1.1.0
  • Add detection namespace
• 2022-12-19 Tags Appendix v1.0.1
  • Minor updates and tweaks
• 2022-09-18 Tags Appendix v1.0.0
  • Initial formalization from the sigma wiki
• 2017 Sigma creation