Normalization of rule names

[frack113]

Hello,
As now there are linux sysmon, laurel, agents with ETW... I would like to put some order in the name of rules.

The names are 70 characters long.
For process_creation, there are several patterns in the current folders.

I think like normalization :

• (win/lnx/macos)_process_creation_ -> 48 chars left
• (win/lnx/macos)_pc_ ->61 chars left

Keep the start_pattern _susp_ end of the name file (ex win_susp_rclone_execution.yml)

file_event, network_connection are allready in win,lnx and macos too

[wagga40]

Hi @frack113,

I think you should be careful with the shortening of some names. Think to all the new people coming in the sigma world, reading "pc" instead of "process_creation" won't be easy to grasp at first. For the more experienced, it can also be quite painful to read something like "lnx_pc_wrg_prv_mal_xxx_zzz" (voluntarily bad example), because the more we shorten things the more we want to continue shortening :) It's a little bit extreme but you get the point.

My key argument here is that, we must keep the rule name intelligible and understadable at first sight.

May be (win/lnx/macOS)_proc_create_, ... ?

[Neo23x0]

reading "pc" instead of "process_creation" won't be easy to grasp at first.

Yes, "pc" is too short.
I'd use the category as a prefix.
Why would you put the "susp" at the end?

I'd use this pattern

category_os_type_etc.yml
e.g.
proc_creation_win_susp_certutil_download.yml
proc_creation_lnx_expl_sudo_cve_2021_12345.yml

[frack113]

My bad for the end it "start pattern" + susp + "the continuation of the name".
It is bad French-English auto translate.

I have try to keep the logic in place.
The pattern proc_creation_/OS/_/name of the file/.yml is fine for me.

If is it ok, I will work on a PR.

[Neo23x0]

Do the slashes "/" mean folders?
Do you want to reorder the files in the folders?
I would keep the folders as they are.
I'd at least keep os based root folders, then a folder for the category and the the files with the category and os in a short form:

/os/category/cat_os_title.yml

E.g.
/win/process_creation/proc_create_win_certutil_susp_download.yml

[frack113]

Sorry I should not have use "/" to split the pattern part.
As you can see in #2715, I have keep the folder and rename the files according to "proc_create_(macos|lnx|win)_old_title.yml"
The folders structure is well, my concern is only the name of the files.
For networks_connection, you have 5 choices : a name, sysmon_* , win_nc_* , win_net_* and lnx_*.
When alert trigger , you get the rule name so having the same logic is a plus for the N1 SOC operator.

[frack113]

Category	Pattern	example	Done
clipboard_capture	❓
create_remote_thread	❓
create_stream_hash	❓
dns_query	dns_query_os_something	dns_query_win_lobas_appinstaller	🆗
driver_load	driver_load_os_something
file_change	file_change_os_something
file_delete	file_delete_os_something	file_delete_win_delete_backup_file	🆗
file_event	file_event_os_something	file_event_macos_startup_items	🆗
file_rename	file_rename_os_something	file_rename_win_not_dll_to_dll	🆗
image_load	image_load_something	image_load_susp_advapi32_dll	🆗
network_connection	net_connection_os_something	net_connection_lnx_crypto_mining_indicators	🆗
pipe_created	pipe_created_something	pipe_created_tool_psexec	🆗
process_access	proc_access_os_something	proc_access_win_lsass_memdump	🆗
process_creation	proc_creation_os_something	proc_creation_win_apt_apt29_thinktanks	🆗
process_tampering	❓
process_termination	❓
raw_access_thread	❓
registry_event	registry_event_something	registry_event_apt_pandemic	🆗
registry_add	registry_add_something	registry_add_mal_ursnif	🆗
registry_delete	registry_delete_something	registry_delete_mstsc_history_cleared	🆗
registry_set	registry_set_something	registry_set_add_port_monitor	🆗
registry_rename	registry_rename_something		🆗
sysmon_error	❓
sysmon_status	❓
wmi_event	wmi_event_something

I think image_load, pipe_created, registry_event and wmi_event are only windows case, but can keep the os pattern to keep the logic.

[frack113]

https://github.com/SigmaHQ/sigma-specification/blob/3a98511243244c65df9e9aba59bcb2aa9b1eacf5/sigmahq/Sigmahq_filename_rule.md