The structure of filters is as follows:
title
description [optional]
tags [optional]
logsource
   category
   product [optional]
   definition [optional]
detection
   {search-identifier}
      {List or object}
   ...
   condition
level
taxonomy
The following table outlines the components supported in the TrendAI™ Sigma specification. Each component is listed with its description.
title
The brief description of the filter (max. 256 characters)
description
The detailed description of the filter (max. 1024 characters)
tags
The tags to categorize a filter
  • A filter can have up to 10 tags.
  • A tag can be up to 64 characters long.
  • Tags cannot have spaces.
  • Tags can have namespaces. Use dots (.) to separate the namespaces.
    Example:
    network.attack.123.
logsource
The origin or type of data which the filter applies to
This section consists of three attributes:
  • Category: The data source
  • Product: The platform that collects the information
  • Definition: The event type
category
The type of data the filter queries
Supported values:
  • CLOUD_ACTIVITY
  • CONTAINER_ACTIVITY
  • DETECTION
  • ENDPOINT_ACTIVITY
  • MESSAGE_ACTIVITY
  • MOBILE_ACTIVITY
  • NETWORK_ACTIVITY
  • IDENTITY_ACTIVITY
  • THIRD_PARTY_LOG
product
The platforms from which the data originates
Supported values:
  • ENDPOINT_ACTIVITY: windows, linux, mac, unix
  • MOBILE_ACTIVITY: android, ios, chromeos
  • CLOUD_ACTIVITY: aws
  • CONTAINER_ACTIVITY: linux
  • THIRD_PARTY_LOG: Specify the third-party log vendors to detect corresponding third-party log events.
definition
The specific subtype of data the filter queries
WARNING
To match AMAZON_SECURITY_LAKE events, you must specify the definition as AMAZON_SECURITY_LAKE.
detection
Consists of multiple search-identifier elements, which hold the specific patterns that detect events, and a condition element
A filter can have up to 19 search-identifier elements.
condition
The logical operators and symbols that define how TrendAI Vision One™ processes the search-identifier elements
Supported operators:
  • Logical operators AND/OR
    keyword1 or keyword2
    keyword1 and keyword2
  • Negation with NOT
    keyword1 and not keyword2
  • Select a single (1 of) or all (all of) of the defined search-identifier elements, either every element (them) or those whose names match a pattern such as selection*
    all of selection*
    1 of selection* and keywords
    1 of selection* and not 1 of filter*
  • Brackets ()
    selection1 and (keywords1 or keywords2)
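The following Python is an added example, not part of the Trend Micro documentation, that evaluates a condition string written in the grammar above against the per-identifier match results for one event. It covers the listed operators (and, or, not, brackets, 1 of / all of with a name pattern or them) and goes slightly beyond the page by fixing the precedence as NOT, then AND, then OR, which is the general Sigma convention and is an assumption here. The identifier names and their match results are constructed for the example.

```python
import re
from fnmatch import fnmatchcase

# Tokens are parentheses or runs of identifier characters; "*" is kept so that
# name patterns such as selection* survive tokenisation.
_TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9_*\-]+")


def tokenize(condition):
    """Split a condition string into tokens, rejecting characters outside the grammar."""
    tokens = _TOKEN_RE.findall(condition)
    if "".join(tokens) != re.sub(r"\s+", "", condition):
        raise ValueError(f"unexpected characters in condition: {condition!r}")
    return tokens


class _Parser:
    """Recursive-descent evaluator. Precedence NOT > AND > OR is assumed (general Sigma convention)."""

    def __init__(self, tokens, matches):
        self.tokens = tokens
        self.pos = 0
        self.matches = matches  # search identifier -> True if it matched the event

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok.lower() != expected):
            raise ValueError(f"expected {expected or 'a token'} at token {self.pos}")
        self.pos += 1
        return tok

    def parse_or(self):
        value = self.parse_and()
        while (self.peek() or "").lower() == "or":
            self.take()
            rhs = self.parse_and()
            value = value or rhs
        return value

    def parse_and(self):
        value = self.parse_not()
        while (self.peek() or "").lower() == "and":
            self.take()
            rhs = self.parse_not()
            value = value and rhs
        return value

    def parse_not(self):
        if (self.peek() or "").lower() == "not":
            self.take()
            return not self.parse_not()
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            value = self.parse_or()
            self.take(")")
            return value
        quantifier = tok.lower()
        if quantifier in ("1", "all"):          # "1 of X" / "all of X"
            self.take("of")
            hits = self.select(self.take())
            return any(hits) if quantifier == "1" else all(hits)
        if tok not in self.matches:
            raise ValueError(f"unknown search identifier {tok!r}")
        return self.matches[tok]

    def select(self, pattern):
        """Resolve 'them' or a wildcard name pattern to the match results it covers."""
        if pattern.lower() == "them":
            names = list(self.matches)
        else:
            names = [n for n in self.matches if fnmatchcase(n, pattern)]
        if not names:
            raise ValueError(f"no search identifier matches {pattern!r}")
        return [self.matches[n] for n in names]


def evaluate_condition(condition, matches):
    """Return True if the condition holds for the given per-identifier match results."""
    parser = _Parser(tokenize(condition), matches)
    result = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r} at token {parser.pos}")
    return result


# Constructed match results for one hypothetical event (not real Vision One data).
SAMPLE_MATCHES = {
    "selection1": True,
    "selection2": False,
    "keywords1": False,
    "keywords2": True,
    "filter1": False,
}

if __name__ == "__main__":
    for cond in ("selection1 and (keywords1 or keywords2)", "all of selection*",
                 "1 of selection* and not 1 of filter*", "1 of them", "all of them"):
        print(f"{cond:45} -> {evaluate_condition(cond, SAMPLE_MATCHES)}")
```

Feeding a condition that names an identifier absent from the detection section raises rather than silently evaluating to False, which is the behaviour you want from a rule linter: a misspelled identifier would otherwise disable a detection without any error.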
level
The severity associated with the event that this filter detects
Supported values:
  • info
  • low
  • medium
  • high
  • critical
taxonomy
The taxonomy of the Sigma rule
Important
tm-v1 is the only supported value for taxonomy.
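As an added example that is not part of the Trend Micro documentation, the following Python checks a parsed filter against the structural limits listed in the table above (field lengths, tag rules, supported category, product and level values, the 19-search-identifier cap, and the tm-v1 taxonomy). The filters are built as Python dictionaries rather than YAML so the example runs without extra dependencies; the field names inside the search identifiers are placeholders, since the real event field names are not on this page.

```python
"""Structural linter for TrendAI Sigma filters, following the limits in the table above."""

CATEGORIES = {
    "CLOUD_ACTIVITY", "CONTAINER_ACTIVITY", "DETECTION", "ENDPOINT_ACTIVITY",
    "MESSAGE_ACTIVITY", "MOBILE_ACTIVITY", "NETWORK_ACTIVITY", "IDENTITY_ACTIVITY",
    "THIRD_PARTY_LOG",
}
# Categories whose product values are fixed by the specification. THIRD_PARTY_LOG takes a
# vendor name instead, so it is not constrained here.
PRODUCTS_BY_CATEGORY = {
    "ENDPOINT_ACTIVITY": {"windows", "linux", "mac", "unix"},
    "MOBILE_ACTIVITY": {"android", "ios", "chromeos"},
    "CLOUD_ACTIVITY": {"aws"},
    "CONTAINER_ACTIVITY": {"linux"},
}
LEVELS = {"info", "low", "medium", "high", "critical"}
MAX_TITLE, MAX_DESCRIPTION, MAX_TAGS, MAX_TAG_LEN, MAX_SEARCH_IDS = 256, 1024, 10, 64, 19


def lint_filter(rule):
    """Return a list of problems found in `rule` (a parsed filter); an empty list means it passes."""
    problems = []

    title = rule.get("title")
    if not isinstance(title, str) or not title:
        problems.append("title: required")
    elif len(title) > MAX_TITLE:
        problems.append(f"title: longer than {MAX_TITLE} characters")

    description = rule.get("description")
    if description is not None and len(description) > MAX_DESCRIPTION:
        problems.append(f"description: longer than {MAX_DESCRIPTION} characters")

    tags = rule.get("tags") or []
    if len(tags) > MAX_TAGS:
        problems.append(f"tags: more than {MAX_TAGS} tags")
    for tag in tags:
        if " " in tag or len(tag) > MAX_TAG_LEN:
            problems.append(f"tags: {tag!r} must be at most {MAX_TAG_LEN} characters with no spaces")

    logsource = rule.get("logsource") or {}
    category = logsource.get("category")
    if category not in CATEGORIES:
        problems.append(f"logsource.category: {category!r} is not a supported category")
    product = logsource.get("product")
    allowed = PRODUCTS_BY_CATEGORY.get(category)
    if product is not None and allowed is not None and product not in allowed:
        problems.append(f"logsource.product: {product!r} is not valid for {category}; use one of {sorted(allowed)}")

    detection = rule.get("detection") or {}
    condition = detection.get("condition")
    if not isinstance(condition, str) or not condition.strip():
        problems.append("detection.condition: required")
    search_ids = {k: v for k, v in detection.items() if k != "condition"}
    if not search_ids:
        problems.append("detection: at least one search identifier is required")
    if len(search_ids) > MAX_SEARCH_IDS:
        problems.append(f"detection: more than {MAX_SEARCH_IDS} search identifiers")
    for name, body in search_ids.items():
        if not isinstance(body, (list, dict)):
            problems.append(f"detection.{name}: must be a list or an object")

    if rule.get("level") not in LEVELS:
        problems.append(f"level: {rule.get('level')!r} is not one of {sorted(LEVELS)}")
    if rule.get("taxonomy") != "tm-v1":
        problems.append("taxonomy: must be 'tm-v1'")
    return problems


# Constructed filter that satisfies every limit. "eventField" is a placeholder field name.
GOOD_RULE = {
    "title": "Constructed example filter",
    "description": "Illustrates the structure only; the search identifier values are placeholders.",
    "tags": ["example.endpoint.script"],
    "logsource": {"category": "ENDPOINT_ACTIVITY", "product": "windows"},
    "detection": {
        "selection": {"eventField": "placeholder value"},
        "filter": {"eventField": "placeholder exclusion"},
        "condition": "selection and not filter",
    },
    "level": "medium",
    "taxonomy": "tm-v1",
}

# Constructed filter that breaks several limits at once (no title, description too long,
# 11 tags including one with a space, unsupported product, 20 search identifiers,
# unknown level, wrong taxonomy).
_too_many_ids = {f"selection{i}": {"eventField": f"value{i}"} for i in range(20)}
_too_many_ids["condition"] = "1 of them"
BAD_RULE = {
    "description": "x" * (MAX_DESCRIPTION + 1),
    "tags": ["bad tag"] + [f"t{i}" for i in range(10)],
    "logsource": {"category": "ENDPOINT_ACTIVITY", "product": "solaris"},
    "detection": _too_many_ids,
    "level": "severe",
    "taxonomy": "sigma",
}

if __name__ == "__main__":
    for name, rule in (("GOOD_RULE", GOOD_RULE), ("BAD_RULE", BAD_RULE)):
        print(name, "->", lint_filter(rule) or "ok")
```

Running this before a filter is submitted turns the limits in the table into a repeatable pre-flight check; the linter deliberately reports every problem at once rather than stopping at the first, so one pass is enough to fix a rule.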