Merge pull request #160 from SigmaHQ/formatting
Add requires for temporal
nasbench authored Nov 4, 2024
2 parents 77f8274 + 8061f71 commit 08405f8
Showing 1 changed file with 15 additions and 2 deletions.
17 changes: 15 additions & 2 deletions specification/sigma-correlation-rules-specification.md
Expand Up @@ -2,8 +2,8 @@

The following document defines the standardized correlation that can be used in Sigma rules.

* Version 2.0.1
* Release date 2024-09-03
* Version 2.0.2
* Release date 2024-11-01

- [Introduction](#introduction)
- [Compatibility](#compatibility)
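Review bot: the new release date 2024-11-01 precedes the merge date of this pull request (Nov 4, 2024 in the commit header); confirm the date is intentional or update it to the actual publication date, so that the version header and the matching History entry agree on when V2.0.2 was published.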
Expand Down Expand Up @@ -417,6 +417,11 @@ The values of fields defined in group-by must all have the same value (e.g. the

The time frame should not be restricted to boundaries if this is not required by the given backend.

Requires:
- `rules`
- `group-by`
- `timespan`

Simple example : Reconnaissance commands defined in three Sigma rules are invoked in arbitrary order within 5 minutes on a system by the same user:

```yaml
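Review bot: `group-by` is listed as required for *temporal*, but the surrounding context only states that the group-by fields must share a value and that the time frame need not be bounded, which reads as a constraint on the attribute when present rather than a requirement that it be present; please confirm against the attribute definitions earlier in the specification that `group-by` is mandatory here, and if it is optional, move it out of the Requires list (or mark it as optional) so rule authors are not told that a correlation without grouping is invalid.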
Expand All @@ -437,6 +442,11 @@ correlation:
The *temporal_ordered* correlation type behaves like *temporal* and requires in addition that the events appear in the
order provided in the *rule* attribute.

Requires:
- `rules`
- `group-by`
- `timespan`

Example: many failed logins as defined above are followed by a successful login by of the same user account within 1 hour:

```yaml
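Review bot: the Requires list names `rules`, but the unchanged sentence just above says the events must appear in the order provided in the *rule* attribute; since this hunk introduces the attribute name, it is the right place to also correct the prose to *rules* so the two agree. The example lead-in in the same context ("by of the same user account") has a stray word that could be fixed in the same pass.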
Expand Down Expand Up @@ -597,6 +607,9 @@ detection:
```

## History

* 2024-11-01 Specification V2.0.2
* add Requires field for temporal rules
* 2024-09-03 Specification V2.0.1
* add missing `status` and `falsepositives`
* 2024-08-08 Specification v2.0.0
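Review bot: the History entry says the Requires field was added for temporal rules, but the diff also adds it to the *temporal_ordered* section; "add Requires field for temporal and temporal_ordered rules" would describe the change accurately. The version labels in this list also mix capitalisation ("V2.0.2", "V2.0.1" versus "v2.0.0"); pick one form.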
