Rule Validation¶

The rule validation framework of pySigma offers functionality to validate rules beyond errors that occur while parsing of rules and the included conditions. It consists of the following components:

The validator implemented by the sigma.validation.SigmaValidator class that conducts validation of single rules or a whole ruleset with a defined set of validators and exclusions.
Validator checks that implement rule checks that reside in the sigma.validators module. A validator can perform checks on isolated rules or keep a state and conduct additional checks in a finalization step.

Validator¶

The SigmaValidator class implements the process of validation of Sigma rules. It allows to define a set of validators as well as exclusions of validators for specific rules by rule identifiers. The configuration is passed while a SigmaValidator object is instantiated. Alternatively, the object can be instantiated from a configuration contained in a Python dict or a YAML file.

A single rule can be validated with the sigma.validation.SigmaValidator.validate_rule() method. A set of rules is validated with sigma.validation.SigmaValidator.validate_rules() and in contrast to the single rule validation this method takes care of the finalization of the validation. Finalization of the validation can be explicitely invoked with sigma.validation.SigmaValidator.finalize() and is required for validators that perform checks across different rules like identifier uniqueness.

class sigma.validation.SigmaValidator(validators: Iterable[Type[SigmaRuleValidator]], exclusions: Dict[UUID, Set[SigmaRuleValidator]] = {})¶

A SigmaValidator instantiates the given SigmaRuleValidator classes once at instantiation and uses them to check Sigma rules and collections. The validators can keep a state across the whole lifecycle of the SigmaValidator and can therefore also conduct uniqueness and other checks.

Exclusions can be defined to exclude validators checks for given rule identifiers.

finalize() → List[SigmaValidationIssue]¶

Finalize all rule validators, collect their issues and return them as flat list.

Returns:: a list of all issues emitted by rule validators on finalization.
Return type:: List[SigmaValidationIssue]

classmethod from_dict(d: Dict, validators: Dict[str, SigmaRuleValidator]) → SigmaValidator¶

Instantiate SigmaValidator from dict definition. The dict should have the following elements:

validators: a list of validators to use or not to use, if prefixed with -. The name ‘all’ represents all known validators.
exclusion: a map between rule ids and lists of validator names or a single validator name to define validation exclusions.

Parameters:

d (Dict) – Definition of the SigmaValidator.
validators (Dict[str, SigmaRuleValidator]) – Mapping from string identifiers to validator classes.

Returns:

Instantiated SigmaValidator

Return type:

SigmaValidator

validate_rule(rule: SigmaRule) → List[SigmaValidationIssue]¶

Validate a single rule with all rule validators configured in this SigmaValidator object. A rule validator can keep state information across the validation of multiple rules. Therefore the validation of a single rule is not necessarily isolated to itself but can also influence the result of the validation of other rules or cause that additional issues are emitted on finalization of the validator object.

Parameters:: rule (SigmaRule) – Sigma rule that should be validated.
Returns:: A list of SigmaValidationIssue objects describing potential issues.
Return type:: List[SigmaValidationIssue]

validate_rules(rules: Iterator[SigmaRule]) → List[SigmaValidationIssue]¶

Validate Sigma rules. This method runs all validators on all rules and finalizes the validators at the end.

Parameters:: rules (Iterator[SigmaRule]) – Rule collection that should be validated.
Returns:: A list of SigmaValidationIssue objects describing potential issues.
Return type:: List[SigmaValidationIssue]

Usage¶

Initialize a SigmaValidator object with the set of validators that should be used. The following code instantiates it with all available validators::

from sigma.validators.core import validators
rule_validator = SigmaValidator(validators.values())

SigmaValidator instantiation can also be made configurable with YAML files. For this purpose create a YAML file such as this one:

validators:
    - all
    - -tlptag
    - -tlpv1_tag
exclusions:
    5013332f-8a70-4e04-bcc1-06a98a2cca2e: wildcards_instead_of_modifiers

The details are discussed in the next section. A SigmaValidator is then instantiated as follows::

with open("config.yml") as validation_config:
    rule_validator = SigmaValidator.from_yaml(validation_config.read())

The validation of a rule set is then run as follows::

issues = rule_validator.validate_rules(sigma_rules)

Where sigma_rules might be an arbitrary iterable of SigmaRule objects, including a SigmaCollection. The resulting issues variable contains a list of sigma.validators.base.SigmaValidationIssue() objects that simply can be printed.

Configuration¶

The configuration of a validation run can be stored in a dict or in a YAML file.

Validator Checks¶

The first item that must be contained on the top level is the validators list, that defines which validator checks should be used in the run:

validators:
    - all
    - -tlptag
    - -tlpv1_tag

The list contains the identifiers of validator classes that should be used or deactivated, if the name is prefixed with a minus -. The identifier all has a special role and activates all validator classes. This is useful to maintain a complete set of validator checks including checks that were added after the configuration was written. Particular unwanted checks are disabled with the minus syntax after the initial all declaration.

In the above example, all validator checks are enabled except the validators for TLPv1 and the combined TLP validator because TLPv2 should be used exclusively.

Exclusions¶

Sometimes it can be necessary to exclude validator checks for particular rules because something detected by the check is desired for this rule. For this purpose, exclusions can be defined by defining a rule identifier as key and one or multiple validator check identifiers that shouldn’t be applied to the rule. Example:

exclusions:
    5013332f-8a70-4e04-bcc1-06a98a2cca2e:
        - wildcards_instead_of_modifiers

This exclusion defines that the wildcards_instead_of_modifiers validator check is disabled for the rule with the identifier 5013332f-8a70-4e04-bcc1-06a98a2cca2e.

Validator Checks¶

Validator checks implement checks of Sigma rules for particular issues. Issues can be:

Bad practices that likely lead to erroneous detection logic.
Usage of wrong tags.
Missing rule attributes that don’t cause rule parsing errors, but are bad practices.

A check can be conducted against a single rule or it can keep state across multiple rules and conduct a check that is not bound to a particular rule in a finalization step of a validator run.

Validator checks emit issue objects that describe detected issues and rules they appeared in. Details regarding issue objects are described below.

Implementing own Checks¶

A validator check is implemented by a class inherited from sigma.validators.base.SigmaRuleValidator. The method validate() is called for each rule and can be used to perform a check on the whole rule as well as collecting state information in the validator check object itself for later usage. A common location for such deferred checks is the finalize() method, that is invoked after all rules were checked individually with the validate method.

There exist various convenience classes that can be used for validation of particular parts of a Sigma rule. These classes offer special-purpose methods that are invoked for each appearance of a desired rule part and takes care of the proper iteration of these parts. These classes are:

sigma.validators.base.SigmaDetectionValidator for checking all detection
definitions below the detection attribute of a Sigma rule.
sigma.validators.base.SigmaDetectionItemValidator for checking all detection items
in detection definitions.
sigma.validators.base.SigmaValueValidator for checking all values contained in detection items of a Sigma rule.
sigma.validators.base.SigmaStringValueValidator for checking all string values contained in detection items of a Sigma rule.
sigma.validators.base.SigmaTagValueValidator for checking all tags appearing beloe the tags attribute of a Sigma rule.

Base Classes¶

class sigma.validators.base.SigmaDetectionValidator¶

A detection validator class implements a check for detection definitions contained in Sigma rules. The method validate_detection() must be implemented and is called for each detection definition contained in the Sigma rule. It can perform isolated checks per detection or collect state across different detections and then conduct checks across multiple detections in the following methods:

validate(): all detections across a rule.
finalize(): all detections across a rule set.

The validation state stored in the object should be reset as required to prevent undesired side effects in implementations of them methods mentioned above.

validate(rule: SigmaRule) → List[SigmaValidationIssue]¶: Iterate over all detections and call validate_detection() for each.

abstract validate_detection(name: str, detection: SigmaDetection) → List[SigmaValidationIssue]¶

Implementation of the detection validation. It is invoked for each detection.

Parameters:

name – Name of the validated detection.
detection (SigmaDetection) – detection definition that should be validated.

Returns:

List of validation issue objects describing.

Return type:

List[SigmaValidationIssue]

class sigma.validators.base.SigmaDetectionItemValidator¶

A detection item validator iterates over all detection definitions and their detection items and calls the method validate_detection_item() for each of them. It can perform isolated checks per detection item or collect state across different detection items and then conduct checks across multiple of them in the following methods:

validate_detection(): all detection items of a detection.
validate(): all detection items across a rule.
finalize(): all detection items across a rule set.

The validation state stored in the object should be reset as required to prevent undesired side effects in implementations of them methods mentioned above.

validate_detection(name: str | None, detection: SigmaDetection) → List[SigmaValidationIssue]¶: Iterate over all detection items of a detection definition and call validate_detection_item() method on each detection item or this method itself recursively for nested detection definitions.

abstract validate_detection_item(detection_item: SigmaDetectionItem) → List[SigmaValidationIssue]¶

Implementation of the detection item validation. It is invoked for each detection item.

Parameters:: detection_item (SigmaDetectionItem) – detection item that should be validated.
Returns:: List of validation issue objects describing.
Return type:: List[SigmaValidationIssue]

class sigma.validators.base.SigmaValueValidator¶

A value validator iterates over all values contained in a Sigma rules detection items and calls the method validate_value() for each of them if the type is contained in the validated_types set. It can perform isolated checks per value or collect state across different values and then conduct checks across multiple of them in the following methods:

validate_detection_item(): all values of a detection item.
validate_detection(): all detection items of a detection.
validate(): all detection items across a rule.
finalize(): all detection items across a rule set.

The validation state stored in the object should be reset as required to prevent undesired side effects in implementations of them methods mentioned above.

validate_detection_item(detection_item: SigmaDetectionItem) → List[SigmaValidationIssue]¶: Iterate over all values of a detection item and call validate_value() method for each of them if they are contained in the validated_types class attribute.

abstract validate_value(value: SigmaType) → List[SigmaValidationIssue]¶

Implementation of the value validation. It is invoked for each value of a type.

Parameters:: value (SigmaType) – detection item that should be validated.
Returns:: List of validation issue objects describing.
Return type:: List[SigmaValidationIssue]

class sigma.validators.base.SigmaStringValueValidator¶

A value validator iterates over all values contained in a Sigma rules detection items and calls the method validate_value() for all strings. It can perform isolated checks per value or collect state across different values and then conduct checks across multiple of them in the following methods:

validate_detection_item(): all values of a detection item.
validate_detection(): all detection items of a detection.
validate(): all detection items across a rule.
finalize(): all detection items across a rule set.

The validation state stored in the object should be reset as required to prevent undesired side effects in implementations of them methods mentioned above.

class sigma.validators.base.SigmaTagValidator¶

The tag validator iterates over all tags from the rule and calls the method validate_tag() for each tag.

validate(rule: SigmaRuleBase) → List[SigmaValidationIssue]¶

Implementation of the rule validation.

Parameters:: rule (SigmaRuleBase) – Sigma rule that should be validated.
Returns:: List of validation issue objects describing.
Return type:: List[SigmaValidationIssue]

abstract validate_tag(tag: SigmaRuleTag) → List[SigmaValidationIssue]¶: Validates a tag.

Checks Implemented in pySigma¶

This section lists all implemented validation check classes including their associated issue classes.

class sigma.validators.core.condition.AllOfThemConditionIssue(rules: List[sigma.rule.SigmaRuleBase])¶

class sigma.validators.core.condition.AllOfThemConditionValidator¶

Find occurrences of discouraged ‘all of them’ conditions.

validate(rule: SigmaRule) → List[SigmaValidationIssue]¶

Implementation of the rule validation.

Parameters:: rule (SigmaRuleBase) – Sigma rule that should be validated.
Returns:: List of validation issue objects describing.
Return type:: List[SigmaValidationIssue]

class sigma.validators.core.condition.DanglingDetectionIssue(rules: List[sigma.rule.SigmaRuleBase], detection_name: str)¶

class sigma.validators.core.condition.DanglingDetectionValidator¶

Check for detection definitions not referenced from condition.

condition_referenced_ids(cond: ConditionItem, detections: SigmaDetections) → Set[str]¶

Return detection item identifierd referenced by condition.

Parameters:

cond (ConditionItem) – Condition to analyze.
detections (SigmaDetections) – Detections referenced from condition.

Returns:

Set of referenced detection identifiers.

Return type:

Set[str]

validate(rule: SigmaRule) → List[SigmaValidationIssue]¶

Implementation of the rule validation.

Parameters:: rule (SigmaRuleBase) – Sigma rule that should be validated.
Returns:: List of validation issue objects describing.
Return type:: List[SigmaValidationIssue]

class sigma.validators.core.condition.ThemConditionWithSingleDetectionIssue(rules: List[sigma.rule.SigmaRuleBase])¶

class sigma.validators.core.condition.ThemConditionWithSingleDetectionValidator¶

Detect conditions refering to ‘them’ with only one detection.

validate(rule: SigmaRule) → List[SigmaValidationIssue]¶

Implementation of the rule validation.

Parameters:: rule (SigmaRuleBase) – Sigma rule that should be validated.
Returns:: List of validation issue objects describing.
Return type:: List[SigmaValidationIssue]

class sigma.validators.core.metadata.CustomAttributesIssue(rules: List[sigma.rule.SigmaRuleBase], fieldname: str)¶

class sigma.validators.core.metadata.CustomAttributesValidator¶

Check if field name is similar to legit one

validate(rule: SigmaRule) → List[SigmaValidationIssue]¶

Implementation of the rule validation.

Parameters:: rule (SigmaRuleBase) – Sigma rule that should be validated.
Returns:: List of validation issue objects describing.
Return type:: List[SigmaValidationIssue]

class sigma.validators.core.metadata.DateExistenceIssue(rules: List[sigma.rule.SigmaRuleBase])¶

class sigma.validators.core.metadata.DateExistenceValidator¶

Checks if rule has a data.

validate(rule: SigmaRule) → List[SigmaValidationIssue]¶

Implementation of the rule validation.

Parameters:: rule (SigmaRuleBase) – Sigma rule that should be validated.
Returns:: List of validation issue objects describing.
Return type:: List[SigmaValidationIssue]

class sigma.validators.core.metadata.DescriptionExistenceIssue(rules: List[sigma.rule.SigmaRuleBase])¶

class sigma.validators.core.metadata.DescriptionExistenceValidator¶

Checks if rule has a description.

validate(rule: SigmaRule) → List[SigmaValidationIssue]¶

Implementation of the rule validation.

Parameters:: rule (SigmaRuleBase) – Sigma rule that should be validated.
Returns:: List of validation issue objects describing.
Return type:: List[SigmaValidationIssue]

class sigma.validators.core.metadata.DescriptionLengthIssue(rules: List[sigma.rule.SigmaRuleBase])¶

class sigma.validators.core.metadata.DescriptionLengthValidator¶

Checks if rule has a description.

validate(rule: SigmaRule) → List[SigmaValidationIssue]¶

Implementation of the rule validation.

Parameters:: rule (SigmaRuleBase) – Sigma rule that should be validated.
Returns:: List of validation issue objects describing.
Return type:: List[SigmaValidationIssue]

class sigma.validators.core.metadata.DuplicateFilenameIssue(rules: List[sigma.rule.SigmaRuleBase], filename: str)¶

class sigma.validators.core.metadata.DuplicateFilenameValidator¶

Check rule filename uniqueness.

finalize() → List[SigmaValidationIssue]¶

Finalize a validation run and return validation issues that apply to multiple rules.

Returns:: List of validation issues.
Return type:: List[SigmaValidationIssue]

validate(rule: SigmaRule) → List[SigmaValidationIssue]¶

Implementation of the rule validation.

Parameters:: rule (SigmaRuleBase) – Sigma rule that should be validated.
Returns:: List of validation issue objects describing.
Return type:: List[SigmaValidationIssue]

class sigma.validators.core.metadata.DuplicateReferencesIssue(rules: List[sigma.rule.SigmaRuleBase], reference: str)¶

class sigma.validators.core.metadata.DuplicateReferencesValidator¶

Validate rule References uniqueness.

validate(rule: SigmaRule) → List[SigmaValidationIssue]¶

Implementation of the rule validation.

Parameters:: rule (SigmaRuleBase) – Sigma rule that should be validated.
Returns:: List of validation issue objects describing.
Return type:: List[SigmaValidationIssue]

class sigma.validators.core.metadata.DuplicateTitleIssue(rules: List[sigma.rule.SigmaRuleBase], title: str)¶

class sigma.validators.core.metadata.DuplicateTitleValidator¶

Check rule title uniqueness.

finalize() → List[SigmaValidationIssue]¶

Finalize a validation run and return validation issues that apply to multiple rules.

Returns:: List of validation issues.
Return type:: List[SigmaValidationIssue]

validate(rule: SigmaRule) → List[SigmaValidationIssue]¶

Implementation of the rule validation.

Parameters:: rule (SigmaRuleBase) – Sigma rule that should be validated.
Returns:: List of validation issue objects describing.
Return type:: List[SigmaValidationIssue]

class sigma.validators.core.metadata.FilenameLenghIssue(rules: List[sigma.rule.SigmaRuleBase], filename: str)¶

class sigma.validators.core.metadata.FilenameLenghValidator¶

Check rule filename lengh

validate(rule: SigmaRule) → List[SigmaValidationIssue]¶

Implementation of the rule validation.

Parameters:: rule (SigmaRuleBase) – Sigma rule that should be validated.
Returns:: List of validation issue objects describing.
Return type:: List[SigmaValidationIssue]

class sigma.validators.core.metadata.FilenameSigmahqIssue(rules: List[sigma.rule.SigmaRuleBase], filename: str)¶

class sigma.validators.core.metadata.FilenameSigmahqValidator¶

Check rule filename match SigmaHQ standard.

validate(rule: SigmaRule) → List[SigmaValidationIssue]¶

Implementation of the rule validation.

Parameters:: rule (SigmaRuleBase) – Sigma rule that should be validated.
Returns:: List of validation issue objects describing.
Return type:: List[SigmaValidationIssue]

class sigma.validators.core.metadata.IdentifierCollisionIssue(rules: List[sigma.rule.SigmaRuleBase], identifier: uuid.UUID)¶

class sigma.validators.core.metadata.IdentifierExistenceIssue(rules: List[sigma.rule.SigmaRuleBase])¶

class sigma.validators.core.metadata.IdentifierExistenceValidator¶

Checks if rule has identifier.

validate(rule: SigmaRule) → List[SigmaValidationIssue]¶

Implementation of the rule validation.

Parameters:: rule (SigmaRuleBase) – Sigma rule that should be validated.
Returns:: List of validation issue objects describing.
Return type:: List[SigmaValidationIssue]

class sigma.validators.core.metadata.IdentifierUniquenessValidator¶

Check rule UUID uniqueness.

finalize() → List[SigmaValidationIssue]¶

Finalize a validation run and return validation issues that apply to multiple rules.

Returns:: List of validation issues.
Return type:: List[SigmaValidationIssue]

validate(rule: SigmaRule) → List[SigmaValidationIssue]¶

Implementation of the rule validation.

Parameters:: rule (SigmaRuleBase) – Sigma rule that should be validated.
Returns:: List of validation issue objects describing.
Return type:: List[SigmaValidationIssue]

class sigma.validators.core.metadata.LevelExistenceIssue(rules: List[sigma.rule.SigmaRuleBase])¶

class sigma.validators.core.metadata.LevelExistenceValidator¶

Checks if rule has a level.

validate(rule: SigmaRule) → List[SigmaValidationIssue]¶

Implementation of the rule validation.

Parameters:: rule (SigmaRuleBase) – Sigma rule that should be validated.
Returns:: List of validation issue objects describing.
Return type:: List[SigmaValidationIssue]

class sigma.validators.core.metadata.StatusExistenceIssue(rules: List[sigma.rule.SigmaRuleBase])¶

class sigma.validators.core.metadata.StatusExistenceValidator¶

Checks if rule has a status.

validate(rule: SigmaRule) → List[SigmaValidationIssue]¶

Implementation of the rule validation.

Parameters:: rule (SigmaRuleBase) – Sigma rule that should be validated.
Returns:: List of validation issue objects describing.
Return type:: List[SigmaValidationIssue]

class sigma.validators.core.metadata.StatusUnsupportedIssue(rules: List[sigma.rule.SigmaRuleBase])¶

class sigma.validators.core.metadata.StatusUnsupportedValidator¶

Checks if rule has a status UNSUPPORTED.

validate(rule: SigmaRule) → List[SigmaValidationIssue]¶

Implementation of the rule validation.

Parameters:: rule (SigmaRuleBase) – Sigma rule that should be validated.
Returns:: List of validation issue objects describing.
Return type:: List[SigmaValidationIssue]

class sigma.validators.core.metadata.TitleLengthSigmaHQIssue(rules: List[sigma.rule.SigmaRuleBase])¶

class sigma.validators.core.metadata.TitleLengthSigmaHQValidator¶

Checks if rule has a title length longer than 110.

validate(rule: SigmaRule) → List[TitleLengthSigmaHQIssue]¶

Implementation of the rule validation.

Parameters:: rule (SigmaRuleBase) – Sigma rule that should be validated.
Returns:: List of validation issue objects describing.
Return type:: List[SigmaValidationIssue]

class sigma.validators.core.modifiers.AllWithoutContainsModifierIssue(rules: List[sigma.rule.SigmaRuleBase], detection_item: sigma.rule.SigmaDetectionItem)¶

class sigma.validators.core.modifiers.Base64OffsetWithoutContainsModifierIssue(rules: List[sigma.rule.SigmaRuleBase], detection_item: sigma.rule.SigmaDetectionItem)¶

class sigma.validators.core.modifiers.InvalidModifierCombinationsValidator¶

Detects invalid combinations of value modifiers.

validate_detection_item(detection_item: SigmaDetectionItem) → List[SigmaValidationIssue]¶

Implementation of the detection item validation. It is invoked for each detection item.

Parameters:: detection_item (SigmaDetectionItem) – detection item that should be validated.
Returns:: List of validation issue objects describing.
Return type:: List[SigmaValidationIssue]

class sigma.validators.core.modifiers.ModifierAppliedMultipleIssue(rules: List[sigma.rule.SigmaRuleBase], detection_item: sigma.rule.SigmaDetectionItem, modifiers: Set[Type[sigma.modifiers.SigmaModifier]])¶

class sigma.validators.core.tags.ATTACKTagValidator¶

Check for usage of valid MITRE ATT&CK tags.

validate_tag(tag: SigmaRuleTag) → List[SigmaValidationIssue]¶: Validates a tag.

class sigma.validators.core.tags.CARTagValidator¶

Validate rule CAR tag

validate_tag(tag: SigmaRuleTag) → List[SigmaValidationIssue]¶: Validates a tag.

class sigma.validators.core.tags.CVETagValidator¶

Validate rule CVE tag

validate_tag(tag: SigmaRuleTag) → List[SigmaValidationIssue]¶: Validates a tag.

class sigma.validators.core.tags.DetectionTagValidator¶

Validate rule detection tag

validate_tag(tag: SigmaRuleTag) → List[SigmaValidationIssue]¶: Validates a tag.

class sigma.validators.core.tags.DuplicateTagIssue(rules: List[sigma.rule.SigmaRuleBase], tag: sigma.rule.SigmaRuleTag)¶

class sigma.validators.core.tags.DuplicateTagValidator¶

Validate rule tag uniqueness.

validate(rule: SigmaRule) → List[SigmaValidationIssue]¶

Implementation of the rule validation.

Parameters:: rule (SigmaRuleBase) – Sigma rule that should be validated.
Returns:: List of validation issue objects describing.
Return type:: List[SigmaValidationIssue]

class sigma.validators.core.tags.InvalidATTACKTagIssue(rules: List[sigma.rule.SigmaRuleBase], tag: sigma.rule.SigmaRuleTag)¶

class sigma.validators.core.tags.InvalidCARTagIssue(rules: List[sigma.rule.SigmaRuleBase], tag: sigma.rule.SigmaRuleTag)¶

class sigma.validators.core.tags.InvalidCVETagIssue(rules: List[sigma.rule.SigmaRuleBase], tag: sigma.rule.SigmaRuleTag)¶

class sigma.validators.core.tags.InvalidDetectionTagIssue(rules: List[sigma.rule.SigmaRuleBase], tag: sigma.rule.SigmaRuleTag)¶

class sigma.validators.core.tags.InvalidNamespaceTagIssue(rules: List[sigma.rule.SigmaRuleBase], tag: sigma.rule.SigmaRuleTag)¶

class sigma.validators.core.tags.InvalidSTPTagIssue(rules: List[sigma.rule.SigmaRuleBase], tag: sigma.rule.SigmaRuleTag)¶

class sigma.validators.core.tags.InvalidTLPTagIssue(rules: List[sigma.rule.SigmaRuleBase], tag: sigma.rule.SigmaRuleTag)¶

class sigma.validators.core.tags.NamespaceTagValidator¶

Validate rule tag name

validate_tag(tag: SigmaRuleTag) → List[SigmaValidationIssue]¶: Validates a tag.

class sigma.validators.core.tags.STPTagValidator¶

Validate rule STP tag

validate_tag(tag: SigmaRuleTag) → List[SigmaValidationIssue]¶: Validates a tag.

class sigma.validators.core.tags.TLPTagValidator¶: Validation of TLP tags from all versions of the TLP standard.

class sigma.validators.core.tags.TLPTagValidatorBase¶

Base class for TLP tag validation

validate_tag(tag: SigmaRuleTag) → List[SigmaValidationIssue]¶: Validates a tag.

class sigma.validators.core.tags.TLPv1TagValidator¶: Validation of TLP tags according to old version 1 standard.

class sigma.validators.core.tags.TLPv2TagValidator¶: Validation of TLP tags according to version 2 standard.

class sigma.validators.core.values.ControlCharacterIssue(rules: List[sigma.rule.SigmaRuleBase], string: sigma.types.SigmaString)¶

class sigma.validators.core.values.ControlCharacterValidator¶

Check for control characters in string values, which are normally inserted unintentionally by wrong usage of single backslashes, e.g. before a t character, where double backslashes are required.

validate_value(value: SigmaString) → List[SigmaValidationIssue]¶

Implementation of the value validation. It is invoked for each value of a type.

Parameters:: value (SigmaType) – detection item that should be validated.
Returns:: List of validation issue objects describing.
Return type:: List[SigmaValidationIssue]

class sigma.validators.core.values.DoubleWildcardIssue(rules: List[sigma.rule.SigmaRuleBase], string: sigma.types.SigmaString)¶

class sigma.validators.core.values.DoubleWildcardValidator¶

Check strings for consecutive multi-character wildcards.

validate_value(value: SigmaString) → List[SigmaValidationIssue]¶

Implementation of the value validation. It is invoked for each value of a type.

Parameters:: value (SigmaType) – detection item that should be validated.
Returns:: List of validation issue objects describing.
Return type:: List[SigmaValidationIssue]

class sigma.validators.core.values.EscapedWildcardIssue(rules: List[sigma.rule.SigmaRuleBase], string: sigma.types.SigmaString)¶

class sigma.validators.core.values.EscapedWildcardValidator¶

Check for the presence of escaped wildcards.

validate_value(value: SigmaString) → List[SigmaValidationIssue]¶

Implementation of the value validation. It is invoked for each value of a type.

Parameters:: value (SigmaType) – detection item that should be validated.
Returns:: List of validation issue objects describing.
Return type:: List[SigmaValidationIssue]

class sigma.validators.core.values.NumberAsStringIssue(rules: List[sigma.rule.SigmaRuleBase], string: sigma.types.SigmaString)¶

class sigma.validators.core.values.NumberAsStringValidator¶

Check numbers that were expressed as strings.

validate_value(value: SigmaString) → List[SigmaValidationIssue]¶

Implementation of the value validation. It is invoked for each value of a type.

Parameters:: value (SigmaType) – detection item that should be validated.
Returns:: List of validation issue objects describing.
Return type:: List[SigmaValidationIssue]

class sigma.validators.core.values.WildcardInsteadOfEndswithIssue(rules: List[sigma.rule.SigmaRuleBase], detection_item: sigma.rule.SigmaDetectionItem)¶

class sigma.validators.core.values.WildcardInsteadOfStartswithIssue(rules: List[sigma.rule.SigmaRuleBase], detection_item: sigma.rule.SigmaDetectionItem)¶

class sigma.validators.core.values.WildcardsInsteadOfContainsModifierIssue(rules: List[sigma.rule.SigmaRuleBase], detection_item: sigma.rule.SigmaDetectionItem)¶

class sigma.validators.core.values.WildcardsInsteadOfModifiersValidator¶

Check if wildcards were used where usage of startswith, endswith and contains modifiers would be possible.

validate_detection_item(detection_item: SigmaDetectionItem) → List[SigmaValidationIssue]¶

Implementation of the detection item validation. It is invoked for each detection item.

Parameters:: detection_item (SigmaDetectionItem) – detection item that should be validated.
Returns:: List of validation issue objects describing.
Return type:: List[SigmaValidationIssue]

Issues¶

An issue is a class inherited from sigma.validators.base.SigmaValidationIssue:

class sigma.validators.base.SigmaValidationIssue(rules: List[SigmaRuleBase])¶: Describes an issue of one or multiple Sigma rules. This is a base class that should be overridden with specific issue classes. Description should contain some general issue information defined statically for the class. Additional issue information should be provided by additional fields that are automatically rendered in the representation methods.

It must declare at least the following class attributes:

description: a string with a textual description of the issue displayed to the user.
severity: a severity as SigmaValidationIssueSeverity object.

Further attributes can be defined optionally and are rendered when the issue object is converted to a string.

Severities are defined as follows:

class sigma.validators.base.SigmaValidationIssueSeverity(value)¶

Severity of a Sigma rule validation issue:

Low: minor improvement suggestion that results in better readability or maintainability of the rule.
Medium: issue can cause problems under certain conditions or the meaning of the rule can be different from intended.
High: issue will cause problems. It is certain that the intention of the rule author and the rule logic deviate or the rule doesn’t match anything.

Rule Validation¶

Validator¶

Usage¶

Configuration¶

Validator Checks¶

Exclusions¶

Validator Checks¶

Implementing own Checks¶

Base Classes¶

Checks Implemented in pySigma¶

Issues¶

pySigma

Navigation

Related Topics