Views:
The structure of filters is as follows:
title
description [optional]
tags [optional]
logsource
   category
   product [optional]
   definition [optional]
detection
   {search-identifier}
      {List or object}
   ...
   condition
level
taxonomy
The following table outlines the components supported in the Trend Micro Sigma specification.
Component
Description
title
The brief description of the filter (max. 256 characters).
description (optional)
The detailed description of the filter (max. 1024 characters).
tags (optional)
The tags to categorize a filter.
Note
Note
  • A filter can have up to 10 tags.
  • A tag can be up to 64 characters long.
  • Tags cannot have spaces.
  • Tags can have namespaces. Use dots (.) to separate the namespaces.
    Example:
    network.attack.123.
logsource
The origin or type of data to which the filter is applied.
This section consists of three attributes: the data source (category), the platform where the information is collected (product) and the event type (definition).
category
The type of data the filter queries.
Supported values:
  • CLOUD_ACTIVITY
  • CONTAINER_ACTIVITY
  • DETECTION
  • ENDPOINT_ACTIVITY
  • MESSAGE_ACTIVITY
  • MOBILE_ACTIVITY
  • NETWORK_ACTIVITY
product (optional)
The platforms from which the data originates.
Supported values:
  • For ENDPOINT_ACTIVITY: windows, linux, mac, unix
  • For MOBILE_ACTIVITY: android, ios, chromeos
  • For CLOUD_ACTIVITY: aws
  • For CONTAINER_ACTIVITY: linux
definition (optional)
The specific subtype of data the filter queries.
detection
Consists of multiple search-identifier elements and a condition element.
A filter can have up to 19 search-identifier elements.
search-identifier
The specific patterns to detect events.
condition
The logical operators and symbols that define how Trend Vision One processes the search-identifier elements.
Supported operators:
  • Logical operators AND/OR
    keyword1 or keyword2
    keyword1 and keyword2
  • Negation with NOT
    keyword and not keyword 2
  • Select a single (1 of them) or all (all of them) of the defined search-identifier elements.
  • Select 1 or all of the specified elements.
    all of selection*
    1 of selection* and keywords
    1 of selection* and not 1 of filter*
  • Brackets ()
    selection1 and (keywords1 or keywords2)
level
The severity associated with the event that this filter detects.
Supported values:
  • info
  • low
  • medium
  • high
  • critical
taxonomy
The taxonomy of the Sigma rule.
Important
Important
tm-v1 is the only supported value for taxonomy.