Views:
The structure of filters is as follows:
title
description [optional]
tags [optional]
logsource
   category
   product [optional]
   definition [optional]
detection
   {search-identifier}
      {List or object}
   ...
   condition
level
taxonomy
The following table outlines the components supported in the Trend Micro Sigma specification.
Component
Description
title
The brief description of the filter (max. 256 characters)
description
The detailed description of the filter (max. 1024 characters)
tags
The tags to categorize a filter
  • A filter can have up to 10 tags.
  • A tag can be up to 64 characters long.
  • Tags cannot have spaces.
  • Tags can have namespaces. Use dots (.) to separate the namespaces.
    Example:
    network.attack.123.
logsource
The origin or type of data which the filter applies to
This section consists of three attributes:
  • Category: The data source
  • Product: The platform that collects the information
  • Definition: The event type
category
The type of data the filter queries
Supported values:
  • CLOUD_ACTIVITY
  • CONTAINER_ACTIVITY
  • DETECTION
  • ENDPOINT_ACTIVITY
  • MESSAGE_ACTIVITY
  • MOBILE_ACTIVITY
  • NETWORK_ACTIVITY
  • IDENTITY_ACTIVITY
  • THIRD_PARTY_LOG
product
The platforms from which the data originates
Supported values:
  • ENDPOINT_ACTIVITY: windows, linux, mac, unix
  • MOBILE_ACTIVITY: android, ios, chromeos
  • CLOUD_ACTIVITY: aws
  • CONTAINER_ACTIVITY: linux
  • THIRD_PARTY_LOG: Specify the third-party log vendors to detect corresponding third-party log events.
definition
The specific subtype of data the filter queries
WARNING
WARNING
To match AMAZON_SECURITY_LAKE events, you must specify the definition as AMAZON_SECURITY_LAKE.
detection
Consists of multiple search-identifier elements and a condition element
A filter can have up to 19 search-identifier elements.
search-identifier
The specific patterns to detect events
condition
The logical operators and symbols that define how Trend Vision One processes the search-identifier elements
Supported operators:
  • Logical operators AND/OR
    keyword1 or keyword2
    keyword1 and keyword2
  • Negation with NOT
    keyword and not keyword 2
  • Select a single (1 of them) or all (all of them) of the defined search-identifier elements.
  • Select 1 or all of the specified elements.
    all of selection*
    1 of selection* and keywords
    1 of selection* and not 1 of filter*
  • Brackets ()
    selection1 and (keywords1 or keywords2)
level
The severity associated with the event that this filter detects
Supported values:
  • info
  • low
  • medium
  • high
  • critical
taxonomy
The taxonomy of the Sigma rule
Important
Important
tm-v1 is the only supported value for taxonomy.