
Rule Fields

Souji edited this page Dec 25, 2023 · 8 revisions

Fields

The Omega field specification tries to follow the Sigma specification relatively closely.

Important

MUST have title: Short title describing the rule (min 1, max 256)
MUST have detection: detection logic
MUST (if applicable) have related: List of records for related rules (when derived, changed, superseding, etc.). Omit if not applicable.
type: relation type of the referenced rule: derived | obsoletes | merged | renamed | similar

related:
  - id: 08fbc97d-0a2f-491c-ae21-8ffcfd3174e9
    type: derived
  - id: 929a690e-bef0-4204-a928-ef5e620d6fcc
    type: obsoletes

MUST have modified: yyyy/mm/dd. Required whenever one of the following changed: detection section, level, deprecation status, title

The provided rule validation methods raise errors if required fields are missing. They cannot enforce requirements that depend on what changed between revisions of a rule.

Recommended optional fields

Note

Using optional fields against the specification results in warnings, not errors, when validating rules.
You can ignore these if you wish, but in the interest of reasonable standards it is recommended to stick to the specification.

SHOULD id: UUID (generator)
The id attribute should change in case of major rule changes (detection logic), derivation of a new rule, or a merge of rules.

SHOULD description: A longer description of the document, should start with "This rule detects" (max. 65,535 characters)

SHOULD level: Threat level: informational | low | medium | high | critical

Other optional fields

CAN status: Rule stability status: unsupported | deprecated | experimental | test | stable

CAN references: A List of external references that explain this rule and its use

CAN author: Rule author

CAN date: Rule creation date yyyy/mm/dd

CAN modified: When the rule was last modified yyyy/mm/dd

CAN fields: Data fields that could be interesting for further analysis

CAN false-positives: A list of false positives that may occur

CAN tags: Namespaced tags, for example tlp.clear (MITRE CVE cve.1.1, STP stp.1, CAR car.2016-04-05; let's be real, it's doubtful that anything but TLP becomes relevant for this project)

Note

Arbitrary additional fields are ignored by validation but still returned with the rule.
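The MUST / SHOULD / CAN tiers above map directly onto the error-versus-warning behaviour the validation notes describe. The following is an added example validator, not the project's own validation code: it takes a rule already parsed from YAML into a dict, reports MUST violations as errors, SHOULD and CAN violations as warnings, and returns any undefined fields untouched. The sample rules, the custom `x-custom` field and the helper names are constructed for the example; the value vocabularies and date format are the ones listed on this page. As the page says, whether `modified` needed to be bumped cannot be decided from a single file, so only its format is checked.

```python
import re
import uuid
from datetime import datetime

# Vocabularies and limits taken from the field specification on this page.
RELATION_TYPES = {"derived", "obsoletes", "merged", "renamed", "similar"}
LEVELS = {"informational", "low", "medium", "high", "critical"}
STATUSES = {"unsupported", "deprecated", "experimental", "test", "stable"}
KNOWN_FIELDS = {
    "title", "detection", "related", "modified",           # MUST
    "id", "description", "level",                           # SHOULD
    "status", "references", "author", "date", "fields",     # CAN
    "false-positives", "tags",
}


def _is_date(value):
    """yyyy/mm/dd as the page requires; also rejects impossible dates like 2023/02/30."""
    if not isinstance(value, str) or not re.fullmatch(r"\d{4}/\d{2}/\d{2}", value):
        return False
    try:
        datetime.strptime(value, "%Y/%m/%d")
        return True
    except ValueError:
        return False


def _is_uuid(value):
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def _one_of(value, allowed):
    return isinstance(value, str) and value in allowed


def validate_rule(rule):
    """Validate a parsed rule dict. Returns {"errors", "warnings", "extra"}:
    errors   -> MUST violations (validation fails),
    warnings -> SHOULD / CAN violations (validation passes),
    extra    -> fields the spec does not define; ignored but returned."""
    errors, warnings = [], []

    title = rule.get("title")                                   # MUST, 1..256 chars
    if not isinstance(title, str) or not 1 <= len(title) <= 256:
        errors.append("title: required, 1 to 256 characters")
    if not rule.get("detection"):                               # MUST (structure not checked here)
        errors.append("detection: required")
    if "related" in rule:                                       # MUST if applicable
        if not isinstance(rule["related"], list):
            errors.append("related: must be a list of records")
        else:
            for i, rec in enumerate(rule["related"]):
                rec = rec if isinstance(rec, dict) else {}
                if not _is_uuid(rec.get("id")):
                    errors.append(f"related[{i}].id: must be a UUID")
                if not _one_of(rec.get("type"), RELATION_TYPES):
                    errors.append(f"related[{i}].type: must be one of {sorted(RELATION_TYPES)}")
    # Only the format of modified is checkable from one file; whether it had to
    # change depends on the previous revision, which this check cannot see.
    if "modified" in rule and not _is_date(rule["modified"]):
        errors.append("modified: must be yyyy/mm/dd")

    if "id" not in rule:                                        # SHOULD
        warnings.append("id: missing, should be a UUID")
    elif not _is_uuid(rule["id"]):
        warnings.append("id: not a valid UUID")
    desc = rule.get("description")
    if desc is None:
        warnings.append("description: missing")
    elif not (isinstance(desc, str) and desc.startswith("This rule detects") and len(desc) <= 65535):
        warnings.append("description: should start with 'This rule detects', max 65,535 characters")
    if "level" not in rule:
        warnings.append("level: missing")
    elif not _one_of(rule["level"], LEVELS):
        warnings.append(f"level: must be one of {sorted(LEVELS)}")

    if "status" in rule and not _one_of(rule["status"], STATUSES):   # CAN
        warnings.append(f"status: must be one of {sorted(STATUSES)}")
    if "date" in rule and not _is_date(rule["date"]):
        warnings.append("date: must be yyyy/mm/dd")
    for list_field in ("references", "fields", "false-positives", "tags"):
        if list_field in rule and not isinstance(rule[list_field], list):
            warnings.append(f"{list_field}: must be a list")

    extra = {k: v for k, v in rule.items() if k not in KNOWN_FIELDS}
    return {"errors": errors, "warnings": warnings, "extra": extra}


# Constructed sample rules for the example (not taken from the project).
GOOD_RULE = {
    "title": "Example rule",
    "id": "3f2c1b0e-1f3a-4c5d-9e8f-0a1b2c3d4e5f",
    "description": "This rule detects a constructed example condition.",
    "level": "medium", "status": "experimental",
    "date": "2023/12/25", "modified": "2023/12/25",
    "related": [{"id": "08fbc97d-0a2f-491c-ae21-8ffcfd3174e9", "type": "derived"}],
    "tags": ["tlp.clear"],
    "detection": {"selection": {"EventID": 1}, "condition": "selection"},
    "x-custom": "kept but not validated",                       # arbitrary field
}
BAD_RULE = {
    "title": "",                                                # empty title, no detection
    "related": [{"id": "not-a-uuid", "type": "forked"}],
    "modified": "2023-12-25",                                   # wrong separator
    "level": "urgent",                                          # not in LEVELS
}

if __name__ == "__main__":
    for name, rule in (("GOOD_RULE", GOOD_RULE), ("BAD_RULE", BAD_RULE)):
        print(name, validate_rule(rule))
```

Running the block validates the good rule with no errors or warnings while still returning `x-custom` under `extra`, and reports five errors (title, detection, both `related` sub-fields, `modified`) plus three warnings (missing `id` and `description`, bad `level`) for the bad rule. Loading real rule files would only add a YAML parse step in front of `validate_rule`.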
