
How to Write Sigma Rules

Write Sigma rules | IDE for detection engineering | Green Warden | Save Rules

Written by Sergey Bayrachny

Uncoder AI offers an IDE-style experience when writing Sigma rules. If you are new to Sigma or want to improve your skills, check out these resources:

Jump-Start Your Rule


Instead of beginning from scratch, you can:

  • Use a Sigma rule template. To do it, click the Sigma Template icon and select an option:

    • Minimal SIGMA. Basic Sigma rule components

    • Full SIGMA. All Sigma rule components

  • Upload your Sigma rule from a file.

  • Get inspiration and learn from thousands of Sigma rules in the world's largest collection of detection content. Type a search term in the search bar and click on one of the suggested options.

    The search is run against the title, description, and tags fields of the Sigma rules in the collection.

Write Comfortably


Syntax Highlighting. The syntax in the Sigma rule code is highlighted to make it more readable, emphasize the structure, and facilitate looking for errors.

Collapse/expand. You can also collapse and expand sections of a rule. To do it, click the arrow next to the line number. To expand a collapsed section, you can also click the arrows icon to the right of the visible line.

Autocomplete. Start typing and take advantage of the autocomplete functionality with suggestions that depend on the current component of the rule:

  • tags: IDs and names of all MITRE ATT&CK tactics, techniques, sub-techniques, tools, and groups

  • status: statuses according to Sigma specification

  • logsource: valid Sigma categories, products, and services

  • detection: common fields in the detection component based on the world's largest collection of Sigma rules

  • level: levels according to Sigma specification

Additionally, autocomplete suggestions in each component include matching text that already appears in your rule.

Action buttons. Copy to the clipboard or delete the input.

Check for Errors


Switch to the Improve mode, select the Validate action, and click Improve to run the built-in automated checks and see if there are any syntax/structure errors or places for improvement.

For Sigma, the checks are performed by Green Warden, a service by SOC Prime’s threat research team designed to validate the code of Sigma rules. This service checks detection rules for syntax/structure mistakes and provides smart suggestions on how to fix them. Some basic issues with Sigma rule syntax can be fixed automatically in Uncoder AI.

The results of the checks are displayed on the right.

The number of available checks depends on your Uncoder AI subscription.

Refer to these resources for the current Sigma syntax and structure:

Fix Some Errors Automatically


Warden can automatically fix basic issues with Sigma rule syntax.

After validating your rule, select the checkboxes next to the issues marked as automatically fixable and click the Fix button.

Currently, the feature can automatically fix issues with detection modifiers, a hardcoded drive letter (such as C:\) in a selection, and a missing id. A hardcoded drive letter is worth fixing because the same rule then misses the identical binary on hosts where Windows is installed on a different drive, and a missing id breaks deduplication and referencing of the rule in any larger collection.
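As an added illustration of the kind of checks described in this section and the previous one (example code written for this page, not Green Warden's or Uncoder AI's own logic): a small Python linter that reports a missing id, a malformed id, unknown or wrongly cased value modifiers, a hardcoded drive letter in a selection, a missing condition, and invalid status and level values, plus an auto-fix step for the three issue types that the text lists as automatically fixable. The rule is a constructed sample held as the dict that yaml.safe_load would return for it; the modifier list is a subset of the Sigma specification, and replacing C:\ with *\ and lower-casing a mis-cased modifier are assumptions about what a reasonable fix looks like, not a description of what Green Warden does.

```python
"""Minimal Sigma rule linter and auto-fixer (added example, not Green Warden's code)."""
import copy
import re
import uuid

# Allowed values as listed in the Sigma specification.
VALID_STATUS = {"stable", "test", "experimental", "deprecated", "unsupported"}
VALID_LEVEL = {"informational", "low", "medium", "high", "critical"}
# Subset of the value modifiers defined by the Sigma specification (assumption: illustrative,
# not exhaustive).
VALID_MODIFIERS = {
    "contains", "all", "startswith", "endswith", "re", "cidr", "base64", "base64offset",
    "utf16le", "utf16be", "utf16", "wide", "windash", "lt", "lte", "gt", "gte",
    "exists", "fieldref", "cased", "expand",
}
DRIVE_LETTER = re.compile(r"^[A-Za-z]:\\")

# Constructed sample rule, in the form yaml.safe_load returns. It deliberately has no id,
# a mis-cased modifier, a misspelled modifier, and a hardcoded drive letter.
SAMPLE_RULE = {
    "title": "Suspicious PowerShell Download Cradle",
    "status": "experimental",
    "level": "high",
    "tags": ["attack.execution", "attack.t1059.001"],
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
            "CommandLine|Contains": "DownloadString",
            "ParentImage|endwith": "\\cmd.exe",
        },
        "condition": "selection",
    },
}


def _selection_items(detection):
    """Yield (selection_name, mapping) for every mapping-style selection entry."""
    for name, body in detection.items():
        if name == "condition":
            continue
        for item in body if isinstance(body, list) else [body]:
            if isinstance(item, dict):
                yield name, item


def _strip_drive(value):
    """Replace a leading drive letter with a wildcard; leave other values untouched."""
    if isinstance(value, str) and DRIVE_LETTER.match(value):
        return "*\\" + value[3:]
    return value


def validate(rule):
    """Return a list of (fixable, message) findings for a Sigma rule dict."""
    findings = []
    for field in ("title", "logsource", "detection"):
        if field not in rule:
            findings.append((False, f"missing required field '{field}'"))
    if "id" not in rule:
        findings.append((True, "missing id"))
    else:
        try:
            uuid.UUID(str(rule["id"]))
        except ValueError:
            findings.append((False, f"id '{rule['id']}' is not a UUID"))
    if "status" in rule and rule["status"] not in VALID_STATUS:
        findings.append((False, f"unknown status '{rule['status']}'"))
    if "level" in rule and rule["level"] not in VALID_LEVEL:
        findings.append((False, f"unknown level '{rule['level']}'"))
    detection = rule.get("detection", {})
    if "condition" not in detection:
        findings.append((False, "detection has no condition"))
    for sel, item in _selection_items(detection):
        for key, value in item.items():
            _field, *mods = key.split("|")
            for mod in mods:
                if mod not in VALID_MODIFIERS:
                    fixable = mod.lower() in VALID_MODIFIERS  # only a case problem
                    findings.append((fixable, f"{sel}.{key}: unknown modifier '{mod}'"))
            values = value if isinstance(value, list) else [value]
            if any(isinstance(v, str) and DRIVE_LETTER.match(v) for v in values):
                findings.append((True, f"{sel}.{key}: hardcoded drive letter"))
    return findings


def autofix(rule):
    """Return a fixed copy: add a uuid4 id, lower-case mis-cased modifiers, wildcard drive letters."""
    fixed = copy.deepcopy(rule)
    fixed.setdefault("id", str(uuid.uuid4()))
    for _sel, item in _selection_items(fixed.get("detection", {})):
        for key in list(item):
            field, *mods = key.split("|")
            mods = [m.lower() if m.lower() in VALID_MODIFIERS else m for m in mods]
            value = item.pop(key)
            if isinstance(value, list):
                value = [_strip_drive(v) for v in value]
            else:
                value = _strip_drive(value)
            item["|".join([field, *mods])] = value
    return fixed


if __name__ == "__main__":
    for fixable, message in validate(SAMPLE_RULE):
        print(("[fixable] " if fixable else "[manual]  ") + message)
    print(autofix(SAMPLE_RULE)["detection"]["selection"])
```

Running it on the sample reports four findings, three of them fixable; after autofix only the misspelled `endwith` modifier remains, which is the kind of issue the text says still needs a manual edit.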

Save Your Rule


You can save the rule you've written to a custom repository.

  1. Click Save As > New Rule in the panel with the content.

  2. Fill in saving parameters:

    • Save to. Select the custom repository to save your content.

    • Platform. Double-check the selected platform to make sure everything is correct.

    • Content Name. Give your content a name. In the case of a Sigma rule, this field is pre-filled with the Sigma title.

    • Description. Provide a description of your content.

  3. Click Save.

Note: For a Sigma rule, all available metadata is parsed and displayed on the rule's Intelligence page in TDM. If you save a query or rule written in another language instead, most metadata and intelligence fields will be empty.

To learn more about working with custom repositories, go here.
