SIGMA

Sigma Detection Rules bring a flexible and standardized way to define detection logic using YAML-based structures. Inspired by the open Sigma format but adapted to Inopli’s internal data model, these rules allow analysts to describe correlations and matching conditions in a clear, human-readable form that abstracts away backend query language dependencies.

This rule type is especially useful for analysts familiar with SOC practices or SIEM rule writing, enabling fast onboarding and reusable logic across clients and use cases.

Rule Structure

Each Sigma rule is written in YAML format and includes:

• Metadata Descriptive fields like title, id, description, status, level, tags, and author

• Detection Logic Conditions are expressed using field-value maps, lists, and logical operators. Inopli supports selection, filter, condition blocks.

• Trigger Definition Conditions evaluate the presence of fields or values in the DRP dataset. When a rule is matched, it is escalated following the defined severity level.

Example:

yamlCopiarEditartitle: Suspicious domain with sensitive keyword
id: 8c7a-fake-1234-5678
status: stable
description: Detects domains containing sensitive internal keywords
level: medium
author: [email protected]

detection:
  selection:
    type: domain
    value|contains: "internal"
  condition: selection

Detection Model

Sigma rules are translated internally into structured queries compatible with Inopli’s data engine. They can be applied over:

• IOCs (domain, IP, hash, email)

• Content fields (value, description, source, category)

• Context metadata (tenant, risk level, enrichment tags)

All supported operators include:

• Exact match

• contains, startswith, endswith

• Lists (field: ["a", "b"])

• Field modifiers (value|contains)

Use Cases

• Match known IOCs from shared threat intelligence

• Detect exposure of internal identifiers or keywords

• Alert on findings linked to specific attack techniques

• Build reusable rules for sector-specific monitoring

Incident Triggering

Once matched, Sigma rules follow the same workflow as other rule types: they enrich the finding and, if not filtered as false positive, trigger an incident in the Response module.