Writing Sigma Rules That Actually Work

9 January 2024 | justruss.tech

Sigma is a vendor-neutral detection rule format. A single Sigma rule can be converted to Splunk SPL, Elastic EQL, Microsoft Sentinel KQL, QRadar AQL, and others using the sigma-cli or the older sigmac tool. The value is
write-once, deploy-anywhere — but only if the rules are properly tuned for your environment first.

Sigma rule structure

title: Suspicious Scheduled Task Creation
id: 92a5a95a-cce6-4b88-a5d0-c578d0d20d7e
status: stable
description: Detects scheduled task creation from unusual parent processes
references:
    - https://attack.mitre.org/techniques/T1053/005/
author: justruss
date: 2024/01/09
tags:
    - attack.persistence
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: \schtasks.exe
        CommandLine|contains: /create
    filter_legit:
        ParentImage|startswith:
            - C:\Windows\System32\
            - C:\Windows\SysWOW64\
            - C:\Program Files\
    condition: selection and not filter_legit
falsepositives:
    - Software installers
    - Admin scripts
level: medium

Converting with sigma-cli

# Install
pip install sigma-cli
pip install pysigma-backend-splunk pysigma-backend-elasticsearch

# Convert to Splunk SPL
sigma convert -t splunk -p splunk_windows rule.yml

# Output:
# (Image="*\schtasks.exe" CommandLine="*/create*")
# NOT (ParentImage="C:\Windows\System32\*"
#   OR ParentImage="C:\Windows\SysWOW64\*"
#   OR ParentImage="C:\Program Files\*")

# Convert for Elasticsearch (the elasticsearch backend emits a Lucene query string by default)
sigma convert -t elasticsearch -p ecs_windows rule.yml

The noise problem in practice

Running the raw schtasks rule in a test environment with 50 Windows endpoints over one week produced 847 matches. Breaking down by ParentImage:

ParentImage                               Count
-----------------------------------------  -----
C:\Windows\System32\cmd.exe               312
C:\Windows\System32\WindowsPowerShell\... 289
C:\Program Files\ManageEngine\...         156
C:\Users\admin\AppData\Local\Temp\...      67  <-- worth investigating
C:\Windows\Temp\install.exe                23  <-- worth investigating

The ManageEngine entries are legitimate IT management software creating maintenance tasks. Adding them to the filter drops 156 false positives immediately. The Temp directory entries are worth investigating — legitimate installers sometimes run
from Temp but it is also a common attacker staging location.

Building environment-specific filters

The exclusion list should be maintained as a separate lookup file rather than hardcoded in the rule, so it can be updated without touching the detection logic:

# legitimate_schedulers.csv
ParentImage,Note
C:\Program Files\ManageEngine\UEMS_Agent\bin\dcagentservice.exe,ManageEngine UEM
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\smc.exe,Symantec SEP
C:\Windows\System32\services.exe,SCM scheduled task registration

In Splunk, join against this lookup at query time rather than hardcoding exclusions in the SPL. This keeps the detection rule generic and the environment-specific tuning in a maintainable separate file.
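To make the lookup-driven tuning concrete, here is a small Python script (an added example, not code from the post) that applies the rule's selection block to a few constructed process_creation events and then drops any hit whose ParentImage appears in a copy of legitimate_schedulers.csv, the same "selection and not lookup" logic the Splunk join performs at query time. It implements only the two modifiers the selection uses, so it is a teaching subset rather than a Sigma engine; the events and the trimmed CSV are constructed.

```python
import csv
import io
from collections import Counter

# Constructed copy of the post's lookup file (legitimate_schedulers.csv).
LOOKUP_CSV = """ParentImage,Note
C:\\Program Files\\ManageEngine\\UEMS_Agent\\bin\\dcagentservice.exe,ManageEngine UEM
C:\\Windows\\System32\\services.exe,SCM scheduled task registration
"""

# The rule's selection block as (field, modifier, value); only the two modifiers it uses, not a full Sigma engine.
SELECTION = [("Image", "endswith", "\\schtasks.exe"),
             ("CommandLine", "contains", "/create")]

def load_lookup(text):
    """Return {ParentImage: Note}; keys lower-cased because Sigma string matching is case-insensitive."""
    return {r["ParentImage"].lower(): r["Note"] for r in csv.DictReader(io.StringIO(text))}

def field_matches(event, field, modifier, value):
    actual, value = str(event.get(field, "")).lower(), value.lower()
    if modifier == "endswith":
        return actual.endswith(value)
    if modifier == "contains":
        return value in actual
    raise ValueError(f"unsupported modifier: {modifier}")

def evaluate(events, lookup):
    """Apply 'selection and not <parent in lookup>' and return the surviving events."""
    hits = []
    for ev in events:
        if not all(field_matches(ev, *term) for term in SELECTION):
            continue                                   # selection did not fire
        if ev.get("ParentImage", "").lower() in lookup:
            continue                                   # tuned out by the lookup
        hits.append(ev)
    return hits

def count_by_parent(hits):
    """Same breakdown as the ParentImage table above."""
    return Counter(ev["ParentImage"] for ev in hits)

# Constructed process_creation events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe", "CommandLine": "schtasks /create /tn Maint /tr agent.exe",
     "ParentImage": r"C:\Program Files\ManageEngine\UEMS_Agent\bin\dcagentservice.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "CommandLine": "schtasks /Create /tn Updater /tr u.exe",
     "ParentImage": r"C:\Users\admin\AppData\Local\Temp\setup.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "CommandLine": "schtasks /query",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]
```

Running `count_by_parent(evaluate(EVENTS, load_lookup(LOOKUP_CSV)))` leaves only the Temp-directory parent, which is exactly the entry the breakdown above flags as worth investigating.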

Detection maturity tiers

Not all Sigma rules are equal. The SigmaHQ repository tags rules by status: stable, test, experimental. Running experimental rules in production without tuning will generate substantial noise. A practical approach:

  • Start with status: stable and level: high rules only
  • Run each for one week and review all matches before moving to alerting
  • Document every exclusion added with a date and reason
  • Revisit exclusions quarterly: software changes, and exclusions go stale