Changing a Sigma rule

You can make any changes to custom Sigma rules. You can only add or remove exclusions and change the state of Sigma rules that are supplied by Kaspersky Lab.

To edit a Sigma rule:

1. Do one of the following:
   • for a group of protected devices, open the application policy properties window.
     1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
     2. Select the policy you want to configure.
     3. In the <Policy name> window that opens, select the Application settings tab.
   • for an individual protected device, open the application settings for the device.
     1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
     2. Select the device for which you want to configure application settings.
     3. In the <Device name> window that opens, select the Applications tab.
     4. Select Kaspersky Endpoint Agent.
     5. In the Kaspersky Endpoint Agent window that opens, select the Application settings tab.
2. In the Anomaly Detection using Sigma rules section, use the check box next to the name of a collection to select the collection with the Sigma rule you want to edit.
3. Click Edit.

   The Modifying the collection rules window opens.

4. Use the check box next to the rule name to select the rule that you want to edit.
5. If necessary, change the rule state using the Enabled / Disabled toggle button above the rule name.
6. Click the Modify / Edit button.

   The Changing the Sigma rule window opens.

7. If you are editing a Sigma rule supplied by Kaspersky Lab as part of a collection, add or remove exclusions for the rule.

   The content of Sigma rules supplied with the application databases is unavailable to the user. This is because the triggering conditions for these rules are Kaspersky's intellectual property and cannot be disclosed.

   In the editor for editing a Sigma rule supplied with the application databases, you can only add exclusions from the rule by specifying exclusion settings in the detection section.

   The exclusion template is defined as follows:

   detection:

   exclude1:

   - ...

   condition: not 1 of exclude*

   This template assumes that exclusions are specified using exclude* attributes, and the rule triggering condition assumes that the conditions hidden from the user are satisfied and that none of the specified exclusions are a match.

   For example:

   detection:

   exclude1:

   Image|endswith:

   - '\chrome.exe'

   - '\tor.exe'

   exclude2:

   QueryName|endswith: 'api.parsec.app'

   condition: not 1 of exclude*

8. If you are editing a custom Sigma rule, make the necessary changes throughout the entire rule structure.

   The table contains basic information about the attributes and sections of a Sigma rule, which are interpreted by Kaspersky Endpoint Agent. For more detailed information, follow this link.

   Attribute values are case-sensitive. For example, Kaspersky Endpoint Agent treats the names of the executable files AnyDesk.exe and anyDesk.exe as different.

   Sigma rule structure

   Attribute / Section	Required	Description
   title	Yes	The rule name, which indicates what it detects. The maximum length is 256 characters. For example: title: Creation of a new RAT service
   id	No	The rule's globally unique identifier. For example: id: 929a690e-bef0-4204-a928-ef5e620d6fcc
   status	No	Rule status. Possible values: stable, test, experimental, deprecated, unsupported. For example: status: test
   description	No	A description of the rule and the malicious activity it can detect. The maximum length is 65,535 characters. For example: description: Detects the installation of a new Remote Utilities host application service.
   license	No	License ID according to the SPDX ID specification. The rule is published under the terms of the specified license type.
   author	No	Any specifier that indicates the author of the rule. For example, first name and last name, nickname, social network ID.
   reference	No	Link to the source the rule was taken from. For example, a blog article or white paper.
   date	No	Date when the rule was created in YYYY/MM/DD format.
   modified	No	Date in YYYY/MM/DD format when one of the following rule attributes was changed: title, status, logsource, detection, level.
   tags	No	Tag for categorizing the rule. Read more at this link.
   logsource	Yes	In this section, you can define the source of events that the application will search for anomalies. The main attributes of this section are category, product, and service. Event sources that Kaspersky Endpoint Agent supports Event sources supported by Kaspersky Endpoint Agent   Source (logsource) Event category: process_creation product: windows Kaspersky Endpoint Agent analyzes instances of an internal process startup event that corresponds in content to EventID 1 in the Microsoft-Windows-Sysmon/Operational log and is enriched by Kaspersky Endpoint Agent fields. category: driver_load product: windows Kaspersky Endpoint Agent analyzes instances of an internal driver load event that corresponds in content to EventID 6 in the Microsoft-Windows-Sysmon/Operational log and is enriched by Kaspersky Endpoint Agent fields. category: image_load product: windows Kaspersky Endpoint Agent analyzes instances of an internal event that corresponds in content to EventID 7 in the Microsoft-Windows-Sysmon/Operational log and is enriched by Kaspersky Endpoint Agent fields. category: registry_event product: windows Kaspersky Endpoint Agent analyzes instances of internal events that correspond in content to the events EventID 12, EventID 13, and EventID 14 in the Microsoft-Windows-Sysmon/Operational log and are enriched by Kaspersky Endpoint Agent fields. category: dns_query product: windows Kaspersky Endpoint Agent analyzes instances of an internal event that corresponds in content to EventID 22 in the Microsoft-Windows-Sysmon/Operational log and is enriched by Kaspersky Endpoint Agent fields. category: file_rename product: windows Kaspersky Endpoint Agent analyzes instances of an internal event that corresponds in content to an event in the log of the Windows trace service provider Microsoft-Windows-Kernel-File and is enriched by Kaspersky Endpoint Agent fields. category: file_event product: windows Kaspersky Endpoint Agent analyzes instances of an internal event that corresponds in content to EventID 11 in the Microsoft-Windows-Sysmon/Operational log and is enriched by Kaspersky Endpoint Agent fields. product: windows service: application Kaspersky Endpoint Agent analyzes events from the WEL/Application log. product: windows service: security Kaspersky Endpoint Agent analyzes events from the WEL/Security log. product: windows service: system Kaspersky Endpoint Agent analyzes events from the WEL/System log. category: chronicle_journal product: deltav Kaspersky Endpoint Agent analyzes instances of internal events associated with normalized data from the event logs of the Emerson DeltaV system. Source events are not linked to external event logs. product: windows service: powershell-classic Kaspersky Endpoint Agent analyzes events from the Windows PowerShell log. product: windows service: powershell Kaspersky Endpoint Agent analyzes events from the Microsoft-Windows-PowerShell/Operational log.   Read more at this link.
   category	No	Defines the category of products whose event logs the application searches for anomalies. For example: firewall, internet, anti-virus, or generic. logsource: category: firewall
   product	No	Defines the software product or operating system whose event logs the application searches for anomalies. For example: logsource: product: Windows
   service	No	Defines a service whose event logs the application searches for anomalies. For example: logsource: service: AppLocker
   definition	No	Description of the specifics of the source of event logs that application searches for anomalies.
   detection	Yes	This section contains one or more criteria for searching for anomalies in event logs and a rule triggering condition. Lists, dictionaries, or a combination of them can be used as search criteria.
   list	No	A list of the values of any parameter from the event log, combined by a logical OR. For example: detection: selection: OriginalFileName: - 'AnyDesk.exe' - 'TeamViewer.exe' condition: selection In accordance with the condition, the following matches will be searched: OriginalFileName='AnyDesk.exe' OR OriginalFileName='TeamViewer.exe'.
   dictionary	No	event log parameter - value pairs. They are connected by a logical AND. For example: detection: selection: EventLog: Security EventID: 517 condition: selection In accordance with the condition, the following matches will be searched: EventLog='Security' AND Event ID=517.
   combination of list and dictionary	No	A list consisting of event log settings values and dictionaries. For example: detection: selection: EventLog: Security EventID: - 517 - 1102' condition: selection In accordance with the condition, the following matches will be searched: EventLog='Security' AND (Event ID=517 OR Event ID=1102)
   condition	Yes	Rule triggering condition. For example: detection: selection: EventLog: Security condition: selection
   fields	No	Lines from the event log that may be of interest to an analyst for subsequent analysis of the event.
   falsepositives	No	List of known scenarios that may incorrectly trigger the rule. For example: falsepositives: - Use of a utility by system administrators
   level	No	An indicator of the severity of anomalies that can be found using the rule. Possible values: informational, low, medium, high, critical.

9. Click OK to save the changes.