AST types for all Sigma constructs: rules, detections, conditions, correlations, and filters.
Reference: Sigma specification V2.0.0 (2024-08-08)
Reference: pySigma types, conditions, correlations, rule modules
Structs
- CorrelationRule - A Sigma correlation rule.
- DetectionItem - A single detection item: a field (with modifiers) mapped to one or more values.
- Detections - The complete detection section of a Sigma rule.
- FieldAlias - Field alias mapping in a correlation rule.
- FieldSpec - A field name with optional modifiers, parsed from detection keys like `TargetObject|endswith` or `Destination|contains|all`.
- FilterRule - A Sigma filter rule that modifies the detection logic of referenced rules.
- LogSource - Log source specification.
- Related - A reference to a related Sigma rule.
- SigmaCollection - A collection of parsed Sigma documents from one or more YAML files.
- SigmaRule - A complete Sigma detection rule.
Enums
- ConditionExpr - Parsed condition expression AST.
- ConditionOperator - Comparison operator in a correlation condition.
- CorrelationCondition - Condition for a correlation rule.
- CorrelationType - Correlation rule type.
- Detection - A detection definition: a group of detection items or nested detections.
- Level - Severity level of a triggered rule.
- Modifier - All supported Sigma field modifiers.
- Quantifier - Quantifier in a selector expression.
- RelationType - Relationship type for the `related` field.
- SelectorPattern - Target pattern in a selector expression.
- SigmaDocument - A single parsed document from a Sigma YAML file.
- Status - Rule maturity status.
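The FieldSpec and DetectionItem entries above describe how a detection key such as `TargetObject|endswith` or `Destination|contains|all` is split into a field name plus a modifier chain. The block below is an added, stand-alone example of that split and of evaluating the resulting item against a flat event; it is not this crate's code, and the names `parse_field_spec`, `item_matches`, the reduced `Modifier` enum and the sample event are assumptions made for illustration. It applies the Sigma rule that string comparisons are case-insensitive by default and that `|all` requires every listed value to match instead of any one of them.

```rust
// Added example, not part of the crate's API: a minimal parser for Sigma
// detection keys and an evaluator for the resulting detection item.
use std::collections::HashMap;

/// Reduced modifier set for the example (the crate's own enum is larger).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Modifier {
    Contains,
    StartsWith,
    EndsWith,
    All,
}

/// Field name plus the modifiers that followed it in the detection key.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct FieldSpec {
    pub field: String,
    pub modifiers: Vec<Modifier>,
}

/// Split "Field|mod1|mod2" on '|' and map each modifier name.
/// Unknown modifiers are an error rather than silently ignored, because
/// a dropped modifier would widen or narrow the match without warning.
pub fn parse_field_spec(key: &str) -> Result<FieldSpec, String> {
    let mut parts = key.split('|');
    let field = match parts.next() {
        Some(f) if !f.is_empty() => f.to_string(),
        _ => return Err(format!("empty field name in key {key:?}")),
    };
    let mut modifiers = Vec::new();
    for m in parts {
        modifiers.push(match m {
            "contains" => Modifier::Contains,
            "startswith" => Modifier::StartsWith,
            "endswith" => Modifier::EndsWith,
            "all" => Modifier::All,
            other => return Err(format!("unknown modifier {other:?} in key {key:?}")),
        });
    }
    Ok(FieldSpec { field, modifiers })
}

/// Evaluate one detection item (field spec -> list of values) against an
/// event. Matching is case-insensitive; `|all` switches any-of to all-of.
/// A missing field never matches.
pub fn item_matches(spec: &FieldSpec, values: &[&str], event: &HashMap<&str, &str>) -> bool {
    let actual = match event.get(spec.field.as_str()) {
        Some(v) => v.to_lowercase(),
        None => return false,
    };
    let one = |v: &str| {
        let v = v.to_lowercase();
        if spec.modifiers.contains(&Modifier::Contains) {
            actual.contains(&v)
        } else if spec.modifiers.contains(&Modifier::StartsWith) {
            actual.starts_with(&v)
        } else if spec.modifiers.contains(&Modifier::EndsWith) {
            actual.ends_with(&v)
        } else {
            actual == v
        }
    };
    if spec.modifiers.contains(&Modifier::All) {
        values.iter().all(|v| one(v))
    } else {
        values.iter().any(|v| one(v))
    }
}

fn main() {
    // Constructed sample event, not real telemetry.
    let event: HashMap<&str, &str> = HashMap::from([
        ("TargetObject", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
        ("Destination", "https://files.example.net/payload.exe"),
    ]);
    let spec = parse_field_spec("Destination|contains|all").unwrap();
    println!("{:?} -> {}", spec, item_matches(&spec, &["example.net", ".exe"], &event));
}
```

The parser rejects unknown modifiers instead of dropping them; that is the conservative choice for a detection engine, since `Image|endswith` and a silently degraded `Image` exact match are very different rules.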