🔀 rules

Matched rules in a Sigma analysis.

🚧

DEPRECATED

Sigma analysis metadata is now included in both the File and File behaviour objects.

The rules relationship returns a list of all rules that matched in a given analysis. Entries are per match rather than per rule, so the same rule `id` can appear more than once, each with its own `context_attributes.match` describing the event that triggered it (as in the example below); consumers that count distinct rules should de-duplicate on `id`.

This relationship can be retrieved using the relationships API endpoint and contains a list of Sigma Rule objects.

{
  "data": [
    <SIGMA_RULE_OBJECT>,
    <SIGMA_RULE_OBJECT>,
    ...
  ],
  "links": {
    "next": "<string>",
    "self": "<string>"
  },
  "meta": {
    "count": <int>,
    "cursor": "<string>"
  }
}
{
    "data": [
        {
            "attributes": {
                "action": "",
                "author": "Sami Ruohonen",
                "description": "Detects usage of attrib.exe to hide files from users.",
                "detection": {
                    "condition": "selection and not (ini or intel)",
                    "details": {
                        "ini": "{\"CommandLine\":\"*\\\\desktop.ini *\"}",
                        "intel": "{\"CommandLine\":\"+R +H +S +A \\\\\\\\*.cui\",\"ParentCommandLine\":\"C:\\\\WINDOWS\\\\system32\\\\\\\\*.bat\",\"ParentImage\":\"*\\\\cmd.exe\"}",
                        "selection": "{\"CommandLine\":\"* +h *\",\"Image\":\"*\\\\attrib.exe\"}"
                    }
                },
                "false_positives": [
                    "igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)",
                    "msiexec.exe hiding desktop.ini"
                ],
                "fields": [
                    "CommandLine",
                    "ParentCommandLine",
                    "User"
                ],
                "level": "low",
                "log_source": {
                    "category": "process_creation",
                    "definition": "",
                    "product": "windows",
                    "service": ""
                },
                "references": [],
                "source": "Sigma Integrated Rule Set (GitHub)",
                "status": "experimental",
                "tags": [],
                "title": "Hiding Files with Attrib.exe"
            },
            "context_attributes": {
                "match": "$CommandLine: 'attrib  +H monitor.bak', $EventID: '1', $Image: 'C:\\Windows\\System32\\attrib.exe', $ParentCommandLine: 'C:\\Windows\\system32\\cmd.exe /c attrib +H monitor.bak'"
            },
            "id": "5c3ea6806114163b8cdf5735aeb07e702ab63e0e486f721df84cf675e2b0a04b",
            "links": {
                "self": "https://www.virustotal.com/api/v3/sigma_rules/5c3ea6806114163b8cdf5735aeb07e702ab63e0e486f721df84cf675e2b0a04b"
            },
            "type": "sigma_rule"
        },
        {
            "attributes": {
                "action": "",
                "author": "Sami Ruohonen",
                "description": "Detects usage of attrib.exe to hide files from users.",
                "detection": {
                    "condition": "selection and not (ini or intel)",
                    "details": {
                        "ini": "{\"CommandLine\":\"*\\\\desktop.ini *\"}",
                        "intel": "{\"CommandLine\":\"+R +H +S +A \\\\\\\\*.cui\",\"ParentCommandLine\":\"C:\\\\WINDOWS\\\\system32\\\\\\\\*.bat\",\"ParentImage\":\"*\\\\cmd.exe\"}",
                        "selection": "{\"CommandLine\":\"* +h *\",\"Image\":\"*\\\\attrib.exe\"}"
                    }
                },
                "false_positives": [
                    "igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)",
                    "msiexec.exe hiding desktop.ini"
                ],
                "fields": [
                    "CommandLine",
                    "ParentCommandLine",
                    "User"
                ],
                "level": "low",
                "log_source": {
                    "category": "process_creation",
                    "definition": "",
                    "product": "windows",
                    "service": ""
                },
                "references": [],
                "source": "Sigma Integrated Rule Set (GitHub)",
                "status": "experimental",
                "tags": [],
                "title": "Hiding Files with Attrib.exe"
            },
            "context_attributes": {
                "match": "$CommandLine: 'attrib  +H window_texts.txt', $EventID: '1', $Image: 'C:\\Windows\\System32\\attrib.exe', $ParentCommandLine: 'C:\\Windows\\system32\\cmd.exe /c attrib +H window_texts.txt'"
            },
            "id": "5c3ea6806114163b8cdf5735aeb07e702ab63e0e486f721df84cf675e2b0a04b",
            "links": {
                "self": "https://www.virustotal.com/api/v3/sigma_rules/5c3ea6806114163b8cdf5735aeb07e702ab63e0e486f721df84cf675e2b0a04b"
            },
            "type": "sigma_rule"
        }
    ],
    "links": {
        "next": "https://www.virustotal.com/api/v3/sigma_analyses/c88c691ab968bd1bff58155ce1d18ef82558c6a655c9c31ae9bd564b8bfc7424/rules?cursor=STIKLg%3D%3D&limit=2",
        "self": "https://www.virustotal.com/api/v3/sigma_analyses/c88c691ab968bd1bff58155ce1d18ef82558c6a655c9c31ae9bd564b8bfc7424/rules?limit=2"
    },
    "meta": {
        "count": 4,
        "cursor": "STIKLg=="
    }
}