πŸ”€ rules

Matched rules in a Sigma analysis.

🚧

DEPRECATED

Sigma analyses metadata is now included in both the File and File behaviour objects.

The rules relationship returns a list of all matched rules for a given analysis.

This relationship can be retrieved using the relationships API endpoint and contains a list of Sigma Rule objects.

{ "data": [ <SIGMA_RULE_OBJECT>, <SIGMA_RULE_OBJECT>, ... ], "links": { "next": "<string>", "self": "<string>" }, "meta": { "count": <int>, "cursor": "<string>" } }
{ "data": [ { "attributes": { "action": "", "author": "Sami Ruohonen", "description": "Detects usage of attrib.exe to hide files from users.", "detection": { "condition": "selection and not (ini or intel)", "details": { "ini": "{\"CommandLine\":\"*\\\\desktop.ini *\"}", "intel": "{\"CommandLine\":\"+R +H +S +A \\\\\\\\*.cui\",\"ParentCommandLine\":\"C:\\\\WINDOWS\\\\system32\\\\\\\\*.bat\",\"ParentImage\":\"*\\\\cmd.exe\"}", "selection": "{\"CommandLine\":\"* +h *\",\"Image\":\"*\\\\attrib.exe\"}" } }, "false_positives": [ "igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)", "msiexec.exe hiding desktop.ini" ], "fields": [ "CommandLine", "ParentCommandLine", "User" ], "level": "low", "log_source": { "category": "process_creation", "definition": "", "product": "windows", "service": "" }, "references": [], "source": "Sigma Integrated Rule Set (GitHub)", "status": "experimental", "tags": [], "title": "Hiding Files with Attrib.exe" }, "context_attributes": { "match": "$CommandLine: 'attrib +H monitor.bak', $EventID: '1', $Image: 'C:\\Windows\\System32\\attrib.exe', $ParentCommandLine: 'C:\\Windows\\system32\\cmd.exe /c attrib +H monitor.bak'" }, "id": "5c3ea6806114163b8cdf5735aeb07e702ab63e0e486f721df84cf675e2b0a04b", "links": { "self": "https://www.virustotal.com/api/v3/sigma_rules/5c3ea6806114163b8cdf5735aeb07e702ab63e0e486f721df84cf675e2b0a04b" }, "type": "sigma_rule" }, { "attributes": { "action": "", "author": "Sami Ruohonen", "description": "Detects usage of attrib.exe to hide files from users.", "detection": { "condition": "selection and not (ini or intel)", "details": { "ini": "{\"CommandLine\":\"*\\\\desktop.ini *\"}", "intel": "{\"CommandLine\":\"+R +H +S +A \\\\\\\\*.cui\",\"ParentCommandLine\":\"C:\\\\WINDOWS\\\\system32\\\\\\\\*.bat\",\"ParentImage\":\"*\\\\cmd.exe\"}", "selection": "{\"CommandLine\":\"* +h *\",\"Image\":\"*\\\\attrib.exe\"}" } }, "false_positives": [ "igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)", "msiexec.exe hiding desktop.ini" ], "fields": [ "CommandLine", "ParentCommandLine", "User" ], "level": "low", "log_source": { "category": "process_creation", "definition": "", "product": "windows", "service": "" }, "references": [], "source": "Sigma Integrated Rule Set (GitHub)", "status": "experimental", "tags": [], "title": "Hiding Files with Attrib.exe" }, "context_attributes": { "match": "$CommandLine: 'attrib +H window_texts.txt', $EventID: '1', $Image: 'C:\\Windows\\System32\\attrib.exe', $ParentCommandLine: 'C:\\Windows\\system32\\cmd.exe /c attrib +H window_texts.txt'" }, "id": "5c3ea6806114163b8cdf5735aeb07e702ab63e0e486f721df84cf675e2b0a04b", "links": { "self": "https://www.virustotal.com/api/v3/sigma_rules/5c3ea6806114163b8cdf5735aeb07e702ab63e0e486f721df84cf675e2b0a04b" }, "type": "sigma_rule" } ], "links": { "next": "https://www.virustotal.com/api/v3/sigma_analyses/c88c691ab968bd1bff58155ce1d18ef82558c6a655c9c31ae9bd564b8bfc7424/rules?cursor=STIKLg%3D%3D&limit=2", "self": "https://www.virustotal.com/api/v3/sigma_analyses/c88c691ab968bd1bff58155ce1d18ef82558c6a655c9c31ae9bd564b8bfc7424/rules?limit=2" }, "meta": { "count": 4, "cursor": "STIKLg==" } }