Tags_specification.md

Tags

The following document defines the standardized tags that can be used to categorize the different Sigma rules.

• Version 1.0.1
• Release date 2022/12/19

Summary

• Summary
• Namespaces
  • Namespace: attack
  • Namespace: car
  • Namespace: cve
  • Namespace: tlp
• History

Namespaces

• attack: Categorization according to MITRE ATT&CK. To get the current supported version of ATT&CK please visite MITRE CTI
• car: Link to the corresponding MITRE Cyber Analytics Repository (CAR)
• tlp: Traffic Light Protocol

Namespace: attack

• t1234: Refers to a technique
• g1234: Refers to a group
• s1234: Refers to software

Tactics:

• initial_access: Initial Access
• execution: Execution
• persistence: Persistence
• privilege_escalation: Privilege Escalation
• defense_evasion: Defense Evasion
• credential_access: Credential Access
• discovery: Discovery
• lateral_movement: Lateral_Movement
• collection: Collection
• exfiltration: Exfiltration
• command_and_control: Command and Control
• impact: Impact

Namespace: car

Use the CAR tag from the analytics repository without the prepending CAR-. Example tag: car.2016-04-005.

Namespace: cve

Use the CVE tag from the mitre in lower case seperated by dots. Example tag: cve.2021.44228.

Namespace: tlp

All TLP levels defined by the FIRST TLP-SIG in lower case. Example tag: tlp.amber.

History

• 2022/12/19 Tags V1.0.1
  • Minor updates and tweaks
• 2022/09/18 Tags V1.0.0
  • Initial formalisation from the sigma wiki
• 2017 Sigma creation