Sigma base fields that work for all vendors

[esikuriansky]

Hello all

First of all, thanks for this great library I really appreciate the great work.

I am trying to write Sigma rules/queries that when translated, will automatically work for major SIEMs.
Splunk, Arcsight, Sentinel etc ..

I can't find the core Sigma fields that would be mapped to corresponding fields for all vendors.

For exmaple:
Writing a DNS query, I see there is not one base standard field

• Query, QueryName, dns_query, r-dns and more are being used throughout the rules and config files I went over.
  Same with destination port ( DestinationPort, dest_port, dst_port )
  This leaves some fields not mapped with specific tools.

Is there not suppose to be a closed set of fields for Sigma queries for such things ?

Maybe I have mistaken the whole structure and would be happy if anyone can assist.

Thank you all

[frack113]

Hi,

• https://github.com/SigmaHQ/sigma/wiki/Taxonomy

Rule should use the original field name.
The space in field nane are replace by _

For windows is easy : Event Viewer select Details and Xml.
For BIND need to works with the rfc 😄

In any case DO NOT use ECS , Splunk or SIEM custom field name.

Not all the backend mapping files are up to date, some old field name may still be in it but not by the rules anymore...
Hope to be usefull