Detection Requirements: Monitor all access to cardholder data environments
Sigma Tags: pci-dss.10.2.1
Example Rules:
- File access to cardholder data locations
- Database queries accessing payment card fields
- Application logs showing cardholder data retrieval
```yaml
tags:
  - pci-dss.10.2.1
logsource:
  category: file_event
detection:
  selection:
    TargetFilename|contains: '\cardholder-data\'
```

Sigma Tags: pci-dss.10.2.2
Example Rules:
- Privileged account usage
- sudo/runas commands
- Administrative actions on critical systems
```yaml
tags:
  - pci-dss.10.2.2
logsource:
  category: process_creation
detection:
  selection:
    User|contains: 'admin'
```

Sigma Tags: pci-dss.10.2.4
Example Rules:
- Failed authentication attempts
- Account lockouts
- Access denied events
```yaml
tags:
  - pci-dss.10.2.4
logsource:
  category: authentication
detection:
  selection:
    EventID: 4625 # Failed logon
```

Sigma Tags: pci-dss.10.2.5
Example Rules:
- Account creation/deletion/modification
- Password changes
- Multi-factor authentication events
```yaml
tags:
  - pci-dss.10.2.5
logsource:
  category: authentication
detection:
  selection:
    EventID:
      - 4720 # Account created
      - 4724 # Password reset
```

Sigma Tags: pci-dss.10.2.7
Example Rules:
- System service creation
- Scheduled task creation
- New user account creation
```yaml
tags:
  - pci-dss.10.2.7
logsource:
  category: process_creation
detection:
  selection:
    Image|endswith: '\sc.exe'
    CommandLine|contains: 'create'
```

Controls: Organization defines auditable events
Sigma Tags: nist-800-53.au-2
Coverage:
- Security-relevant events
- Success and failure of events
- Actions by privileged users
Controls: Audit records contain sufficient information
Sigma Tags: nist-800-53.au-3
Required Fields:
- Event type, date/time, outcome
- Subject identity, object identity
- Data source
Controls: Review and analyze audit records
Sigma Tags: nist-800-53.au-6
Detection Focus:
- Automated scanning for anomalies
- Correlation of audit records
- Investigation and reporting
Controls: System provides audit record generation
Sigma Tags: nist-800-53.au-12
Coverage:
- Generate audit records for defined events
- Allow authorized users to select auditable events
- Privileged commands
Controls: Monitor the system to detect attacks and indicators
Sigma Tags: nist-800-53.si-4
Detection Coverage:
- Unauthorized access attempts
- Unauthorized use of privileges
- Malicious code detection
```yaml
tags:
  - nist-800-53.si-4
  - nist-800-53.au-12
logsource:
  category: process_creation
detection:
  selection:
    CommandLine|contains: 'mimikatz'
```

Controls: Account creation, modification, removal
Sigma Tags: nist-800-53.ac-2
Example Rules:
- Account lifecycle events
- Privileged account monitoring
- Account attribute changes
Controls: Uniquely identify and authenticate users
Sigma Tags: nist-800-53.ia-2
Example Rules:
- Multi-factor authentication
- Authentication failures
- Session management
Control: Event logs recording user activities, exceptions, and security events
Sigma Tags: iso27001.a.12.4.1
Requirements:
- User IDs
- System activities
- Date, time, and details of key events
- Device identity or location
- Records of successful and rejected system access attempts
```yaml
tags:
  - iso27001.a.12.4.1
logsource:
  category: authentication
detection:
  selection:
    EventID:
      - 4624 # Successful logon
      - 4625 # Failed logon
```

Control: Logging facilities and log information protected
Sigma Tags: iso27001.a.12.4.2
Detection Focus:
- Unauthorized access to logs
- Log deletion or modification
- Log integrity violations
Control: System administrator and operator activities logged
Sigma Tags: iso27001.a.12.4.3
Example Rules:
- Privileged command execution
- System configuration changes
- Administrative access
```yaml
tags:
  - iso27001.a.12.4.3
logsource:
  category: process_creation
detection:
  selection:
    User|contains:
      - 'admin'
      - 'root'
```

Control: Account management processes
Sigma Tags: iso27001.a.9.2.1
Example Rules:
- Account creation
- Account deletion
- Account modification
Control: Access to information and systems restricted
Sigma Tags: iso27001.a.9.4.1
Detection Focus:
- Unauthorized access attempts
- Privilege escalation
- Access control violations
Criteria: Restrict access to authorized users
Detection Coverage:
- Authentication monitoring
- Authorization violations
- Privileged access usage
Criteria: Monitor system components
Detection Coverage:
- Security event monitoring
- Anomaly detection
- Threat detection
Criteria: Evaluate events and respond
Detection Focus:
- Security incident detection
- Alert generation and escalation
- Response actions
Use this format for compliance tags:

```yaml
tags:
  - {framework}.{control-id}
```

Examples:

```yaml
tags:
  - pci-dss.10.2.5
  - nist-800-53.au-2
  - iso27001.a.12.4.1
```

Rules can map to multiple frameworks:
```yaml
title: Failed Authentication Monitoring
tags:
  - attack.credential_access
  - attack.t1110
  - pci-dss.10.2.4
  - pci-dss.10.2.5
  - nist-800-53.au-2
  - nist-800-53.au-12
  - nist-800-53.ia-2
  - iso27001.a.12.4.1
  - iso27001.a.9.2.1
```

Use the compliance_coverage.py script to analyze rule coverage:
```bash
# Analyze PCI-DSS coverage
python scripts/compliance_coverage.py --directory rules/ --framework pci-dss

# Generate coverage report
python scripts/compliance_coverage.py --directory rules/ --framework nist-800-53 --report coverage.md
```
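As an added example (not the project's own compliance_coverage.py), a minimal coverage checker in Python that applies the `{framework}.{control-id}` convention above: it pulls the `tags:` list out of Sigma rule text with a regex (so it runs without PyYAML), keeps only tags of the requested framework, and reports which of the controls listed on this page are covered, missing, or tagged with a control id outside that list. The rule texts and the required-control table are constructed for the example.

```python
"""Hypothetical coverage checker for the `{framework}.{control-id}` tag convention."""
import re
from collections import defaultdict

# Controls per framework as listed on this page (assumption: the set you audit against).
REQUIRED_CONTROLS = {
    "pci-dss": ["10.2.1", "10.2.2", "10.2.4", "10.2.5", "10.2.7"],
    "nist-800-53": ["au-2", "au-3", "au-6", "au-12", "si-4", "ac-2", "ia-2"],
    "iso27001": ["a.12.4.1", "a.12.4.2", "a.12.4.3", "a.9.2.1", "a.9.4.1"],
}

_TITLE_RE = re.compile(r"^title:\s*(.+?)\s*$", re.M)
# The `tags:` key followed by its `- value` lines (indented or flush-left).
_TAGS_RE = re.compile(r"^tags:[ \t]*\n((?:[ \t]*-[ \t]*\S+[ \t]*\n?)+)", re.M)


def rule_tags(rule_text):
    """Return (title, [tags]) for one Sigma rule given as YAML text."""
    title_m = _TITLE_RE.search(rule_text)
    title = title_m.group(1) if title_m else "<untitled>"
    tags_m = _TAGS_RE.search(rule_text)
    if not tags_m:
        return title, []
    lines = [ln.strip() for ln in tags_m.group(1).splitlines() if ln.strip()]
    return title, [ln.lstrip("-").strip() for ln in lines]


def compliance_tags(tags, framework):
    """Keep only tags shaped `<framework>.<control-id>`; the prefix match is case-insensitive."""
    prefix = framework.lower() + "."
    return [t[len(prefix):] for t in tags if t.lower().startswith(prefix)]


def coverage(rule_texts, framework):
    """Map each required control of `framework` to the rule titles carrying it."""
    covered = defaultdict(list)
    for text in rule_texts:
        title, tags = rule_tags(text)
        for control in compliance_tags(tags, framework):
            covered[control].append(title)
    required = REQUIRED_CONTROLS[framework.lower()]
    return {
        "covered": {c: covered[c] for c in required if c in covered},
        "missing": [c for c in required if c not in covered],
        "unknown": sorted(set(covered) - set(required)),  # tagged, but not in the audited list
    }


# Constructed sample rules (not real project rules); the third uses a mixed-case prefix
# and PCI control 10.2.3, which exists but is not in the list above, to show the "unknown" bucket.
SAMPLE_RULES = [
    "title: Failed Authentication Monitoring\ntags:\n  - attack.t1110\n  - pci-dss.10.2.4\n"
    "  - pci-dss.10.2.5\n  - nist-800-53.ia-2\nlogsource:\n  category: authentication\n",
    "title: Cardholder Data File Access\ntags:\n  - pci-dss.10.2.1\nlogsource:\n  category: file_event\n",
    "title: Mimikatz Command Line\ntags:\n  - nist-800-53.si-4\n  - nist-800-53.au-12\n  - PCI-DSS.10.2.3\n",
]

if __name__ == "__main__":
    print(coverage(SAMPLE_RULES, "pci-dss"))
```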