How are Sigma Rules versioned by sigma2stix?

After importing sigma2stix data using stix2arango:

python3 utilities/arango_cti_processor/insert_archive_sigma_rules.py \
  --database forum_demo

I am using this query to get only the latest Sigma STIX objects:

FOR doc IN sigma_rules_vertex_collection
    FILTER doc._is_latest == true
    RETURN [doc]

Which is fine.

Looking further, I can see rules have different versions over time.

The versions I see include:

FOR doc IN sigma_rules_vertex_collection
    FILTER doc._stix2arango_note != "automatically imported on collection creation"
    RETURN DISTINCT doc._stix2arango_note

[
  "r2023-08-24",
  "r2023-10-09",
  "r2023-10-23",
  "r2023-11-06",
  "r2023-11-20",
  "r2023-12-04",
  "r2023-12-21",
  "r2024-01-15",
  "r2024-01-29",
  "r2024-02-12",
  "r2024-02-26",
  "r2024-03-11",
  "r2024-03-26",
  "r2024-04-29",
  "r2024-05-13"
]

But where do these versions come from?

sigma2stix allows you to define a GitHub tag in the original Sigma repo, which is how the Sigma team versions its rulesets.

For each version, sigma2stix generates a STIX bundle, which is then imported by the stix2arango script. That import is where the doc._stix2arango_note value comes from.

Old rules (with old versions) will always have the property _is_latest=false, so filtering by _is_latest=true is the right approach.
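
To see the version history behind a rule, the query below (an added example, not part of the original post) groups the imported objects by STIX id and lists the release tag of each stored version. It assumes every version of a rule keeps the same `id` and carries the standard STIX `modified` property; `latest_count` reports how many of those versions have `_is_latest == true`, so it can be compared against the statement above.

```aql
// Added example: list every stored version of each rule, oldest release first.
// Assumption: all versions of one rule share the same STIX id (doc.id).
FOR doc IN sigma_rules_vertex_collection
    FILTER doc._stix2arango_note != "automatically imported on collection creation"
    // Group the documents by STIX id, keeping only the versioning fields
    COLLECT stix_id = doc.id INTO versions = {
        release: doc._stix2arango_note,
        modified: doc.modified,
        is_latest: doc._is_latest
    }
    // Keep only rules that were stored under more than one release tag
    FILTER LENGTH(versions) > 1
    // Release tags such as "r2023-08-24" sort chronologically as strings
    LET history = (FOR v IN versions SORT v.release RETURN v)
    LIMIT 10
    RETURN {
        stix_id: stix_id,
        history: history,
        latest_count: LENGTH(history[* FILTER CURRENT.is_latest == true])
    }
```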