Supported Platforms
CloudSigma generates Sigma detection rules for 13 platforms across 5 detection planes. Each platform maps to a fixed Sigma logsource (product and service) and a set of key fields; rule generation uses these so that emitted rules match the field names and logsource conventions a Sigma backend expects for that log type.
Cloud Audit Log
AWS CloudTrail
| Property | Value |
|---|---|
| Platform ID | aws |
| Logsource product | aws |
| Logsource service | cloudtrail |
| Key fields | eventName, eventSource, sourceIPAddress, userIdentity.*, requestParameters.* |
GCP Audit Log
| Property | Value |
|---|---|
| Platform ID | gcp |
| Logsource product | gcp |
| Logsource service | gcp.audit |
| Key fields | protoPayload.methodName, protoPayload.serviceName, protoPayload.authenticationInfo.* |
Azure Activity Log
| Property | Value |
|---|---|
| Platform ID | azure |
| Logsource product | azure |
| Logsource service | activitylogs |
| Key fields | operationName, category, callerIpAddress, identity.*, properties.* |
Endpoint
Windows / Sysmon
| Property | Value |
|---|---|
| Platform ID | windows-sysmon |
| Logsource product | windows |
| Logsource service | sysmon |
| Key fields | Image, CommandLine, ParentImage, ParentCommandLine, TargetFilename, TargetObject |
Windows Security
| Property | Value |
|---|---|
| Platform ID | windows-security |
| Logsource product | windows |
| Logsource service | security |
| Key fields | EventID, SubjectUserName, TargetUserName, IpAddress, LogonType, ProcessName |
Windows PowerShell
| Property | Value |
|---|---|
| Platform ID | windows-powershell |
| Logsource product | windows |
| Logsource service | powershell |
| Key fields | ScriptBlockText, CommandLine, HostApplication, HostName |
Linux / auditd
| Property | Value |
|---|---|
| Platform ID | linux-auditd |
| Logsource product | linux |
| Logsource service | auditd |
| Key fields | type, syscall, exe, key, uid, auid, comm, name |
Kubernetes
Kubernetes Audit
| Property | Value |
|---|---|
| Platform ID | kubernetes-audit |
| Logsource product | kubernetes |
| Logsource service | audit |
| Key fields | verb, objectRef.resource, objectRef.namespace, user.username, sourceIPs |
Identity Provider
Okta System Log
| Property | Value |
|---|---|
| Platform ID | okta |
| Logsource product | okta |
| Logsource service | okta |
| Key fields | eventType, actor.alternateId, outcome.result, client.ipAddress, target[].type |
Entra ID Sign-in
| Property | Value |
|---|---|
| Platform ID | entra-id-signin |
| Logsource product | azure |
| Logsource service | signinlogs |
| Key fields | properties.userPrincipalName, properties.ipAddress, properties.status.errorCode |
Entra ID Audit
| Property | Value |
|---|---|
| Platform ID | entra-id-audit |
| Logsource product | azure |
| Logsource service | auditlogs |
| Key fields | properties.operationType, properties.targetResources[].type, properties.result |
WAF
ModSecurity WAF
| Property | Value |
|---|---|
| Platform ID | modsecurity |
| Logsource product | modsecurity |
| Logsource service | auditlog |
| Key fields | transaction.client_ip, transaction.request.uri, rule.id, rule.severity, rule.msg |
AWS WAF
| Property | Value |
|---|---|
| Platform ID | aws-waf |
| Logsource product | aws |
| Logsource service | waf |
| Key fields | action, terminatingRuleId, httpRequest.clientIp, httpRequest.uri, httpRequest.httpMethod |
Using Platform IDs
Pass platform IDs in the targetProviders array when calling POST /v1/generate:
```bash
curl -X POST https://cloudsigma.a13e.com/v1/generate \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "inputType": "url",
    "url": "https://example.com/advisory",
    "options": {
      "targetProviders": ["aws", "gcp", "azure", "kubernetes-audit"]
    }
  }'
```

Omit targetProviders to generate rules for all applicable platforms.
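The request body can be checked on the client before it is sent, and the rules that come back can be checked against the logsource table above. The following is an added example, not code from this page or from the CloudSigma API or any SDK: it copies the platform-ID-to-logsource mapping from the tables above into a Python dict, rejects unknown platform IDs before building the POST /v1/generate body, and verifies that a returned rule's logsource product and service match the mapping for the platform it was generated for. The function names (validate_target_providers, build_generate_request, check_rule_logsource) and the assumption that a generated rule is available as a parsed Sigma YAML dict are mine; the sample rule at the bottom is constructed.

```python
"""Client-side checks around the CloudSigma POST /v1/generate API.

Added example: the PLATFORMS table is copied from this page; the helper
functions and their names are assumptions, not the project's own SDK.
"""
import json

# Platform ID -> (logsource product, logsource service), from the tables above.
PLATFORMS = {
    "aws": ("aws", "cloudtrail"),
    "gcp": ("gcp", "gcp.audit"),
    "azure": ("azure", "activitylogs"),
    "windows-sysmon": ("windows", "sysmon"),
    "windows-security": ("windows", "security"),
    "windows-powershell": ("windows", "powershell"),
    "linux-auditd": ("linux", "auditd"),
    "kubernetes-audit": ("kubernetes", "audit"),
    "okta": ("okta", "okta"),
    "entra-id-signin": ("azure", "signinlogs"),
    "entra-id-audit": ("azure", "auditlogs"),
    "modsecurity": ("modsecurity", "auditlog"),
    "aws-waf": ("aws", "waf"),
}


def validate_target_providers(ids):
    """Return the unknown platform IDs in `ids` (empty list when all are valid).

    Catches the common slip of passing a logsource product ("windows",
    "kubernetes") where a platform ID ("windows-sysmon", "kubernetes-audit")
    is expected.
    """
    return [p for p in ids if p not in PLATFORMS]


def build_generate_request(advisory_url, target_providers=None):
    """Build the JSON body (as a dict) for POST /v1/generate with inputType "url".

    Omitting target_providers requests rules for all applicable platforms;
    unknown IDs raise ValueError locally instead of producing a rejected call.
    """
    body = {"inputType": "url", "url": advisory_url}
    if target_providers is not None:
        unknown = validate_target_providers(target_providers)
        if unknown:
            raise ValueError(f"unknown platform IDs: {unknown}")
        body["options"] = {"targetProviders": list(target_providers)}
    return body


def check_rule_logsource(platform_id, rule):
    """True when a generated rule's logsource matches the mapping for platform_id.

    `rule` is a parsed Sigma rule (dict). A mismatch means a Sigma backend
    configured with this page's product/service mapping would route the rule
    to the wrong index or drop it.
    """
    product, service = PLATFORMS[platform_id]
    logsource = rule.get("logsource", {})
    return logsource.get("product") == product and logsource.get("service") == service


if __name__ == "__main__":
    # Constructed sample: the request from the curl example above, plus a rule
    # skeleton shaped like a CloudTrail rule returned for platform "aws".
    body = build_generate_request(
        "https://example.com/advisory",
        ["aws", "gcp", "azure", "kubernetes-audit"],
    )
    print(json.dumps(body, indent=2))
    sample_rule = {
        "title": "Constructed sample rule",
        "logsource": {"product": "aws", "service": "cloudtrail"},
        "detection": {"selection": {"eventName": "ConsoleLogin"}, "condition": "selection"},
    }
    print("logsource ok:", check_rule_logsource("aws", sample_rule))
    print("unknown IDs:", validate_target_providers(["windows", "kubernetes-audit"]))
```

Serialize the returned dict with json.dumps when sending it; the same check_rule_logsource call applied to every rule in a response gives a quick regression test when the platform table on this page changes.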