How to OCSFy a SIGMA rule

[sharraj]

SIGMA rules can also be written in OCSF keywords. If user wants to say write a SIGMA rule for AWS Cloudtrail data and using OCSF keywords (assuming original log records of Cloudtrail is converted into OCSF), how we can specify that this is SIGMA rule is using OCSF schema for a given log type. Secondly, user may need to add lot of Observables (or important keys) to be collected on such rule match to generate more contextualized findings. What are possible ways, we can specify such observables in SIGMA rule format.

[frack113]

Hi,
first part is easy with taxonomy now.
Secund part, need more context.
If you mean using "custom field" in the detection , use definition of the logsource

hoping it will help you.