Building Detection Rules with Sigma

Builds vendor-agnostic detection rules using the Sigma rule format for threat detection across SIEM platforms

What Is This Skill?

"Building Detection Rules with Sigma" enables security teams to author, standardize, and manage detection logic in a vendor-agnostic format. Sigma is an open-source rule specification for describing suspicious or malicious activity in log data independently of any particular SIEM. By using Sigma, analysts can define detection content once and convert it to multiple query languages, such as Splunk SPL, Elasticsearch queries, or Microsoft Sentinel KQL, using the pySigma library and its sigma-cli front end (the older sigmac converter is deprecated in favour of pySigma).

This skill guides you through the process of writing and managing Sigma rules, mapping them to MITRE ATT&CK techniques, and operationalizing them within your SOC or detection engineering team. It also covers translating Sigma rules for deployment across different platforms, making detection logic shareable and reusable.

Why Use It?

Traditional detection engineering often results in rules tied to specific SIEM platforms, making it difficult to reuse detection content or share it across organizations. Sigma rules solve this problem by providing a common, easily readable YAML-based format that abstracts away platform-specific query syntax. This approach offers several advantages:

  • Portability: Write a detection rule once and translate it into various SIEM query formats, reducing duplication and effort when supporting multiple platforms.
  • Standardization: Sigma enforces a structured rule format, improving consistency and maintainability of detection logic.
  • Collaboration: Teams can share and review detection rules more effectively, and leverage a rich ecosystem of community-contributed Sigma rules.
  • Detection-as-Code: Sigma rules can be version-controlled, peer-reviewed, and integrated into CI/CD pipelines, supporting modern DevSecOps workflows.
  • Threat Intelligence Integration: Quickly operationalize TTPs from threat intelligence reports by translating them into actionable, cross-platform detection rules.

How to Use It

1. Prerequisites

  • Python 3.9 or newer (check the release notes of the pySigma version you install for the exact minimum)

  • Install the Sigma CLI, which pulls in pySigma, and then the backend plugin for each target SIEM, for example Splunk:

    pip install sigma-cli
    sigma plugin install splunk
  • The legacy sigmac converter from the old sigmatools package still exists but is deprecated; use sigma-cli for new work.

2. Authoring a Sigma Rule

A Sigma rule is a YAML document with metadata (title, a UUID id, status, author, date, references), a logsource that names the event stream the rule applies to, a detection block of named search identifiers combined by a condition, and a level. Within a search identifier the fields are ANDed, a list of values for one field is ORed, and string matching is case-insensitive; the |contains, |startswith and |endswith modifiers, and * and ? wildcards in plain values, control how a value is compared. Below is an example rule detecting PowerShell launched with an encoded command line:

title: Suspicious PowerShell EncodedCommand
id: 123e4567-e89b-12d3-a456-426655440000
description: Detects PowerShell started with -EncodedCommand or one of its -e/-ec/-enc abbreviations, a common way to hide an obfuscated or downloaded payload in the command line
status: experimental
author: analyst@example.com
date: 2024-06-01
references:
  - https://attack.mitre.org/techniques/T1059/001/
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'EncodedCommand'
      - ' -enc '
      - ' -ec '
      - ' -e '
  condition: selection
fields:
  - Image
  - CommandLine
  - ParentImage
falsepositives:
  - Administration and software deployment tooling that legitimately passes encoded commands; tune on ParentImage or the user account
level: high
tags:
  - attack.execution
  - attack.t1059.001

3. Mapping to MITRE ATT&CK

Sigma rules are mapped to MITRE ATT&CK through tags: attack.<tactic> for the tactic and attack.t<id> (lower case, sub-technique included) for the technique. Consistent tagging is what lets a rule set be rolled up into a coverage matrix or an ATT&CK Navigator layer:

tags:
  - attack.execution
  - attack.t1059.001

4. Converting Sigma Rules

Use sigma-cli (built on pySigma) to translate a rule into your SIEM's query language. The target (-t) selects the backend, and the processing pipeline (-p) maps Sigma's generic field names and log sources onto the fields, indexes and sourcetypes your SIEM actually has; without a pipeline the query uses the Sigma field names verbatim. For example, to convert to Splunk SPL for Windows event logs:

sigma convert -t splunk -p splunk_windows suspicious_powershell.yml

This prints a Splunk search equivalent to the rule. Repeat for other SIEMs by installing that backend plugin and changing the target and pipeline. The legacy equivalent was sigmac -t splunk suspicious_powershell.yml.
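To make the matching and translation concrete, here is an added example that is not SigmaHQ or pySigma code: it evaluates the rule's detection block over a few constructed process_creation events and hand-translates the same block into Splunk SPL. It implements only the Sigma subset the rule needs (the contains/startswith/endswith modifiers, plain values with * and ? wildcards, AND across fields, OR across a value list, and and/or/not conditions); the event records and the names `value_matches`, `search_matches`, `evaluate_condition`, `rule_matches` and `to_spl` are this example's own. The selection also covers pwsh.exe and the -e/-ec/-enc abbreviations PowerShell accepts for -EncodedCommand, which is why the second and third events match while a selection that only looks for the literal string EncodedCommand would miss them.

```python
"""Added example (not SigmaHQ/pySigma code): evaluate the rule above over constructed
events and hand-translate it to Splunk SPL. Covers only the Sigma subset the rule needs."""
import re

# The rule's detection logic as a dict; the lists also cover pwsh.exe and the -e/-ec/-enc forms.
RULE = {
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["EncodedCommand", " -enc ", " -ec ", " -e "],
        },
        "condition": "selection",
    },
}

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [  # constructed process_creation events, not real telemetry
    {"Image": PS, "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAo"},
    {"Image": PS, "CommandLine": "powershell -nop -enc SQBFAFgAIAAo"},
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "CommandLine": "pwsh -ec SQBFAFgAIAAo"},
    {"Image": PS, "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c echo -EncodedCommand"},
]


def value_matches(modifier, pattern, value):
    """Sigma string matching: case-insensitive; '*' and '?' are wildcards in plain values."""
    value, pattern = str(value).lower(), str(pattern).lower()
    if modifier == "contains":
        return pattern in value
    if modifier == "startswith":
        return value.startswith(pattern)
    if modifier == "endswith":
        return value.endswith(pattern)
    if modifier == "":
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        return re.fullmatch(regex, value) is not None
    raise ValueError(f"unsupported modifier: {modifier}")


def search_matches(search, event):
    """One search identifier: AND across its fields, OR across a field's value list."""
    for key, patterns in search.items():
        field, _, modifier = key.partition("|")
        patterns = patterns if isinstance(patterns, list) else [patterns]
        if field not in event or not any(value_matches(modifier, p, event[field]) for p in patterns):
            return False
    return True


def evaluate_condition(condition, results):
    """Evaluate 'sel and not (f1 or f2)'-style conditions; '1 of ...' forms are not supported."""
    tokens, pos = re.findall(r"\(|\)|\w+", condition), 0

    def binary(op, operand):  # left-associative chain of one operator
        nonlocal pos
        value = operand()
        while pos < len(tokens) and tokens[pos] == op:
            pos += 1
            rhs = operand()  # always parsed so the tokens are consumed
            value = (value or rhs) if op == "or" else (value and rhs)
        return value

    def unary():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok == "not":
            return not unary()
        if tok == "(":
            value = binary("or", lambda: binary("and", unary))
            pos += 1  # closing parenthesis
            return value
        return results[tok]

    return binary("or", lambda: binary("and", unary))


def rule_matches(rule, event):
    detection = rule["detection"]
    results = {n: search_matches(s, event) for n, s in detection.items() if n != "condition"}
    return evaluate_condition(detection["condition"], results)


def to_spl(rule):
    """Splunk SPL for this subset (contains -> *x*, endswith -> *x, startswith -> x*; fields AND,
    value lists OR). The index/sourcetype mapping a pipeline such as splunk_windows adds is omitted."""
    detection, clauses = rule["detection"], {}
    for name, search in detection.items():
        if name == "condition":
            continue
        parts = []
        for key, patterns in search.items():
            field, _, modifier = key.partition("|")
            if modifier not in ("", "contains", "startswith", "endswith"):
                raise ValueError(f"unsupported modifier for SPL: {modifier}")
            terms = []
            for p in (patterns if isinstance(patterns, list) else [patterns]):
                p = str(p).replace("\\", "\\\\").replace('"', '\\"')  # SPL string quoting
                p = {"contains": f"*{p}*", "endswith": f"*{p}", "startswith": f"{p}*"}.get(modifier, p)
                terms.append(f'{field}="{p}"')
            parts.append(f"({' OR '.join(terms)})" if len(terms) > 1 else terms[0])
        clauses[name] = "(" + " ".join(parts) + ")"
    spl = re.sub(r"\b(and|or|not)\b", lambda m: m.group(1).upper(), detection["condition"])
    return re.sub(r"\b\w+\b", lambda m: clauses.get(m.group(0), m.group(0)), spl)  # one pass
```

Running `rule_matches(RULE, e)` over EVENTS flags the first three events and leaves the benign `-ExecutionPolicy` launch and the cmd.exe echo alone; the benign launch is the case to keep in mind when tuning the abbreviated `' -e '` pattern. `to_spl(RULE)` shows why a pipeline matters: the generated search carries Sigma's `Image` and `CommandLine` names and no index or sourcetype, which `-p splunk_windows` would supply.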

5. Operationalizing Rules

  • Integrate into CI/CD: Store Sigma rules in a version-controlled repository. Use automated pipelines to validate (sigma check, plus your own lint for ids, dates, tags and naming), test against sample events, and convert rules before deployment.
  • Deploy to SIEM: Import the translated queries into your SIEM as saved searches, detections, or analytics.
  • Review & Tune: Regularly review detection efficacy, update rules as TTPs evolve, and contribute improvements back to the community as appropriate.
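As an added example of the validate step (this is not sigma-cli's own `sigma check`, which a pipeline should still run), here is the kind of lint a detection-as-code pipeline applies before conversion, together with the ATT&CK coverage roll-up that consistent technique tags make possible. The two rule dicts, the check names and the functions `lint_rule`, `lint_ruleset` and `technique_coverage` are this example's own; in a real pipeline the rules come from PyYAML-parsed files, where an unquoted ISO date arrives as a date object and still passes the date check, while the old `2024/06/01` spelling stays a string and fails it.

```python
"""Added example (not sigma-cli's `sigma check`): pre-merge checks for a Sigma rule set
plus an ATT&CK coverage roll-up. Rules are dicts here; both samples are constructed."""
import re
from collections import Counter, defaultdict

REQUIRED = ("title", "id", "logsource", "detection", "level")
LEVELS = {"informational", "low", "medium", "high", "critical"}
STATUSES = {"stable", "test", "experimental", "deprecated", "unsupported"}
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
TECHNIQUE_RE = re.compile(r"^attack\.t\d{4}(\.\d{3})?$")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
CONDITION_KEYWORDS = {"and", "or", "not", "of", "them", "all"}

GOOD_RULE = {  # the page's rule, reduced to what the linter looks at
    "title": "Suspicious PowerShell EncodedCommand",
    "id": "123e4567-e89b-12d3-a456-426655440000",
    "status": "experimental", "date": "2024-06-01", "level": "high",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {"selection": {"Image|endswith": "\\powershell.exe"}, "condition": "selection"},
    "tags": ["attack.execution", "attack.t1059.001"],
}
BAD_RULE = {  # constructed to trip several checks at once
    "title": "Copy of rule", "id": "not-a-uuid", "status": "draft", "date": "2024/06/01",
    "level": "severe",
    "logsource": {"product": "windows"},
    "detection": {"selection": {"CommandLine|contains": "-enc"}, "condition": "selection and not filter"},
    "tags": ["attack.execution", "T1059.001"],
}


def lint_rule(rule):
    """Return the list of findings for one rule; an empty list means it passes."""
    findings = [f"missing required field '{k}'" for k in REQUIRED if k not in rule]
    if "id" in rule and not UUID_RE.match(str(rule["id"])):
        findings.append("id is not a lowercase UUID")
    if rule.get("level") not in LEVELS:
        findings.append(f"level must be one of {sorted(LEVELS)}")
    if "status" in rule and rule["status"] not in STATUSES:
        findings.append(f"unknown status '{rule['status']}'")
    if "date" in rule and not DATE_RE.match(str(rule["date"])):  # date objects stringify as ISO
        findings.append("date must be ISO 8601 (YYYY-MM-DD)")
    detection = rule.get("detection", {})
    condition = detection.get("condition")
    if not condition:
        findings.append("detection has no condition")
    else:
        for tok in re.findall(r"[\w*]+", condition):  # identifiers the condition refers to
            if tok in CONDITION_KEYWORDS or tok.isdigit() or "*" in tok:
                continue
            if tok not in detection:
                findings.append(f"condition references undefined search identifier '{tok}'")
    if not any(TECHNIQUE_RE.match(t) for t in rule.get("tags", [])):
        findings.append("no attack.tNNNN technique tag; the rule will be invisible in coverage reports")
    return findings


def lint_ruleset(rules):
    """Per-rule findings keyed by id, plus the cross-rule check for duplicated ids."""
    report = defaultdict(list)
    for i, rule in enumerate(rules):
        report[rule.get("id", f"<rule #{i} without id>")].extend(lint_rule(rule))
    for rid, n in Counter(r.get("id") for r in rules).items():
        if rid is not None and n > 1:
            report[rid].append(f"id is shared by {n} rules; each rule needs a fresh UUID")
    return {rid: f for rid, f in report.items() if f}


def technique_coverage(rules):
    """Map each ATT&CK technique tag to the titles of the rules carrying it."""
    coverage = defaultdict(list)
    for rule in rules:
        for tag in rule.get("tags", []):
            if TECHNIQUE_RE.match(tag):
                coverage[tag].append(rule["title"])
    return dict(coverage)


if __name__ == "__main__":
    for rid, findings in lint_ruleset([GOOD_RULE, BAD_RULE]).items():
        print(rid, *findings, sep="\n  ")
    print(technique_coverage([GOOD_RULE, BAD_RULE]))
```

The undefined-identifier check catches the most common copy-and-paste mistake (a condition that still mentions a filter the author deleted), and the duplicate-id check matters because most SIEM importers key deployed detections on the Sigma id, so two rules sharing one silently overwrite each other. Wire `lint_ruleset` into the pipeline so a non-empty report fails the build before `sigma convert` runs.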

When to Use It

Apply this skill when:

  • Your SOC supports multiple SIEM platforms and needs unified detection content.
  • Threat intelligence reports introduce new adversary TTPs requiring detection logic.
  • Detection rules are being standardized for sharing within or between organizations.
  • You are migrating to a detection-as-code workflow where rules are managed in source control.
  • The team needs to convert community Sigma rules for your SIEM environment.

Sigma describes what to match on an event (plus simple event-count, value-count and temporal correlations in the current specification); it does not replace SIEM-native features such as Splunk Risk-Based Alerting, enrichment or machine-learning analytics, so detections that depend on those still have to be written in the platform's own language.

Important Notes

  • Limitations: Sigma expresses matching logic, not execution. Whether the converted query runs as a scheduled search or a streaming rule is decided by the backend and the SIEM, and stateful logic beyond Sigma's simple correlation rules, risk scoring, and other platform-specific features cannot be expressed in the format and must be maintained natively.
  • Log Source Consistency: Effective Sigma rules depend on consistent field naming and log source mapping. Ensure your log sources in the SIEM match the fields used in Sigma rules.
  • Testing: Always validate translated queries in a test environment before production deployment to avoid false positives or negatives.
  • Community Contributions: Leverage and contribute to the Sigma rule repository to stay current with emerging threats and detection techniques.
  • Licensing: The community rules in the SigmaHQ repository are published under the Detection Rule License (DRL), not Apache-2.0, and the tooling (pySigma, sigma-cli) is open source under the LGPL. Both require attribution, so review the terms before redistributing rules internally or externally.

By mastering Sigma, your team can accelerate detection engineering, streamline threat coverage, and future-proof your SOC against evolving SIEM technologies.