Sigma

Sigma is a community skill for writing and managing Sigma detection rules, covering rule syntax, log source mapping, detection logic, SIEM integration, and rule conversion for cross-platform security monitoring.

What Is This?

Overview

Sigma provides tools for creating generic detection rules that can be converted to various SIEM query languages. It covers rule syntax that defines detection logic in a YAML-based format independent of any specific SIEM platform, log source mapping that specifies which event categories and products the rule targets, detection logic that combines field conditions with boolean operators to match malicious patterns, SIEM integration that converts Sigma rules to Splunk, Elastic, and other query formats, and rule conversion that transforms generic rules into platform-specific queries using sigma-cli. The skill helps security teams write portable detection rules.

Who Should Use This

This skill serves security analysts writing detection rules for SOC operations, threat hunters creating indicators for suspicious activity, and detection engineers maintaining rule repositories across SIEM platforms.

Why Use It?

Problems It Solves

Writing detection rules separately for each SIEM platform duplicates effort and creates maintenance burden. Sharing threat intelligence as vendor-specific queries limits adoption across organizations with different tools. Detection logic embedded in SIEM-specific syntax is difficult to review and maintain. Migrating between SIEM platforms requires rewriting all existing detection rules.

Core Highlights

Rule author writes vendor-neutral detection logic in YAML. Log source mapper targets specific event categories and products. Condition builder combines field matching with boolean operators. Rule converter transforms Sigma rules to SIEM query languages.

How to Use It?

Basic Usage

title: Suspicious
  PowerShell Execution
id: a1b2c3d4-e5f6
status: experimental
description: >
  Detects suspicious
  PowerShell command
  line patterns.
logsource:
  category: process_creation
  product: windows
detection:
  selection_process:
    Image|endswith:
      - '\\powershell.exe'
      - '\\pwsh.exe'
  selection_flags:
    CommandLine|contains:
      - '-encodedcommand'
      - '-windowstyle hidden'
      - '-exec bypass'
  condition: >
    selection_process
    and selection_flags
level: high
tags:
  - attack.execution
  - attack.t1059.001
falsepositives:
  - Admin scripts

Real-World Examples

import yaml
import subprocess
from pathlib import Path

class SigmaManager:
  def __init__(
    self,
    rules_dir: str
  ):
    self.rules_dir = Path(
      rules_dir)

  def load_rules(
    self
  ) -> list:
    rules = []
    for f in (
      self.rules_dir
      .glob('*.yml')
    ):
      with open(f) as fh:
        rule = yaml.safe_load(
          fh)
        rule['_file'] = (
          f.name)
        rules.append(rule)
    return rules

  def convert(
    self,
    rule_file: str,
    target: str
      = 'splunk'
  ) -> str:
    result = subprocess.run(
      ['sigma', 'convert',
       '-t', target,
       str(self.rules_dir
         / rule_file)],
      capture_output=True,
      text=True)
    return result.stdout

  def stats(self) -> dict:
    rules = self.load_rules()
    levels = {}
    for r in rules:
      lv = r.get(
        'level', 'unknown')
      levels[lv] = (
        levels.get(lv, 0)
        + 1)
    return {
      'total': len(rules),
      'by_level': levels}

mgr = SigmaManager(
  'rules/')
stats = mgr.stats()
print(
  f'Total rules: '
  f'{stats["total"]}')
for lv, ct in (
  stats['by_level']
  .items()
):
  print(f'  {lv}: {ct}')

query = mgr.convert(
  'powershell.yml',
  'splunk')
print(query)

Advanced Tips

Use Sigma modifiers like contains, endswith, and regex for flexible field matching patterns. Organize rules by MITRE ATT&CK technique tags for coverage mapping against the attack framework. Test converted rules against known malicious and benign log samples to verify detection accuracy.

When to Use It?

Use Cases

Write a Sigma rule to detect encoded PowerShell execution across any SIEM platform. Convert a repository of Sigma rules to Splunk queries for deployment to a SOC environment. Audit detection coverage by mapping existing Sigma rules to MITRE ATT&CK techniques.

Related Topics

Sigma rules, SIEM, detection engineering, threat hunting, MITRE ATT&CK, log analysis, and security monitoring.

Important Notes

Requirements

Sigma CLI tool installed for rule conversion and validation. Understanding of log source categories and field naming conventions. Target SIEM platform for deploying converted detection queries.

Usage Recommendations

Do: tag rules with MITRE ATT&CK identifiers for coverage tracking. Test rules against both malicious and benign samples before deploying to production. Document false positive sources in each rule for analyst reference during triage.

Don't: deploy rules without testing since overly broad patterns generate excessive false positives. Assume converted queries work identically across all SIEM platforms since field mappings may differ. Write rules targeting specific log formats without using the logsource abstraction layer.

Limitations

Rule conversion quality depends on the availability of field mappings for the target SIEM platform. Complex detection logic using aggregations or temporal conditions may not convert cleanly to all backends. Sigma rules detect known patterns and cannot identify novel attack techniques without rule updates.