DFIRLab

© 2026 DFIR Lab. All rights reserved.

Sigma Rules

A vendor-agnostic, open standard for writing detection rules that can be converted to any SIEM query language.

Definition

Sigma is an open, generic signature format for describing log-based detections in a human-readable YAML structure. A rule is written once and converted to platform-specific queries (Splunk SPL, Elasticsearch Query DSL, Microsoft Sentinel KQL, and others) using tools such as sigma-cli or pySigma. The format and the public rule collection are maintained by the SigmaHQ organization on GitHub.

Why It Matters

SIEM fragmentation means detection logic is usually locked to a single platform, making sharing and migration expensive. Sigma breaks that lock: a rule written to detect an LSASS credential dump works identically whether your SOC runs Splunk or Sentinel. This makes community-shared detections immediately actionable across any environment.

How It Works

A Sigma rule is a YAML file with standardized fields: title, status, logsource (defining the log category and product), detection (the matching logic with keywords, field filters, and condition), and falsepositives. The logsource block abstracts the underlying data source, while the detection block uses a simple selection/filter/condition grammar. A backend converter maps logsource and field names to the target SIEM's schema and query syntax. Rules can reference MITRE ATT&CK technique IDs in the tags field, enabling coverage mapping. The SigmaHQ repository hosts thousands of community-maintained rules covering Windows, Linux, cloud, and network log sources.
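As an added example (not SigmaHQ or pySigma code), the rule below uses the fields listed above to flag the LSASS access pattern mentioned under Why It Matters, and a small hand-written matcher applies its selection/filter/condition logic to constructed process-access events. The rule is written as a Python dict with the same keys the YAML file would carry; the Sysmon-style field names and the matcher's grammar subset (and/or/not without parentheses) are assumptions, and a real deployment would convert the rule with sigma-cli rather than evaluate it this way.

```python
RULE = {  # same keys as the Sigma YAML file; a dict here only to avoid a YAML dependency
    "title": "LSASS Memory Access From Unusual Source Process",
    "status": "experimental",
    "logsource": {"category": "process_access", "product": "windows"},
    "detection": {
        "selection": {"TargetImage|endswith": "\\lsass.exe"},
        "filter": {"SourceImage|startswith": ["C:\\Windows\\System32\\", "C:\\Program Files\\"]},
        "condition": "selection and not filter",
    },
    "falsepositives": ["Security agents installed outside Program Files"],
    "tags": ["attack.credential_access", "attack.t1003.001"],
}
EVENTS = [  # constructed process-access events; Sysmon-style field names are an assumption
    {"SourceImage": "C:\\Users\\bob\\Downloads\\tool.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
    {"SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
    {"SourceImage": "C:\\Users\\bob\\Downloads\\tool.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe"},
]
# Value modifiers that follow '|' in a field name; no modifier means exact match.
_MODS = {"endswith": str.endswith, "startswith": str.startswith,
         "contains": lambda a, e: e in a, "": str.__eq__}

def _match_map(spec, event):  # a map is AND over its keys; a list value is OR over the values
    for key, expected in spec.items():
        field, _, mod = key.partition("|")
        actual = str(event.get(field, "")).lower()  # Sigma matching is case-insensitive
        values = expected if isinstance(expected, list) else [expected]
        if field not in event or not any(_MODS[mod](actual, str(v).lower()) for v in values):
            return False
    return True

def _eval_condition(cond, results):
    value, op, negate = None, None, False  # left-to-right and/or/not, no parentheses
    for tok in cond.split():
        if tok in ("and", "or"):
            op = tok
        elif tok == "not":
            negate = True
        else:
            v = results[tok] != negate  # 'not' flips the named search result
            value = v if value is None else (value and v if op == "and" else value or v)
            negate = False
    return value

def rule_matches(rule, event):
    results = {k: _match_map(v, event) for k, v in rule["detection"].items() if k != "condition"}
    return _eval_condition(rule["detection"]["condition"], results)

if __name__ == "__main__":
    for e in EVENTS:
        print("ALERT" if rule_matches(RULE, e) else "ok   ", e["SourceImage"], "->", e["TargetImage"])
```

Only the first event fires: it reaches lsass.exe from a source outside the filtered system paths, while the second is excluded by the filter and the third never matches the selection.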

DFIR Platform

AI Detection Rule Generation

DFIR Platform's AI Triage can generate syntactically valid Sigma rules from plain-language behavior descriptions — no rule syntax knowledge required. Describe the suspicious activity and get a ready-to-convert Sigma rule. The same feature generates YARA rules for file-based detections. Detection engineering content including curated rules is published on the dfir-lab.ch research blog.
