Introduction to SIGMA

SIGMA is an open standard for writing detection rules in a vendor-agnostic format. Think of it as "YARA for logs" - one rule format that can be converted to any SIEM.

Why SIGMA?

Before SIGMA, detection rules were written in proprietary formats:

Splunk SPL
Elastic Query DSL
Microsoft KQL
Sumo Logic queries

This created problems:

Rules couldn't be shared across tools
Changing SIEMs meant rewriting everything
Community rules were fragmented

SIGMA solves this with a universal format.

SIGMA Rule Structure

Every SIGMA rule has the same basic structure:

title: Suspicious PowerShell Download
status: experimental
description: Detects PowerShell downloading files from the internet
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'wget'
            - 'curl'
            - 'DownloadFile'
        Image|endswith: '\powershell.exe'
    condition: selection
level: medium
tags:
    - attack.execution
    - attack.t1059.001

Key Components

Title & Status

title: Clear, descriptive name
status: experimental, test, stable, or deprecated

Description

Explain what the rule detects and why it matters.

Logsource

Defines what logs this rule applies to:

category: process_creation, network_connection, file_event, etc.
product: windows, linux, macos, aws, etc.
service: sysmon, security, powershell, etc.

Detection

The actual detection logic:

selection: Define patterns to match
filter: Define patterns to exclude
condition: Combine selections and filters with AND/OR/NOT

Modifiers

SIGMA supports modifiers to match patterns:

|contains: Field contains the value
|endswith: Field ends with the value
|startswith: Field starts with the value
|re: Regular expression match

Level

Severity of the detection:

low: Informational, might be interesting
medium: Worth investigating
high: Likely malicious
critical: Almost certainly an attack

Converting SIGMA Rules

The power of SIGMA is conversion. The sigma-cli tool converts rules to:

Splunk SPL
Elastic Query DSL
Microsoft Sentinel KQL
Chronicle YARA-L
And many more...

sigma convert -t splunk -p sysmon rule.yml

Writing Good SIGMA Rules

Be specific: Avoid overly broad patterns
Document well: Future you will thank you
Consider performance: Avoid expensive operations
Test thoroughly: Validate before deployment
Use standard fields: Stick to normalized field names

Key Takeaways

SIGMA is a vendor-agnostic detection rule format
Rules include logsource, detection logic, and metadata
Modifiers like |contains and |endswith enable pattern matching
SIGMA rules can be converted to any SIEM format

Introduction to SIGMA

SIGMA is an open standard for writing detection rules in a vendor-agnostic format. Think of it as "YARA for logs" - one rule format that can be converted to any SIEM.

Why SIGMA?

Before SIGMA, detection rules were written in proprietary formats:

Splunk SPL
Elastic Query DSL
Microsoft KQL
Sumo Logic queries

This created problems:

Rules couldn't be shared across tools
Changing SIEMs meant rewriting everything
Community rules were fragmented

SIGMA solves this with a universal format.

SIGMA Rule Structure

Every SIGMA rule has the same basic structure:

title: Suspicious PowerShell Download
status: experimental
description: Detects PowerShell downloading files from the internet
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'wget'
            - 'curl'
            - 'DownloadFile'
        Image|endswith: '\powershell.exe'
    condition: selection
level: medium
tags:
    - attack.execution
    - attack.t1059.001

Key Components

Title & Status

title: Clear, descriptive name
status: experimental, test, stable, or deprecated

Description

Explain what the rule detects and why it matters.

Logsource

Defines what logs this rule applies to:

category: process_creation, network_connection, file_event, etc.
product: windows, linux, macos, aws, etc.
service: sysmon, security, powershell, etc.

Detection

The actual detection logic:

selection: Define patterns to match
filter: Define patterns to exclude
condition: Combine selections and filters with AND/OR/NOT

Modifiers

SIGMA supports modifiers to match patterns:

|contains: Field contains the value
|endswith: Field ends with the value
|startswith: Field starts with the value
|re: Regular expression match

Level

Severity of the detection:

low: Informational, might be interesting
medium: Worth investigating
high: Likely malicious
critical: Almost certainly an attack

Converting SIGMA Rules

The power of SIGMA is conversion. The sigma-cli tool converts rules to:

Splunk SPL
Elastic Query DSL
Microsoft Sentinel KQL
Chronicle YARA-L
And many more...

sigma convert -t splunk -p sysmon rule.yml

Writing Good SIGMA Rules

Be specific: Avoid overly broad patterns
Document well: Future you will thank you
Consider performance: Avoid expensive operations
Test thoroughly: Validate before deployment
Use standard fields: Stick to normalized field names

Key Takeaways

SIGMA is a vendor-agnostic detection rule format
Rules include logsource, detection logic, and metadata
Modifiers like |contains and |endswith enable pattern matching
SIGMA rules can be converted to any SIEM format

Introduction to SIGMA

Introduction to SIGMA

Why SIGMA?

SIGMA Rule Structure

Key Components

Title & Status

Description

Logsource

Detection

Modifiers

Level

Tags

Converting SIGMA Rules

Writing Good SIGMA Rules

Key Takeaways

Introduction to SIGMA

Introduction to SIGMA

Why SIGMA?

SIGMA Rule Structure

Key Components

Title & Status

Description

Logsource

Detection

Modifiers

Level

Tags

Converting SIGMA Rules

Writing Good SIGMA Rules

Key Takeaways