Sigma Rule
What is Sigma Rule?
Sigma RuleA vendor-neutral, YAML-based detection signature for log events that can be converted into queries for SIEM, EDR, or XDR back-ends.
Sigma is an open detection-engineering format created by Florian Roth and Thomas Patzke that lets analysts describe log-based detections once and translate them into many SIEM dialects (Splunk SPL, Elastic ESQL, Microsoft Sentinel KQL, Chronicle, etc.) using converters such as pySigma or Sigma CLI. A Sigma rule combines metadata (id, level, MITRE ATT&CK mapping), a logsource (product, service, category) and a detection block with selectors and a condition. The Sigma HQ repository hosts thousands of community rules covering Windows Event Logs, Sysmon, Linux audit, AWS CloudTrail, Okta, and more, supporting portable, sharable detection content.
● Examples
- 01
A Sigma rule detecting suspicious child processes of winword.exe to flag macro-driven malware.
- 02
Converting a Sigma rule with pySigma into Microsoft Sentinel KQL for an analytics rule deployment.
● Frequently asked questions
What is Sigma Rule?
A vendor-neutral, YAML-based detection signature for log events that can be converted into queries for SIEM, EDR, or XDR back-ends. It belongs to the Defense & Operations category of cybersecurity.
What does Sigma Rule mean?
A vendor-neutral, YAML-based detection signature for log events that can be converted into queries for SIEM, EDR, or XDR back-ends.
How does Sigma Rule work?
Sigma is an open detection-engineering format created by Florian Roth and Thomas Patzke that lets analysts describe log-based detections once and translate them into many SIEM dialects (Splunk SPL, Elastic ESQL, Microsoft Sentinel KQL, Chronicle, etc.) using converters such as pySigma or Sigma CLI. A Sigma rule combines metadata (id, level, MITRE ATT&CK mapping), a logsource (product, service, category) and a detection block with selectors and a condition. The Sigma HQ repository hosts thousands of community rules covering Windows Event Logs, Sysmon, Linux audit, AWS CloudTrail, Okta, and more, supporting portable, sharable detection content.
How do you defend against Sigma Rule?
Defences for Sigma Rule typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Sigma Rule?
Common alternative names include: Sigma signature, Sigma format.
● Related terms
- defense-ops№ 1039
SIEM
A platform that aggregates, normalizes and correlates security telemetry from across the enterprise to enable detection, investigation, compliance and reporting.
- compliance№ 687
MITRE ATT&CK
A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.
- defense-ops№ 1147
Threat Hunting
Proactive, hypothesis-driven search through telemetry to uncover threats that have evaded existing detections.
- defense-ops№ 1258
YARA Rule
A textual signature in the YARA language that describes byte, string, or behavioral patterns used to classify and detect malware samples and files.
- forensics-ir№ 627
Log Analysis
The systematic review of system, application, and security logs to detect, investigate, and reconstruct security-relevant events.
- defense-ops№ 371
EDR (Endpoint Detection and Response)
An endpoint security technology that continuously records process, file, registry and network activity to detect, investigate and respond to threats on hosts.
● See also
- № 886Pyramid of Pain
- № 1124Sysmon