Loopus


Writing Sigma Rules

Lab · 40 min · +70 XP

Learning Objectives

  • Write Sigma rules for common detection scenarios
  • Understand detection logic and field selection
  • Convert Sigma rules to SIEM-specific formats

Writing Sigma Rules

Sigma is a generic, vendor-neutral signature format for log-based detections. Write the detection logic once in Sigma, then convert it to the query language of any supported SIEM. That portability is what lets organizations develop detections once and share them across platforms.

Sigma Rule Structure

Every Sigma rule has required sections:

title - A brief, descriptive name
status - Production readiness (experimental, test, stable)
logsource - What data the rule analyzes (product, service, category)
detection - The actual detection logic

Optional sections add context: description, references, author, date, modified, tags, level, falsepositives.

Detection Logic

Detection logic combines selections and conditions:

detection:
    selection:
        EventID: 4688
        CommandLine|contains:
            - 'whoami'
            - 'net user'
            - 'net group'
    condition: selection

This detects account-reconnaissance commands by matching Windows process-creation events (Event ID 4688) whose command line contains any of the listed strings. A list of values matches if any one value matches, unless the all modifier is applied.

Modifiers extend matching:

  • contains: substring matching
  • endswith/startswith: position matching
  • re: regular expressions
  • all: all values must match (instead of any)

Conditions combine selections:

  • selection1 and selection2
  • selection1 or (selection2 and selection3)
  • selection1 and not filter

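To make the selection, modifier and condition semantics concrete, the following Python example (added here, not part of the lesson) evaluates the detection block above, extended with a hypothetical filter selection, against constructed process-creation events. It assumes the YAML has already been loaded into a dict; the filter, the User field and the sample events are all constructed.

```python
import re

# Constructed rule: the lesson's detection block as a Python dict (what yaml.safe_load
# returns), extended with a hypothetical 'filter' selection for machine accounts.
RULE = {"detection": {
    "selection": {"EventID": 4688,
                  "CommandLine|contains": ["whoami", "net user", "net group"]},
    "filter": {"User|endswith": "$"},
    "condition": "selection and not filter",
}}

def field_matches(value, modifiers, patterns):
    """Apply modifiers to one field; matching is case-insensitive, list values OR'd unless 'all'."""
    if value is None: return False
    patterns = patterns if isinstance(patterns, list) else [patterns]
    v, mods = str(value).lower(), set(modifiers)
    def one(p):
        if "re" in mods:
            return re.search(str(p), str(value)) is not None  # regex keeps case
        p = str(p).lower()
        if "contains" in mods: return p in v
        if "startswith" in mods: return v.startswith(p)
        if "endswith" in mods: return v.endswith(p)
        return v == p
    hits = [one(p) for p in patterns]
    return all(hits) if "all" in mods else any(hits)

def selection_matches(selection, event):
    """Fields inside one selection are implicitly AND'd; 'Field|mod1|mod2' carries modifiers."""
    return all(field_matches(event.get(key.split("|")[0]), key.split("|")[1:], pats)
               for key, pats in selection.items())

def eval_condition(condition, results):
    """Combine selection results; every token is checked against the rule's own names before eval."""
    for tok in re.findall(r"\(|\)|[^\s()]+", condition):
        if tok not in ("and", "or", "not", "(", ")") and tok not in results:
            raise ValueError(f"unsupported condition token: {tok}")
    return bool(eval(condition, {"__builtins__": {}}, dict(results)))

def rule_matches(rule, event):
    det = rule["detection"]
    results = {n: selection_matches(s, event) for n, s in det.items() if n != "condition"}
    return eval_condition(det["condition"], results)

EVENTS = [  # constructed sample process-creation events, not real log data
    {"EventID": 4688, "CommandLine": "cmd.exe /c whoami /all", "User": "CORP\\alice"},
    {"EventID": 4688, "CommandLine": "net user admin", "User": "WS01$"},  # filtered out
    {"EventID": 4688, "CommandLine": "notepad.exe", "User": "CORP\\bob"},
    {"EventID": 1, "CommandLine": "whoami", "User": "CORP\\bob"},  # wrong EventID
]
```

Only the first event fires: the second matches the selection but is removed by the filter, which is exactly the selection1 and not filter pattern listed above.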
Common Detection Patterns

Process execution - Match on command lines, process names, or parent-child relationships
Network connections - Match on destinations, ports, or patterns
File operations - Match on file paths, names, or hashes
Registry modifications - Match on keys and values
Authentication events - Match on users, sources, or outcomes

Conversion to SIEM

Sigma rules convert to platform-specific formats using sigmac or pySigma:

sigmac -t splunk -c sysmon rule.yml

This produces a Splunk SPL search from the rule, using the sysmon backend configuration to map the rule's log source and fields. Converters exist for Splunk, Elastic, Microsoft Sentinel, QRadar, and many others.

Backend configurations map Sigma log sources to platform-specific indexes and field names. Customize these for your environment.

Questions

  1. (Knowledge) How do Sigma detections work? Answer: 9 characters, exact match required.
  2. (Hands-On) What section defines the search logic in Sigma? Answer: 9 characters, exact match required.
  3. (Knowledge) What are Sigma modifiers? Answer: 8 characters, exact match required.
  4. (Hands-On) What Sigma feature refines field matching? Answer: 9 characters, exact match required.