Sigma Cheatsheet¶
Sigma is a generic and open signature format that allows you to describe log events in a straightforward manner. It enables security analysts to write detection rules once and convert them to various SIEM formats, making threat detection portable across different security platforms.
## Installation and Setup
### Python Installation
**Install Sigma Tools:**
**Install from Source:**
### Docker Installation
**Docker Setup:**
## Sigma Rule Structure
### Basic Rule Format
**Standard Sigma Rule:**
### Rule Components
**Metadata Fields:**
**Log Source Definition:**
**Detection Logic:**
## Detection Patterns
### Selection Patterns
**Basic Selection:**
**Multiple Selections:**
**Keyword Lists:**
### Field Modifiers
**String Modifiers:**
### Advanced Conditions
**Complex Logic:**
**Aggregation Conditions:**
**Time-based Conditions:**
## Rule Categories
### Process Creation Rules
**Suspicious Process Execution:**
**Command Line Analysis:**
### Network Connection Rules
**Suspicious Outbound Connections:**
### File System Rules
**Suspicious File Creation:**
### Registry Rules
**Registry Persistence:**
## Conversion and Deployment
### Convert Rules to SIEM Formats
**Splunk Conversion:**
**Elastic/ECS Conversion:**
**QRadar Conversion:**
**Microsoft Sentinel Conversion:**
### Backend Configurations
**Custom Backend Config:**
**Field Mapping:**
## Rule Development
### Testing Rules
**Rule Validation:**
**Rule Testing:**
### Rule Optimization
**Performance Optimization:**
**Reduce False Positives:**
## Rule Management
### Rule Collections
**Organize Rules by Category:**
**Rule Metadata Management:**
### Version Control
**Git Workflow:**
**Rule Review Process:**
## Integration Examples
### CI/CD Pipeline
**GitHub Actions Workflow:**
### SIEM Integration
**Splunk Integration:**
**Elasticsearch Integration:**
## Advanced Features
### Aggregation Rules
**Count-based Detection:**
**Statistical Analysis:**
### Correlation Rules
**Multi-stage Attack Detection:**
### Custom Functions
**Custom Detection Logic:**
## Troubleshooting
### Common Issues
**Rule Validation Errors:**
**Conversion Problems:**
**Performance Issues:**
### Debugging
**Debug Mode:**
**Rule Analysis:**
# Install via pip
pip install sigma-cli
# Install with all dependencies
pip install sigma-cli[all]
# Install development version
pip install git+https://github.com/SigmaHQ/sigma.git
# Verify installation
sigma --version
# Clone repository
git clone https://github.com/SigmaHQ/sigma.git
cd sigma
# Install in development mode
pip install -e .
# Install with optional dependencies
pip install -e .[test,dev]
# Pull Sigma Docker image
docker pull sigmahq/sigma
# Run Sigma in container
docker run --rm -v $(pwd):/data sigmahq/sigma convert -t splunk /data/rules/
# Create alias for convenience
alias sigma='docker run --rm -v $(pwd):/data sigmahq/sigma'
title: Suspicious PowerShell Execution
id: 12345678-1234-1234-1234-123456789012
status: experimental
description: Detects suspicious PowerShell command execution
author: Security Team
date: 2023/01/15
modified: 2023/01/20
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\powershell.exe'
CommandLine|contains:
- '-EncodedCommand'
- '-WindowStyle Hidden'
- 'DownloadString'
condition: selection
falsepositives:
- Legitimate administrative scripts
level: medium
# Required fields
title: "Rule Title"
id: "unique-uuid-here"
status: experimental|test|stable
description: "Detailed description"
# Optional metadata
author: "Author Name"
date: 2023/01/15
modified: 2023/01/20
references:
- https://attack.mitre.org/techniques/T1059/001/
tags:
- attack.execution
- attack.t1059.001
level: low|medium|high|critical
logsource:
category: process_creation
product: windows
service: sysmon
definition: "Sysmon Event ID 1"
detection:
selection1:
EventID: 1
Image|endswith: '\cmd.exe'
selection2:
CommandLine|contains:
- 'whoami'
- 'net user'
condition: selection1 and selection2
detection:
selection:
EventID: 4624
LogonType: 3
TargetUserName: 'administrator'
condition: selection
detection:
sel_process:
Image|endswith: '\powershell.exe'
sel_command:
CommandLine|contains:
- 'Invoke-Expression'
- 'IEX'
condition: sel_process and sel_command
detection:
selection:
# Contains substring
CommandLine|contains: 'malware'
# Starts with
Image|startswith: 'C:\Temp\'
# Ends with
FileName|endswith: '.exe'
# Case insensitive
ProcessName|contains|all:
- 'cmd'
- 'powershell'
# Regular expression
CommandLine|re: '.*\.(exe|bat|cmd)
**Numeric Modifiers:**
```yaml
detection:
selection:
# Less than
ProcessId|lt: 1000
# Greater than
FileSize|gt: 1048576
# Greater than or equal
EventID|gte: 4624
# Less than or equal
LogonType|lte: 10
detection:
sel_suspicious_process:
Image|endswith:
- '\powershell.exe'
- '\cmd.exe'
sel_suspicious_args:
CommandLine|contains:
- '-EncodedCommand'
- 'DownloadString'
sel_network:
DestinationPort:
- 80
- 443
condition: sel_suspicious_process and sel_suspicious_args and sel_network
detection:
selection:
EventID: 4625
TargetUserName: '*'
condition: selection|count(TargetUserName) by SourceNetworkAddress > 10
detection:
selection:
EventID: 4624
LogonType: 3
condition: selection|count() by TargetUserName > 5|timeframe 5m
title: Suspicious Process in Temp Directory
logsource:
category: process_creation
product: windows
detection:
selection:
Image|startswith:
- 'C:\Temp\'
- 'C:\Users\*\AppData\Local\Temp\'
Image|endswith: '.exe'
condition: selection
level: medium
title: Encoded PowerShell Command
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\powershell.exe'
CommandLine|contains: '-EncodedCommand'
condition: selection
level: high
title: Connection to Suspicious Domain
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationHostname|endswith:
- '.tk'
- '.ml'
- '.ga'
condition: selection
level: medium
title: Executable in Startup Folder
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains: '\Startup\'
TargetFilename|endswith: '.exe'
condition: selection
level: high
title: Registry Run Key Modification
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains:
- '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\'
- '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\'
condition: selection
level: medium
# Convert single rule
sigma convert -t splunk rule.yml
# Convert multiple rules
sigma convert -t splunk rules/*.yml
# Convert with custom config
sigma convert -t splunk -c splunk-windows.yml rule.yml
# Output to file
sigma convert -t splunk rule.yml -o splunk_query.txt
# Convert to Elasticsearch Query DSL
sigma convert -t elasticsearch rule.yml
# Convert to ECS format
sigma convert -t elasticsearch -c ecs-cloudtrail.yml rule.yml
# Convert to Kibana
sigma convert -t kibana rule.yml
# Convert to QRadar AQL
sigma convert -t qradar rule.yml
# Convert with field mapping
sigma convert -t qradar -c qradar-fields.yml rule.yml
# Convert to KQL
sigma convert -t microsoft365defender rule.yml
# Convert to Azure Sentinel
sigma convert -t azure-sentinel rule.yml
# splunk-custom.yml
title: Custom Splunk Configuration
order: 20
backends:
- splunk
logsources:
windows:
category: process_creation
conditions:
EventID: 1
rewrite:
product: windows
service: sysmon
fieldmappings:
Image: process_name
CommandLine: process_command_line
ProcessId: process_id
# field-mapping.yml
title: Custom Field Mapping
fieldmappings:
# Windows Security Events
EventID: event_id
TargetUserName: user_name
SourceNetworkAddress: src_ip
DestinationPort: dest_port
# Sysmon Events
Image: process_path
CommandLine: command_line
ProcessId: pid
ParentProcessId: ppid
# Validate rule syntax
sigma check rule.yml
# Validate multiple rules
sigma check rules/*.yml
# Check with specific backend
sigma check -t splunk rule.yml
# Verbose validation
sigma check -v rule.yml
# Test conversion
sigma convert -t splunk rule.yml --dry-run
# Test with sample data
sigma test rule.yml --data sample_logs.json
# Debug rule logic
sigma convert -t splunk rule.yml --debug
# Use specific field matches instead of wildcards
detection:
selection:
# Good - specific match
EventID: 4624
LogonType: 3
# Avoid - too broad
# EventData|contains: 'logon'
condition: selection
detection:
selection:
Image|endswith: '\powershell.exe'
CommandLine|contains: 'DownloadString'
filter:
User|contains: 'SYSTEM'
ParentImage|endswith: '\services.exe'
condition: selection and not filter
rules/
├── windows/
│ ├── process_creation/
│ ├── network_connection/
│ ├── file_event/
│ └── registry_event/
├── linux/
│ ├── process_creation/
│ └── network_connection/
└── cloud/
├── aws/
├── azure/
└── gcp/
# Use consistent tagging
tags:
- attack.execution
- attack.t1059.001
- detection.emerging_threats
- platform.windows
- data_source.process_monitoring
# Create feature branch for new rule
git checkout -b feature/new-detection-rule
# Add rule file
git add rules/windows/process_creation/suspicious_powershell.yml
# Commit with descriptive message
git commit -m "Add detection for suspicious PowerShell execution"
# Push and create pull request
git push origin feature/new-detection-rule
# Validate before commit
sigma check rules/windows/process_creation/*.yml
# Test conversion to target SIEM
sigma convert -t splunk rules/windows/process_creation/new_rule.yml
# Check for duplicates
grep -r "title:" rules/|grep "Suspicious PowerShell"
name: Sigma Rule Validation
on: [push, pull_request]
jobs:
validate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Setup Python
uses: actions/setup-python@v2
with:
python-version: '3.9'
- name: Install Sigma
run: pip install sigma-cli
- name: Validate Rules
run:|
find rules/ -name "*.yml" -exec sigma check \{\} \;
- name: Test Conversions
run:|
sigma convert -t splunk rules/windows/process_creation/*.yml
sigma convert -t elasticsearch rules/linux/process_creation/*.yml
#!/bin/bash
# deploy-to-splunk.sh
RULES_DIR="rules/windows"
SPLUNK_CONFIG="configs/splunk-windows.yml"
OUTPUT_DIR="splunk_searches"
# Convert rules to Splunk
for rule in $RULES_DIR/*.yml; do
rule_name=$(basename "$rule" .yml)
sigma convert -t splunk -c $SPLUNK_CONFIG "$rule" > "$OUTPUT_DIR/$\{rule_name\}.spl"
done
# Deploy to Splunk via REST API
for search in $OUTPUT_DIR/*.spl; do
search_name=$(basename "$search" .spl)
curl -k -u admin:password \
-d "name=$search_name" \
-d "search=$(cat $search)" \
https://splunk:8089/services/saved/searches
done
import os
import yaml
from elasticsearch import Elasticsearch
from sigma.cli.convert import convert_rule
def deploy_sigma_rules_to_elasticsearch():
"""Deploy Sigma rules as Elasticsearch Watcher alerts"""
es = Elasticsearch(['localhost:9200'])
rules_dir = 'rules/linux'
for rule_file in os.listdir(rules_dir):
if rule_file.endswith('.yml'):
rule_path = os.path.join(rules_dir, rule_file)
# Convert Sigma rule to Elasticsearch query
es_query = convert_rule(rule_path, 'elasticsearch')
# Create Watcher alert
with open(rule_path, 'r') as f:
rule_data = yaml.safe_load(f)
watcher_config = \{
"trigger": \{
"schedule": \{"interval": "5m"\}
\},
"input": \{
"search": \{
"request": \{
"search_type": "query_then_fetch",
"indices": ["logs-*"],
"body": \{
"query": es_query
\}
\}
\}
\},
"condition": \{
"compare": \{
"ctx.payload.hits.total": \{"gt": 0\}
\}
\},
"actions": \{
"log_alert": \{
"logging": \{
"text": f"Sigma rule triggered: \{rule_data['title']\}"
\}
\}
\}
\}
# Deploy to Elasticsearch
rule_id = rule_data['id']
es.watcher.put_watch(id=rule_id, body=watcher_config)
title: Multiple Failed Logons
logsource:
category: authentication
product: windows
detection:
selection:
EventID: 4625
TargetUserName: '*'
condition: selection|count(TargetUserName) by SourceNetworkAddress > 5
timeframe: 5m
level: medium
title: Unusual Process Execution Volume
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\powershell.exe'
condition: selection|count() by Computer > avg(count()) * 3
timeframe: 1h
level: medium
title: Credential Dumping Followed by Lateral Movement
logsource:
category: process_creation
product: windows
detection:
stage1:
Image|endswith: '\mimikatz.exe'
CommandLine|contains: 'sekurlsa::logonpasswords'
stage2:
Image|endswith: '\psexec.exe'
CommandLine|contains: '\\\\*'
condition: stage1 followed by stage2
timeframe: 30m
level: high
title: Entropy-based Suspicious String Detection
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine: '*'
condition: selection|entropy(CommandLine) > 6.5
level: medium
# Check YAML syntax
python -c "import yaml; yaml.safe_load(open('rule.yml'))"
# Validate Sigma rule structure
sigma check rule.yml -v
# Check field mappings
sigma convert -t splunk rule.yml --debug
# List available backends
sigma list backends
# Check backend configuration
sigma list modifiers -t splunk
# Test with minimal rule
sigma convert -t splunk -e 'detection: \{selection: \{EventID: 1\}, condition: selection\}'
# Profile rule conversion
time sigma convert -t splunk rules/*.yml
# Check rule complexity
grep -c "condition:" rule.yml
grep -c "|" rule.yml # Count modifiers
# Optimize rule structure
sigma convert -t splunk rule.yml --optimize
This comprehensive Sigma cheatsheet covers rule development, conversion, deployment, and advanced features for effective threat detection across multiple SIEM platforms.
# Base64 encoded
CommandLine|base64offset|contains: 'powershell'
```
Numeric Modifiers: CODE_BLOCK_11
Advanced Conditions¶
Complex Logic: CODE_BLOCK_12
Aggregation Conditions: CODE_BLOCK_13
Time-based Conditions: CODE_BLOCK_14
Rule Categories¶
Process Creation Rules¶
Suspicious Process Execution: CODE_BLOCK_15
Command Line Analysis: CODE_BLOCK_16
Network Connection Rules¶
Suspicious Outbound Connections: CODE_BLOCK_17
File System Rules¶
Suspicious File Creation: CODE_BLOCK_18
Registry Rules¶
Registry Persistence: CODE_BLOCK_19
Conversion and Deployment¶
Convert Rules to SIEM Formats¶
Splunk Conversion: CODE_BLOCK_20
Elastic/ECS Conversion: CODE_BLOCK_21
QRadar Conversion: CODE_BLOCK_22
Microsoft Sentinel Conversion: CODE_BLOCK_23
Backend Configurations¶
Custom Backend Config: CODE_BLOCK_24
Field Mapping: CODE_BLOCK_25
Rule Development¶
Testing Rules¶
Rule Validation: CODE_BLOCK_26
Rule Testing: CODE_BLOCK_27
Rule Optimization¶
Performance Optimization: CODE_BLOCK_28
Reduce False Positives: CODE_BLOCK_29
Rule Management¶
Rule Collections¶
Organize Rules by Category: CODE_BLOCK_30
Rule Metadata Management: CODE_BLOCK_31
Version Control¶
Git Workflow: CODE_BLOCK_32
Rule Review Process: CODE_BLOCK_33
Integration Examples¶
CI/CD Pipeline¶
GitHub Actions Workflow: CODE_BLOCK_34
SIEM Integration¶
Splunk Integration: CODE_BLOCK_35
Elasticsearch Integration: CODE_BLOCK_36
Advanced Features¶
Aggregation Rules¶
Count-based Detection: CODE_BLOCK_37
Statistical Analysis: CODE_BLOCK_38
Correlation Rules¶
Multi-stage Attack Detection: CODE_BLOCK_39
Custom Functions¶
Custom Detection Logic: CODE_BLOCK_40
Troubleshooting¶
Common Issues¶
Rule Validation Errors: CODE_BLOCK_41
Conversion Problems: CODE_BLOCK_42
Performance Issues: CODE_BLOCK_43
Debugging¶
Debug Mode: CODE_BLOCK_44
Rule Analysis: CODE_BLOCK_45