Skip to content

Sigma Cheatsheet

Sigma is a generic and open signature format that allows you to describe log events in a straightforward manner. It enables security analysts to write detection rules once and convert them to various SIEM formats, making threat detection portable across different security platforms.

Installation and Setup

Python Installation

Install Sigma Tools:

bash
# Install via pip
pip install sigma-cli

# Install with all dependencies
pip install sigma-cli[all]

# Install development version
pip install git+https://github.com/SigmaHQ/sigma.git

# Verify installation
sigma --version

Install from Source:

bash
# Clone repository
git clone https://github.com/SigmaHQ/sigma.git
cd sigma

# Install in development mode
pip install -e .

# Install with optional dependencies
pip install -e .[test,dev]

Docker Installation

Docker Setup:

bash
# Pull Sigma Docker image
docker pull sigmahq/sigma

# Run Sigma in container
docker run --rm -v $(pwd):/data sigmahq/sigma convert -t splunk /data/rules/

# Create alias for convenience
alias sigma='docker run --rm -v $(pwd):/data sigmahq/sigma'

Sigma Rule Structure

Basic Rule Format

Standard Sigma Rule:

yaml
title: Suspicious PowerShell Execution
id: 12345678-1234-1234-1234-123456789012
status: experimental
description: Detects suspicious PowerShell command execution
author: Security Team
date: 2023/01/15
modified: 2023/01/20
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - '-EncodedCommand'
            - '-WindowStyle Hidden'
            - 'DownloadString'
    condition: selection
falsepositives:
    - Legitimate administrative scripts
level: medium

Rule Components

Metadata Fields:

yaml
# Required fields
title: "Rule Title"
id: "unique-uuid-here"
status: experimental|test|stable
description: "Detailed description"

# Optional metadata
author: "Author Name"
date: 2023/01/15
modified: 2023/01/20
references:
    - https://attack.mitre.org/techniques/T1059/001/
tags:
    - attack.execution
    - attack.t1059.001
level: low|medium|high|critical

Log Source Definition:

yaml
logsource:
    category: process_creation
    product: windows
    service: sysmon
    definition: "Sysmon Event ID 1"

Detection Logic:

yaml
detection:
    selection1:
        EventID: 1
        Image|endswith: '\cmd.exe'
    selection2:
        CommandLine|contains:
            - 'whoami'
            - 'net user'
    condition: selection1 and selection2

Detection Patterns

Selection Patterns

Basic Selection:

yaml
detection:
    selection:
        EventID: 4624
        LogonType: 3
        TargetUserName: 'administrator'
    condition: selection

Multiple Selections:

yaml
detection:
    sel_process:
        Image|endswith: '\powershell.exe'
    sel_command:
        CommandLine|contains:
            - 'Invoke-Expression'
            - 'IEX'
    condition: sel_process and sel_command

Keyword Lists:

yaml
detection:
    keywords:
        - 'mimikatz'
        - 'sekurlsa'
        - 'kerberos'
    condition: keywords

Field Modifiers

String Modifiers:

yaml
detection:
    selection:
        # Contains substring
        CommandLine|contains: 'malware'
        
        # Starts with
        Image|startswith: 'C:\Temp\'
        
        # Ends with
        FileName|endswith: '.exe'
        
        # Case insensitive
        ProcessName|contains|all:
            - 'cmd'
            - 'powershell'
        
        # Regular expression
        CommandLine|re: '.*\.(exe|bat|cmd)$'
        
        # Base64 encoded
        CommandLine|base64offset|contains: 'powershell'

Numeric Modifiers:

yaml
detection:
    selection:
        # Less than
        ProcessId|lt: 1000
        
        # Greater than
        FileSize|gt: 1048576
        
        # Greater than or equal
        EventID|gte: 4624
        
        # Less than or equal
        LogonType|lte: 10

Advanced Conditions

Complex Logic:

yaml
detection:
    sel_suspicious_process:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
    sel_suspicious_args:
        CommandLine|contains:
            - '-EncodedCommand'
            - 'DownloadString'
    sel_network:
        DestinationPort:
            - 80
            - 443
    condition: sel_suspicious_process and sel_suspicious_args and sel_network

Aggregation Conditions:

yaml
detection:
    selection:
        EventID: 4625
        TargetUserName: '*'
    condition: selection | count(TargetUserName) by SourceNetworkAddress > 10

Time-based Conditions:

yaml
detection:
    selection:
        EventID: 4624
        LogonType: 3
    condition: selection | count() by TargetUserName > 5 | timeframe 5m

Rule Categories

Process Creation Rules

Suspicious Process Execution:

yaml
title: Suspicious Process in Temp Directory
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|startswith:
            - 'C:\Temp\'
            - 'C:\Users\*\AppData\Local\Temp\'
        Image|endswith: '.exe'
    condition: selection
level: medium

Command Line Analysis:

yaml
title: Encoded PowerShell Command
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains: '-EncodedCommand'
    condition: selection
level: high

Network Connection Rules

Suspicious Outbound Connections:

yaml
title: Connection to Suspicious Domain
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - '.tk'
            - '.ml'
            - '.ga'
    condition: selection
level: medium

File System Rules

Suspicious File Creation:

yaml
title: Executable in Startup Folder
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: '\Startup\'
        TargetFilename|endswith: '.exe'
    condition: selection
level: high

Registry Rules

Registry Persistence:

yaml
title: Registry Run Key Modification
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\'
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\'
    condition: selection
level: medium

Conversion and Deployment

Convert Rules to SIEM Formats

Splunk Conversion:

bash
# Convert single rule
sigma convert -t splunk rule.yml

# Convert multiple rules
sigma convert -t splunk rules/*.yml

# Convert with custom config
sigma convert -t splunk -c splunk-windows.yml rule.yml

# Output to file
sigma convert -t splunk rule.yml -o splunk_query.txt

Elastic/ECS Conversion:

bash
# Convert to Elasticsearch Query DSL
sigma convert -t elasticsearch rule.yml

# Convert to ECS format
sigma convert -t elasticsearch -c ecs-cloudtrail.yml rule.yml

# Convert to Kibana
sigma convert -t kibana rule.yml

QRadar Conversion:

bash
# Convert to QRadar AQL
sigma convert -t qradar rule.yml

# Convert with field mapping
sigma convert -t qradar -c qradar-fields.yml rule.yml

Microsoft Sentinel Conversion:

bash
# Convert to KQL
sigma convert -t microsoft365defender rule.yml

# Convert to Azure Sentinel
sigma convert -t azure-sentinel rule.yml

Backend Configurations

Custom Backend Config:

yaml
# splunk-custom.yml
title: Custom Splunk Configuration
order: 20
backends:
  - splunk
logsources:
  windows:
    category: process_creation
    conditions:
      EventID: 1
    rewrite:
      product: windows
      service: sysmon
fieldmappings:
  Image: process_name
  CommandLine: process_command_line
  ProcessId: process_id

Field Mapping:

yaml
# field-mapping.yml
title: Custom Field Mapping
fieldmappings:
  # Windows Security Events
  EventID: event_id
  TargetUserName: user_name
  SourceNetworkAddress: src_ip
  DestinationPort: dest_port
  
  # Sysmon Events
  Image: process_path
  CommandLine: command_line
  ProcessId: pid
  ParentProcessId: ppid

Rule Development

Testing Rules

Rule Validation:

bash
# Validate rule syntax
sigma check rule.yml

# Validate multiple rules
sigma check rules/*.yml

# Check with specific backend
sigma check -t splunk rule.yml

# Verbose validation
sigma check -v rule.yml

Rule Testing:

bash
# Test conversion
sigma convert -t splunk rule.yml --dry-run

# Test with sample data
sigma test rule.yml --data sample_logs.json

# Debug rule logic
sigma convert -t splunk rule.yml --debug

Rule Optimization

Performance Optimization:

yaml
# Use specific field matches instead of wildcards
detection:
    selection:
        # Good - specific match
        EventID: 4624
        LogonType: 3
        
        # Avoid - too broad
        # EventData|contains: 'logon'
    condition: selection

Reduce False Positives:

yaml
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains: 'DownloadString'
    filter:
        User|contains: 'SYSTEM'
        ParentImage|endswith: '\services.exe'
    condition: selection and not filter

Rule Management

Rule Collections

Organize Rules by Category:

bash
rules/
├── windows/
   ├── process_creation/
   ├── network_connection/
   ├── file_event/
   └── registry_event/
├── linux/
   ├── process_creation/
   └── network_connection/
└── cloud/
    ├── aws/
    ├── azure/
    └── gcp/

Rule Metadata Management:

yaml
# Use consistent tagging
tags:
    - attack.execution
    - attack.t1059.001
    - detection.emerging_threats
    - platform.windows
    - data_source.process_monitoring

Version Control

Git Workflow:

bash
# Create feature branch for new rule
git checkout -b feature/new-detection-rule

# Add rule file
git add rules/windows/process_creation/suspicious_powershell.yml

# Commit with descriptive message
git commit -m "Add detection for suspicious PowerShell execution"

# Push and create pull request
git push origin feature/new-detection-rule

Rule Review Process:

bash
# Validate before commit
sigma check rules/windows/process_creation/*.yml

# Test conversion to target SIEM
sigma convert -t splunk rules/windows/process_creation/new_rule.yml

# Check for duplicates
grep -r "title:" rules/ | grep "Suspicious PowerShell"

Integration Examples

CI/CD Pipeline

GitHub Actions Workflow:

yaml
name: Sigma Rule Validation
on: [push, pull_request]

jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      
      - name: Setup Python
        uses: actions/setup-python@v2
        with:
          python-version: '3.9'
          
      - name: Install Sigma
        run: pip install sigma-cli
        
      - name: Validate Rules
        run: |
          find rules/ -name "*.yml" -exec sigma check {} \;
          
      - name: Test Conversions
        run: |
          sigma convert -t splunk rules/windows/process_creation/*.yml
          sigma convert -t elasticsearch rules/linux/process_creation/*.yml

SIEM Integration

Splunk Integration:

bash
#!/bin/bash
# deploy-to-splunk.sh

RULES_DIR="rules/windows"
SPLUNK_CONFIG="configs/splunk-windows.yml"
OUTPUT_DIR="splunk_searches"

# Convert rules to Splunk
for rule in $RULES_DIR/*.yml; do
    rule_name=$(basename "$rule" .yml)
    sigma convert -t splunk -c $SPLUNK_CONFIG "$rule" > "$OUTPUT_DIR/${rule_name}.spl"
done

# Deploy to Splunk via REST API
for search in $OUTPUT_DIR/*.spl; do
    search_name=$(basename "$search" .spl)
    curl -k -u admin:password \
         -d "name=$search_name" \
         -d "search=$(cat $search)" \
         https://splunk:8089/services/saved/searches
done

Elasticsearch Integration:

python
import os
import yaml
from elasticsearch import Elasticsearch
from sigma.cli.convert import convert_rule

def deploy_sigma_rules_to_elasticsearch():
    """Deploy Sigma rules as Elasticsearch Watcher alerts"""
    es = Elasticsearch(['localhost:9200'])
    
    rules_dir = 'rules/linux'
    for rule_file in os.listdir(rules_dir):
        if rule_file.endswith('.yml'):
            rule_path = os.path.join(rules_dir, rule_file)
            
            # Convert Sigma rule to Elasticsearch query
            es_query = convert_rule(rule_path, 'elasticsearch')
            
            # Create Watcher alert
            with open(rule_path, 'r') as f:
                rule_data = yaml.safe_load(f)
            
            watcher_config = {
                "trigger": {
                    "schedule": {"interval": "5m"}
                },
                "input": {
                    "search": {
                        "request": {
                            "search_type": "query_then_fetch",
                            "indices": ["logs-*"],
                            "body": {
                                "query": es_query
                            }
                        }
                    }
                },
                "condition": {
                    "compare": {
                        "ctx.payload.hits.total": {"gt": 0}
                    }
                },
                "actions": {
                    "log_alert": {
                        "logging": {
                            "text": f"Sigma rule triggered: {rule_data['title']}"
                        }
                    }
                }
            }
            
            # Deploy to Elasticsearch
            rule_id = rule_data['id']
            es.watcher.put_watch(id=rule_id, body=watcher_config)

Advanced Features

Aggregation Rules

Count-based Detection:

yaml
title: Multiple Failed Logons
logsource:
    category: authentication
    product: windows
detection:
    selection:
        EventID: 4625
        TargetUserName: '*'
    condition: selection | count(TargetUserName) by SourceNetworkAddress > 5
timeframe: 5m
level: medium

Statistical Analysis:

yaml
title: Unusual Process Execution Volume
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
    condition: selection | count() by Computer > avg(count()) * 3
timeframe: 1h
level: medium

Correlation Rules

Multi-stage Attack Detection:

yaml
title: Credential Dumping Followed by Lateral Movement
logsource:
    category: process_creation
    product: windows
detection:
    stage1:
        Image|endswith: '\mimikatz.exe'
        CommandLine|contains: 'sekurlsa::logonpasswords'
    stage2:
        Image|endswith: '\psexec.exe'
        CommandLine|contains: '\\\\*'
    condition: stage1 followed by stage2
timeframe: 30m
level: high

Custom Functions

Custom Detection Logic:

yaml
title: Entropy-based Suspicious String Detection
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine: '*'
    condition: selection | entropy(CommandLine) > 6.5
level: medium

Troubleshooting

Common Issues

Rule Validation Errors:

bash
# Check YAML syntax
python -c "import yaml; yaml.safe_load(open('rule.yml'))"

# Validate Sigma rule structure
sigma check rule.yml -v

# Check field mappings
sigma convert -t splunk rule.yml --debug

Conversion Problems:

bash
# List available backends
sigma list backends

# Check backend configuration
sigma list modifiers -t splunk

# Test with minimal rule
sigma convert -t splunk -e 'detection: {selection: {EventID: 1}, condition: selection}'

Performance Issues:

bash
# Profile rule conversion
time sigma convert -t splunk rules/*.yml

# Check rule complexity
grep -c "condition:" rule.yml
grep -c "|" rule.yml  # Count modifiers

# Optimize rule structure
sigma convert -t splunk rule.yml --optimize

Debugging

Debug Mode:

bash
# Enable debug logging
sigma convert -t splunk rule.yml --debug

# Verbose output
sigma convert -t splunk rule.yml -v

# Dry run mode
sigma convert -t splunk rule.yml --dry-run

Rule Analysis:

bash
# Analyze rule coverage
sigma analyze rules/ --coverage

# Check for duplicates
sigma analyze rules/ --duplicates

# Performance analysis
sigma analyze rules/ --performance

This comprehensive Sigma cheatsheet covers rule development, conversion, deployment, and advanced features for effective threat detection across multiple SIEM platforms.