Appearance
Sigma Cheatsheet
Sigma is a generic and open signature format that allows you to describe log events in a straightforward manner. It enables security analysts to write detection rules once and convert them to various SIEM formats, making threat detection portable across different security platforms.
Installation and Setup
Python Installation
Install Sigma Tools:
bash
# Install via pip
pip install sigma-cli
# Install with all dependencies
pip install sigma-cli[all]
# Install development version
pip install git+https://github.com/SigmaHQ/sigma.git
# Verify installation
sigma --version
Install from Source:
bash
# Clone repository
git clone https://github.com/SigmaHQ/sigma.git
cd sigma
# Install in development mode
pip install -e .
# Install with optional dependencies
pip install -e .[test,dev]
Docker Installation
Docker Setup:
bash
# Pull Sigma Docker image
docker pull sigmahq/sigma
# Run Sigma in container
docker run --rm -v $(pwd):/data sigmahq/sigma convert -t splunk /data/rules/
# Create alias for convenience
alias sigma='docker run --rm -v $(pwd):/data sigmahq/sigma'
Sigma Rule Structure
Basic Rule Format
Standard Sigma Rule:
yaml
title: Suspicious PowerShell Execution
id: 12345678-1234-1234-1234-123456789012
status: experimental
description: Detects suspicious PowerShell command execution
author: Security Team
date: 2023/01/15
modified: 2023/01/20
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\powershell.exe'
CommandLine|contains:
- '-EncodedCommand'
- '-WindowStyle Hidden'
- 'DownloadString'
condition: selection
falsepositives:
- Legitimate administrative scripts
level: medium
Rule Components
Metadata Fields:
yaml
# Required fields
title: "Rule Title"
id: "unique-uuid-here"
status: experimental|test|stable
description: "Detailed description"
# Optional metadata
author: "Author Name"
date: 2023/01/15
modified: 2023/01/20
references:
- https://attack.mitre.org/techniques/T1059/001/
tags:
- attack.execution
- attack.t1059.001
level: low|medium|high|critical
Log Source Definition:
yaml
logsource:
category: process_creation
product: windows
service: sysmon
definition: "Sysmon Event ID 1"
Detection Logic:
yaml
detection:
selection1:
EventID: 1
Image|endswith: '\cmd.exe'
selection2:
CommandLine|contains:
- 'whoami'
- 'net user'
condition: selection1 and selection2
Detection Patterns
Selection Patterns
Basic Selection:
yaml
detection:
selection:
EventID: 4624
LogonType: 3
TargetUserName: 'administrator'
condition: selection
Multiple Selections:
yaml
detection:
sel_process:
Image|endswith: '\powershell.exe'
sel_command:
CommandLine|contains:
- 'Invoke-Expression'
- 'IEX'
condition: sel_process and sel_command
Keyword Lists:
yaml
detection:
keywords:
- 'mimikatz'
- 'sekurlsa'
- 'kerberos'
condition: keywords
Field Modifiers
String Modifiers:
yaml
detection:
selection:
# Contains substring
CommandLine|contains: 'malware'
# Starts with
Image|startswith: 'C:\Temp\'
# Ends with
FileName|endswith: '.exe'
# Case insensitive
ProcessName|contains|all:
- 'cmd'
- 'powershell'
# Regular expression
CommandLine|re: '.*\.(exe|bat|cmd)$'
# Base64 encoded
CommandLine|base64offset|contains: 'powershell'
Numeric Modifiers:
yaml
detection:
selection:
# Less than
ProcessId|lt: 1000
# Greater than
FileSize|gt: 1048576
# Greater than or equal
EventID|gte: 4624
# Less than or equal
LogonType|lte: 10
Advanced Conditions
Complex Logic:
yaml
detection:
sel_suspicious_process:
Image|endswith:
- '\powershell.exe'
- '\cmd.exe'
sel_suspicious_args:
CommandLine|contains:
- '-EncodedCommand'
- 'DownloadString'
sel_network:
DestinationPort:
- 80
- 443
condition: sel_suspicious_process and sel_suspicious_args and sel_network
Aggregation Conditions:
yaml
detection:
selection:
EventID: 4625
TargetUserName: '*'
condition: selection | count(TargetUserName) by SourceNetworkAddress > 10
Time-based Conditions:
yaml
detection:
selection:
EventID: 4624
LogonType: 3
condition: selection | count() by TargetUserName > 5 | timeframe 5m
Rule Categories
Process Creation Rules
Suspicious Process Execution:
yaml
title: Suspicious Process in Temp Directory
logsource:
category: process_creation
product: windows
detection:
selection:
Image|startswith:
- 'C:\Temp\'
- 'C:\Users\*\AppData\Local\Temp\'
Image|endswith: '.exe'
condition: selection
level: medium
Command Line Analysis:
yaml
title: Encoded PowerShell Command
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\powershell.exe'
CommandLine|contains: '-EncodedCommand'
condition: selection
level: high
Network Connection Rules
Suspicious Outbound Connections:
yaml
title: Connection to Suspicious Domain
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationHostname|endswith:
- '.tk'
- '.ml'
- '.ga'
condition: selection
level: medium
File System Rules
Suspicious File Creation:
yaml
title: Executable in Startup Folder
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains: '\Startup\'
TargetFilename|endswith: '.exe'
condition: selection
level: high
Registry Rules
Registry Persistence:
yaml
title: Registry Run Key Modification
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains:
- '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\'
- '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\'
condition: selection
level: medium
Conversion and Deployment
Convert Rules to SIEM Formats
Splunk Conversion:
bash
# Convert single rule
sigma convert -t splunk rule.yml
# Convert multiple rules
sigma convert -t splunk rules/*.yml
# Convert with custom config
sigma convert -t splunk -c splunk-windows.yml rule.yml
# Output to file
sigma convert -t splunk rule.yml -o splunk_query.txt
Elastic/ECS Conversion:
bash
# Convert to Elasticsearch Query DSL
sigma convert -t elasticsearch rule.yml
# Convert to ECS format
sigma convert -t elasticsearch -c ecs-cloudtrail.yml rule.yml
# Convert to Kibana
sigma convert -t kibana rule.yml
QRadar Conversion:
bash
# Convert to QRadar AQL
sigma convert -t qradar rule.yml
# Convert with field mapping
sigma convert -t qradar -c qradar-fields.yml rule.yml
Microsoft Sentinel Conversion:
bash
# Convert to KQL
sigma convert -t microsoft365defender rule.yml
# Convert to Azure Sentinel
sigma convert -t azure-sentinel rule.yml
Backend Configurations
Custom Backend Config:
yaml
# splunk-custom.yml
title: Custom Splunk Configuration
order: 20
backends:
- splunk
logsources:
windows:
category: process_creation
conditions:
EventID: 1
rewrite:
product: windows
service: sysmon
fieldmappings:
Image: process_name
CommandLine: process_command_line
ProcessId: process_id
Field Mapping:
yaml
# field-mapping.yml
title: Custom Field Mapping
fieldmappings:
# Windows Security Events
EventID: event_id
TargetUserName: user_name
SourceNetworkAddress: src_ip
DestinationPort: dest_port
# Sysmon Events
Image: process_path
CommandLine: command_line
ProcessId: pid
ParentProcessId: ppid
Rule Development
Testing Rules
Rule Validation:
bash
# Validate rule syntax
sigma check rule.yml
# Validate multiple rules
sigma check rules/*.yml
# Check with specific backend
sigma check -t splunk rule.yml
# Verbose validation
sigma check -v rule.yml
Rule Testing:
bash
# Test conversion
sigma convert -t splunk rule.yml --dry-run
# Test with sample data
sigma test rule.yml --data sample_logs.json
# Debug rule logic
sigma convert -t splunk rule.yml --debug
Rule Optimization
Performance Optimization:
yaml
# Use specific field matches instead of wildcards
detection:
selection:
# Good - specific match
EventID: 4624
LogonType: 3
# Avoid - too broad
# EventData|contains: 'logon'
condition: selection
Reduce False Positives:
yaml
detection:
selection:
Image|endswith: '\powershell.exe'
CommandLine|contains: 'DownloadString'
filter:
User|contains: 'SYSTEM'
ParentImage|endswith: '\services.exe'
condition: selection and not filter
Rule Management
Rule Collections
Organize Rules by Category:
bash
rules/
├── windows/
│ ├── process_creation/
│ ├── network_connection/
│ ├── file_event/
│ └── registry_event/
├── linux/
│ ├── process_creation/
│ └── network_connection/
└── cloud/
├── aws/
├── azure/
└── gcp/
Rule Metadata Management:
yaml
# Use consistent tagging
tags:
- attack.execution
- attack.t1059.001
- detection.emerging_threats
- platform.windows
- data_source.process_monitoring
Version Control
Git Workflow:
bash
# Create feature branch for new rule
git checkout -b feature/new-detection-rule
# Add rule file
git add rules/windows/process_creation/suspicious_powershell.yml
# Commit with descriptive message
git commit -m "Add detection for suspicious PowerShell execution"
# Push and create pull request
git push origin feature/new-detection-rule
Rule Review Process:
bash
# Validate before commit
sigma check rules/windows/process_creation/*.yml
# Test conversion to target SIEM
sigma convert -t splunk rules/windows/process_creation/new_rule.yml
# Check for duplicates
grep -r "title:" rules/ | grep "Suspicious PowerShell"
Integration Examples
CI/CD Pipeline
GitHub Actions Workflow:
yaml
name: Sigma Rule Validation
on: [push, pull_request]
jobs:
validate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Setup Python
uses: actions/setup-python@v2
with:
python-version: '3.9'
- name: Install Sigma
run: pip install sigma-cli
- name: Validate Rules
run: |
find rules/ -name "*.yml" -exec sigma check {} \;
- name: Test Conversions
run: |
sigma convert -t splunk rules/windows/process_creation/*.yml
sigma convert -t elasticsearch rules/linux/process_creation/*.yml
SIEM Integration
Splunk Integration:
bash
#!/bin/bash
# deploy-to-splunk.sh
RULES_DIR="rules/windows"
SPLUNK_CONFIG="configs/splunk-windows.yml"
OUTPUT_DIR="splunk_searches"
# Convert rules to Splunk
for rule in $RULES_DIR/*.yml; do
rule_name=$(basename "$rule" .yml)
sigma convert -t splunk -c $SPLUNK_CONFIG "$rule" > "$OUTPUT_DIR/${rule_name}.spl"
done
# Deploy to Splunk via REST API
for search in $OUTPUT_DIR/*.spl; do
search_name=$(basename "$search" .spl)
curl -k -u admin:password \
-d "name=$search_name" \
-d "search=$(cat $search)" \
https://splunk:8089/services/saved/searches
done
Elasticsearch Integration:
python
import os
import yaml
from elasticsearch import Elasticsearch
from sigma.cli.convert import convert_rule
def deploy_sigma_rules_to_elasticsearch():
"""Deploy Sigma rules as Elasticsearch Watcher alerts"""
es = Elasticsearch(['localhost:9200'])
rules_dir = 'rules/linux'
for rule_file in os.listdir(rules_dir):
if rule_file.endswith('.yml'):
rule_path = os.path.join(rules_dir, rule_file)
# Convert Sigma rule to Elasticsearch query
es_query = convert_rule(rule_path, 'elasticsearch')
# Create Watcher alert
with open(rule_path, 'r') as f:
rule_data = yaml.safe_load(f)
watcher_config = {
"trigger": {
"schedule": {"interval": "5m"}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": ["logs-*"],
"body": {
"query": es_query
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {"gt": 0}
}
},
"actions": {
"log_alert": {
"logging": {
"text": f"Sigma rule triggered: {rule_data['title']}"
}
}
}
}
# Deploy to Elasticsearch
rule_id = rule_data['id']
es.watcher.put_watch(id=rule_id, body=watcher_config)
Advanced Features
Aggregation Rules
Count-based Detection:
yaml
title: Multiple Failed Logons
logsource:
category: authentication
product: windows
detection:
selection:
EventID: 4625
TargetUserName: '*'
condition: selection | count(TargetUserName) by SourceNetworkAddress > 5
timeframe: 5m
level: medium
Statistical Analysis:
yaml
title: Unusual Process Execution Volume
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\powershell.exe'
condition: selection | count() by Computer > avg(count()) * 3
timeframe: 1h
level: medium
Correlation Rules
Multi-stage Attack Detection:
yaml
title: Credential Dumping Followed by Lateral Movement
logsource:
category: process_creation
product: windows
detection:
stage1:
Image|endswith: '\mimikatz.exe'
CommandLine|contains: 'sekurlsa::logonpasswords'
stage2:
Image|endswith: '\psexec.exe'
CommandLine|contains: '\\\\*'
condition: stage1 followed by stage2
timeframe: 30m
level: high
Custom Functions
Custom Detection Logic:
yaml
title: Entropy-based Suspicious String Detection
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine: '*'
condition: selection | entropy(CommandLine) > 6.5
level: medium
Troubleshooting
Common Issues
Rule Validation Errors:
bash
# Check YAML syntax
python -c "import yaml; yaml.safe_load(open('rule.yml'))"
# Validate Sigma rule structure
sigma check rule.yml -v
# Check field mappings
sigma convert -t splunk rule.yml --debug
Conversion Problems:
bash
# List available backends
sigma list backends
# Check backend configuration
sigma list modifiers -t splunk
# Test with minimal rule
sigma convert -t splunk -e 'detection: {selection: {EventID: 1}, condition: selection}'
Performance Issues:
bash
# Profile rule conversion
time sigma convert -t splunk rules/*.yml
# Check rule complexity
grep -c "condition:" rule.yml
grep -c "|" rule.yml # Count modifiers
# Optimize rule structure
sigma convert -t splunk rule.yml --optimize
Debugging
Debug Mode:
bash
# Enable debug logging
sigma convert -t splunk rule.yml --debug
# Verbose output
sigma convert -t splunk rule.yml -v
# Dry run mode
sigma convert -t splunk rule.yml --dry-run
Rule Analysis:
bash
# Analyze rule coverage
sigma analyze rules/ --coverage
# Check for duplicates
sigma analyze rules/ --duplicates
# Performance analysis
sigma analyze rules/ --performance
This comprehensive Sigma cheatsheet covers rule development, conversion, deployment, and advanced features for effective threat detection across multiple SIEM platforms.