SigmaOptimizer Cheatsheet

SigmaOptimizer Cheatsheet

Overview

SigmaOptimizer is an open-source tool developed by NTT DATA that leverages Large Language Models (LLMs) to automate the creation, validation, and optimization of Sigma rules. It was showcased at the Black Hat USA 2025 Arsenal.

Key Features

• LLM-Powered Rule Generation: Uses natural language descriptions to generate Sigma rules.
• Automated Validation: Validates generated rules against real log data to ensure accuracy.
• Rule Optimization: Optimizes existing Sigma rules for better performance and fewer false positives.
• Open-Source: Freely available for use and modification.
• Integration: Designed to work with existing SIEM and security workflows.

How It Works

1. Input: Provide a natural language description of the threat you want to detect (e.g., "a user accessing a sensitive file outside of business hours").
2. LLM Generation: SigmaOptimizer sends the description to an LLM, which generates a corresponding Sigma rule.
3. Validation: The generated rule is tested against a provided set of log data to verify its correctness.
4. Optimization: The rule is then optimized for performance and accuracy.
5. Output: A ready-to-use, optimized Sigma rule.

Installation

# (Note: Specific installation instructions will be available in the official repository)

# Example installation (replace with actual commands)
git clone https://github.com/nttdata-security/sigma-optimizer.git
cd sigma-optimizer
pip install -r requirements.txt

Usage

# Example usage (replace with actual commands)

# Generate a new rule from a description
python sigma-optimizer.py generate --description "Detects a user downloading an unusually large amount of data"

# Optimize an existing rule
python sigma-optimizer.py optimize --rule-file /path/to/your/rule.yml

# Validate a rule against log data
python sigma-optimizer.py validate --rule-file /path/to/your/rule.yml --log-file /path/to/your/logs.json

Configuration

You will need to configure SigmaOptimizer with your LLM API key and specify the model you want to use.

# config.yml (example)
llm:
  provider: openai
  api_key: "YOUR_API_KEY"
  model: "gpt-4"

Common Use Cases

• Rapid Rule Creation: Quickly create new Sigma rules for emerging threats.
• Rule Maintenance: Automate the process of optimizing and validating your existing rule set.
• Threat Hunting: Generate ad-hoc rules for threat hunting expeditions.
• Security Operations: Improve the efficiency and effectiveness of your security operations team.

Additional Resources

• NTT DATA Press Release
• (Link to official GitHub repository will be here when available)