The problem of proprietary SIEM rules
Every SIEM speaks a different language: Splunk SPL, Elastic DSL, IBM QRadar AQL, Microsoft Sentinel KQL, Google Chronicle YARA-L. Detection rules written for one vendor are not portable, and the detection engineering community ends up rewriting the same logic multiple times.
In 2017 Florian Roth (Nextron Systems) and Thomas Patzke published Sigma: a generic YAML format for describing detection rules, with translation backends targeting the query languages of commercial SIEMs.
The first public GitHub releases date from July 2017. The project is distributed under the MIT licence for the code and the Detection Rule License (DRL) 1.1 for the rules, allowing free redistribution, including in commercial contexts.
Rule structure
A Sigma rule has defined sections:
- title, id (UUID), status (experimental/test/stable), description
- references, author, date, modified
- logsource — standardised category (e.g. product: windows, service: security, category: process_creation)
- detection — selection with logical fields (selection, filter, condition)
- fields, falsepositives, level (informational/low/medium/high/critical)
- tags — typically MITRE ATT&CK mapping (attack.t1055, attack.defense_evasion)
Matching logic is declarative: the backend translates selection and condition into the native syntax of the target SIEM.
The converter: sigmac and pySigma
The original tool sigmac (Python) reads a YAML rule and produces queries for the specified backend:
sigmac -t splunk -c splunk-windows rule.yml
Since 2021 the project has offered pySigma, a modern library with backend plugins (Splunk, Elastic, QRadar, Sentinel, Chronicle, Carbon Black, CrowdStrike), processing pipelines and custom field-mapping support.
SigmaHQ and community repository
The main repository SigmaHQ/sigma on GitHub contains thousands of curated public rules, organised by logsource (Windows, Linux, macOS, cloud, network, application). Every rule includes quality metadata, risk level, public references (blog posts, threat reports).
The SigmaHQ organisation coordinates maintenance, review and releases.
Logsource taxonomy
The logsource taxonomy is the contract between rule author and implementer: it defines normalised field names (e.g. Image, CommandLine, ParentImage for Sysmon event 1). pySigma pipelines translate these fields into the actual names used by the target SIEM (e.g. process.executable in ECS, New_Process_Name in native EventLog).
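The rule structure and the field mapping described above, as an added example that is not code from the Sigma project: a toy Python matcher that loads a constructed rule with the condition `selection and not filter`, renames the taxonomy fields Image and CommandLine to their ECS names through a pipeline table, and evaluates the rule over a constructed ECS-shaped event. The rule, the event and the ECS name for CommandLine are assumptions for illustration; only `and`/`not`, the `contains` and `endswith` modifiers and plain wildcard values are implemented, where pySigma covers the full grammar.

```python
"""Minimal Sigma-style matcher ('selection and not filter') with a logsource
field-mapping pipeline. Constructed teaching code, not pySigma/SigmaHQ code."""
import fnmatch

# Rule as it looks once the YAML has been loaded (constructed example rule).
RULE = {
    "title": "rundll32 started without a DLL argument",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\rundll32.exe"},
        "filter": {"CommandLine|contains": ".dll"},
        "condition": "selection and not filter",
    },
    "tags": ["attack.defense_evasion", "attack.t1218.011"],
}
# Pipeline: Sigma taxonomy field -> field name in the target schema (ECS).
ECS_FIELDS = {"Image": "process.executable",
              "CommandLine": "process.command_line"}
# Constructed ECS-shaped event: rundll32 launched with no DLL on the command line.
EVENT = {"process.executable": "C:\\Windows\\System32\\rundll32.exe",
         "process.command_line": "rundll32.exe"}

def value_matches(modifier, pattern, actual):
    a, p = str(actual).lower(), str(pattern).lower()  # Sigma matching is case-insensitive
    if modifier == "contains":
        return p in a
    if modifier == "endswith":
        return a.endswith(p)
    return fnmatch.fnmatchcase(a, p)  # plain value, * and ? wildcards

def selection_matches(selection, event, fields):
    """All keys of a selection map must match (AND); list values are OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(fields.get(field, field))
        patterns = patterns if isinstance(patterns, list) else [patterns]
        if actual is None or not any(
                value_matches(modifier, p, actual) for p in patterns):
            return False
    return True

def rule_matches(rule, event, fields=ECS_FIELDS):
    """Evaluate a condition of the form 'a and not b [and c ...]'."""
    det = rule["detection"]
    result = True
    for term in det["condition"].split(" and "):
        negate = term.startswith("not ")
        hit = selection_matches(det[term[4:] if negate else term], event, fields)
        result = result and (hit != negate)
    return result
```

Passing `fields={}` evaluates the same rule against events that already use the taxonomy names (Image, CommandLine), which is what a pipeline for native Sysmon data would amount to.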
ATT&CK integration
Sigma was among the first detection engineering projects to systematically map every rule to MITRE ATT&CK techniques. This enables measurable coverage: given a rule set, it is possible to calculate which techniques are covered and which are not (ATT&CK Navigator layer).
Adoption and tooling
- Elastic, Splunk, Microsoft Sentinel, Chronicle — official support or via community plugins
- Uncoder.io (SOC Prime) — multi-backend online converter
- ThreatHunter Playbook, HELK, Security Onion — preloaded Sigma rules
- CI/CD for detection as code — test, linting, rule packaging in pipelines
In the Italian context
Sigma is used in:
- National and regional CSIRTs — rule sharing without SIEM lock-in
- Italian MSSPs — multi-tenant detection catalogues
- Companies migrating SIEM — rule migration without rewriting
- Universities — detection engineering teaching
Sigma has enabled a SIEM-agnostic detection content ecosystem, aligned with ATT&CK and manageable as code.
References: Sigma, authors Florian Roth and Thomas Patzke, first public releases 2017. SigmaHQ organisation. MIT licence (code) + DRL 1.1 (rules). Backends: Splunk SPL, Elastic DSL, QRadar AQL, Sentinel KQL, Chronicle YARA-L. Site: https://sigmahq.io.