Cyber Security Academy · Lesson

Writing Sigma Rules

Portable detection rule syntax.

What Sigma Is

Sigma is a generic, vendor-neutral signature format for log-based detections. You write the detection logic once in YAML, then convert it to Splunk SPL, Elastic queries, Sentinel KQL, and many other backends.

Sigma is to log detection what YARA is to file detection: a portable lingua franca. It lets teams share rules publicly and avoid rewriting the same idea per SIEM.

Anatomy of a Rule

A Sigma rule is a YAML document with required and optional sections. The essentials are title, logsource, and detection.

title: Suspicious PowerShell Encoded Command
id: 7e3f3c1a-1f2b-4c3d-9a8b-1234567890ab
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\\powershell.exe'
    CommandLine|contains: '-enc'
  condition: selection
level: high
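To make the detection block concrete, here is an added example (not part of the lesson, not the Sigma project's own code) that evaluates the rule above against constructed process_creation events, implementing the `|endswith` and `|contains` modifiers and a `condition` that names a single selection. The rule is embedded as a Python dict, which is what `yaml.safe_load` would produce from the YAML; the event field names and sample values are assumptions.

```python
from typing import Any

# The rule from the lesson, as the dict a YAML loader would return.
RULE: dict[str, Any] = {
    "title": "Suspicious PowerShell Encoded Command",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe", "CommandLine|contains": "-enc"},
        "condition": "selection",
    },
    "level": "high",
}

def field_matches(event_value: str, modifier: str, pattern: str) -> bool:
    # Sigma string comparison is case-insensitive; apply one value modifier.
    v, p = event_value.lower(), pattern.lower()
    if modifier == "contains":
        return p in v
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "":          # no modifier: exact match
        return v == p
    raise ValueError(f"unsupported modifier: {modifier}")

def selection_matches(selection: dict[str, Any], event: dict[str, str]) -> bool:
    # Every field/value pair inside one selection map must match (implicit AND).
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None or not field_matches(value, modifier, pattern):
            return False
    return True

def rule_matches(rule: dict[str, Any], event: dict[str, str]) -> bool:
    # Supports only a condition that names a single selection, as in this rule.
    detection = rule["detection"]
    return selection_matches(detection[detection["condition"].strip()], event)

# Constructed sample events (assumed field names, not real telemetry).
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoP -Enc QQBCAEMA"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]

def hits(rule: dict[str, Any] = RULE, events: list[dict[str, str]] = EVENTS) -> list[str]:
    # Return the Image of every event the rule fires on.
    return [e["Image"] for e in events if rule_matches(rule, e)]
```

Because matching is case-insensitive and `contains` is a substring test, `-enc` also fires on `-EncodedCommand` and `-ENC`, which is usually what you want here but is worth knowing when you tune false positives.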
