Sigma Rule Structure
Overview
The following section gives an overview of Sigma: what it is and what it does.
What is Sigma
Sigma is a generic, YAML-based signature format for writing detection rules over log data. Think of it as "YARA for logs".
Created to be platform-agnostic.
Translates into SIEM-specific queries (like Splunk SPL, KQL, Elastic DSL).
Makes detection-as-code portable, version-controlled, and scalable.
Sigma Rule Structure
Key Sections
title: Human-friendly name of the rule
id: Unique rule ID (UUID)
status: stable, experimental, or deprecated
logsource: Where the rule applies (e.g., Windows, Linux, or a category such as process_creation)
detection: The detection logic
fields: Fields to show in the alert
falsepositives: Known benign triggers
level: Severity (low, medium, high, or critical)
tags: MITRE ATT&CK mappings (and other tags that matter to your organization)
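To make the sections above concrete, here is an added example (not code from the Sigma project or from this page) that holds one rule as the Python mapping its YAML parses into, checks that the sections every rule must carry are present, and evaluates the common "selection and not filter" condition against constructed events; the rule's UUID, paths, sample values and helper names are all made up for this page.

```python
# Added example, not from the Sigma project: one rule held as the Python
# mapping its YAML parses into, plus a small evaluator for its detection section.
REQUIRED = ("title", "logsource", "detection")  # keys every Sigma rule must carry
RULE = {  # constructed sample rule; UUID and paths are placeholders
    "title": "PowerShell Launched With Encoded Command",
    "id": "00000000-0000-4000-8000-000000000001",  # placeholder UUID, not real
    "status": "experimental",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        "filter_admin_tool": {"ParentImage": "C:\\Tools\\admin-console.exe"},
        "condition": "selection and not filter_admin_tool",
    },
    "fields": ["Image", "CommandLine", "ParentImage", "User"],
    "falsepositives": ["Administrative scripts that legitimately pass -enc"],
    "level": "high",
    "tags": ["attack.execution", "attack.t1059.001"],
}

def validate_rule(rule):
    """Return the required top-level keys that are missing from the rule."""
    return [key for key in REQUIRED if key not in rule]

def _field_matches(event, key, expected):
    """One 'Field|modifier: value' line; list values are OR-ed, compare is case-insensitive."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in (expected if isinstance(expected, list) else [expected]):
        value = str(value).lower()
        hit = {"contains": value in actual,
               "endswith": actual.endswith(value),
               "": actual == value}.get(modifier, False)  # unknown modifier: no match
        if hit:
            return True
    return False

def _block_matches(event, block):
    """Every line inside one selection/filter map must match (AND semantics)."""
    return all(_field_matches(event, k, v) for k, v in block.items())

def matches(rule, event):
    """Evaluate the common 'selection and not filter' condition shape."""
    det = rule["detection"]
    left, op1, op2, right = det["condition"].split()  # only this form is handled here
    assert (op1, op2) == ("and", "not"), "unsupported condition"
    return _block_matches(event, det[left]) and not _block_matches(event, det[right])
```

Real Sigma backends translate the same structure into a SIEM query instead of evaluating it in Python; the evaluator here only shows what the detection section expresses.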
Sigma Documentation
Rules Repository