Sigma vs TheHive
About Sigma
Sigma is a generic and open signature format for SIEM systems, analogous to what YARA is for files and Snort is for network traffic. Sigma rules describe log events in a YAML-based format that is independent of any specific SIEM product. Using the sigma-cli converter (pySigma), rules can be translated into native query languages for Splunk (SPL), Elasticsearch (Lucene/KQL), Microsoft Sentinel, QRadar, CrowdStrike, Carbon Black, Grep, and over 30 other backends. The Sigma rule repository contains thousands of community-contributed detection rules covering MITRE ATT&CK techniques, common malware behaviors, lateral movement, persistence mechanisms, and suspicious system activity. Security teams use Sigma to write detection logic once and deploy it across their entire detection infrastructure, regardless of which SIEM products they use. The format is maintained by the SigmaHQ project and has become the de facto standard for shareable detection rules.
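To make the "write once, convert to any backend" idea concrete, here is an added example that is not part of this page or of the SigmaHQ project: a constructed Sigma rule (process-creation logic, fields and values invented for illustration) and a deliberately small translator that turns its `detection` section into a Splunk-style search. It is not pySigma and mirrors only the core of the format, namely named searches with `|contains`/`|endswith`/`|startswith` modifiers, lists OR-ed within a field, fields AND-ed within a search, and a boolean `condition` over search names. Real backends also apply processing pipelines (index and field-name mapping) and escaping rules that this toy skips.

```python
"""Toy Sigma-to-SPL translator (added example; not pySigma, not SigmaHQ code)."""
import re

# Constructed example rule, written as the dict PyYAML would produce. The YAML form:
#   title: Suspicious Encoded PowerShell
#   logsource: {category: process_creation, product: windows}
#   detection:
#     selection:
#       Image|endswith: '\powershell.exe'
#       CommandLine|contains: ['-enc', '-EncodedCommand']
#     filter:
#       ParentImage|endswith: '\explorer.exe'
#     condition: selection and not filter
#   level: medium
EXAMPLE_RULE = {
    "title": "Suspicious Encoded PowerShell (constructed example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        "filter": {"ParentImage|endswith": "\\explorer.exe"},
        "condition": "selection and not filter",
    },
    "level": "medium",
}


def _spl_term(field_spec, value):
    """Render one field/value pair, applying the Sigma modifier as a wildcard pattern."""
    field, _, modifier = field_spec.partition("|")
    v = str(value).replace('"', '\\"')
    pattern = {"contains": f"*{v}*", "endswith": f"*{v}", "startswith": f"{v}*"}.get(modifier, v)
    return f'{field}="{pattern}"'


def _spl_search(search):
    """One named search (e.g. 'selection'): fields are AND-ed, list values OR-ed."""
    parts = []
    for field_spec, value in search.items():
        if isinstance(value, list):
            parts.append("(" + " OR ".join(_spl_term(field_spec, v) for v in value) + ")")
        else:
            parts.append(_spl_term(field_spec, value))
    return "(" + " AND ".join(parts) + ")"


def _compile_condition(condition, searches):
    """Recursive-descent compile of 'a and not b', 'a or (b and c)' etc. over search names.
    Aggregations and '1 of selection*' forms are unsupported and raise ValueError."""
    tokens = re.findall(r"\(|\)|\w+", condition)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def expr():  # expr := term ('or' term)*
        parts = [term()]
        while peek() == "or":
            take()
            parts.append(term())
        return parts[0] if len(parts) == 1 else "(" + " OR ".join(parts) + ")"

    def term():  # term := factor ('and' factor)*
        parts = [factor()]
        while peek() == "and":
            take()
            parts.append(factor())
        return " AND ".join(parts)

    def factor():  # factor := 'not' factor | '(' expr ')' | search-name
        tok = take()
        if tok == "not":
            return "NOT " + factor()
        if tok == "(":
            inner = expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return "(" + inner + ")"
        if tok not in searches:
            raise ValueError(f"unsupported token or unknown search: {tok!r}")
        return searches[tok]

    result = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return result


def sigma_to_spl(rule):
    """Translate a rule's detection section into a Splunk-style search string."""
    detection = rule["detection"]
    searches = {name: _spl_search(s) for name, s in detection.items() if name != "condition"}
    return _compile_condition(detection["condition"], searches)


if __name__ == "__main__":
    print(sigma_to_spl(EXAMPLE_RULE))
```

Swapping `_spl_term` and `_spl_search` for Lucene or KQL renderers (different wildcard and quoting syntax, `:` instead of `=`) leaves the condition compiler untouched, which is the separation of rule logic from query syntax that the Sigma format is built around.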
About TheHive
TheHive is a scalable, open-source Security Incident Response Platform (SIRP) designed to make life easier for SOCs, CSIRTs, and CERTs dealing with security incidents that need to be investigated and acted upon. It provides collaborative case management where multiple analysts can work on the same case simultaneously, with full audit trails and task assignment. TheHive integrates tightly with Cortex for automated observable analysis (IP lookups, hash checks, domain reputation) and with MISP for threat intelligence sharing. Cases can be created from email alerts, SIEM events, or manually, and each case supports tasks, observables, and evidence attachments. Its template system and custom fields make it adaptable to any organization's incident response workflow.