Sigma
๐ง Threat Intelligence ยท Python/YAML
Sigma is a generic and open signature format for SIEM systems, analogous to what YARA is for files and Snort is for network traffic. Sigma rules describe log events in a YAML-based format that is independent of any specific SIEM product. Using the sigma-cli converter (pySigma), rules can be translated into native query languages for Splunk (SPL), Elasticsearch (Lucene/KQL), Microsoft Sentinel, QRadar, CrowdStrike, Carbon Black, Grep, and over 30 other backends. The Sigma rule repository contains thousands of community-contributed detection rules covering MITRE ATT&CK techniques, common malware behaviors, lateral movement, persistence mechanisms, and suspicious system activity. Security teams use Sigma to write detection logic once and deploy it across their entire detection infrastructure, regardless of which SIEM products they use. The format is maintained by the SigmaHQ project and has become the de facto standard for shareable detection rules.
Installation
pip
$ pip install sigma-clifrom source
$ git clone https://github.com/SigmaHQ/sigma.gitUse Cases
- Writing portable detection rules that work across multiple SIEM platforms
- Converting community detection rules to Splunk SPL or Elasticsearch queries
- Building a detection library aligned with MITRE ATT&CK techniques
- Sharing detection logic between security teams using different SIEM products
- Testing and validating detection coverage against known attack patterns
Tags
Details
- Category
- ๐ง Threat Intelligence
- Language
- Python/YAML
- Repository
- SigmaHQ/sigma
- Platforms
- ๐งlinux๐macos๐ชwindows
Links
Alternatives & Comparisons
YARA
CPattern matching swiss knife for malware researchers. Create rules to identify and classify malware samples.
Compare Sigma vs YARAMISP
PHP/PythonOpen-source threat intelligence and sharing platform. Structured IOC management, feeds, correlation, and STIX/TAXII export.
Compare Sigma vs MISPOpenCTI
TypeScript/PythonCyber threat intelligence platform. Knowledge management for threat data with STIX2 native storage and graph visualization.
Compare Sigma vs OpenCTITheHive
Scala/JavaScriptIncident response case management platform. Collaborative investigation with observable analysis, playbooks, and MISP integration.
Compare Sigma vs TheHiveGRR Rapid Response
PythonRemote live forensics framework by Google. Deploy agents across thousands of endpoints for artifact collection and analysis.
Compare Sigma vs GRR Rapid ResponseKAPE
C#Kroll Artifact Parser and Extractor. Fast triage collection and parsing of forensic artifacts from Windows, macOS, and Linux.
Compare Sigma vs KAPECortex
Scala/PythonObservable analysis and active response engine. Analyze IOCs at scale with 100+ analyzers for IPs, hashes, URLs, and domains.
Compare Sigma vs CortexSuricata
C/RustHigh-performance IDS/IPS and network monitoring engine. Multi-threaded with Snort-compatible rules and protocol logging.
Compare Sigma vs SuricataMore in Threat Intelligence
MISP
PHP/PythonOpen-source threat intelligence and sharing platform. Structured IOC management, feeds, correlation, and STIX/TAXII export.
OpenCTI
TypeScript/PythonCyber threat intelligence platform. Knowledge management for threat data with STIX2 native storage and graph visualization.
TheHive
Scala/JavaScriptIncident response case management platform. Collaborative investigation with observable analysis, playbooks, and MISP integration.
GRR Rapid Response
PythonRemote live forensics framework by Google. Deploy agents across thousands of endpoints for artifact collection and analysis.
KAPE
C#Kroll Artifact Parser and Extractor. Fast triage collection and parsing of forensic artifacts from Windows, macOS, and Linux.
Cortex
Scala/PythonObservable analysis and active response engine. Analyze IOCs at scale with 100+ analyzers for IPs, hashes, URLs, and domains.