Convert Figma logo to code with AI

SigmaHQ logosigma

Main Sigma Rule Repository

8,256
2,179
8,256
39
View on GitHub

Top Related Projects

SigmaHQ's avatar

sigma

8,252

Main Sigma Rule Repository

elastic's avatar

detection-rules

1,921

Quick Overview

Sigma is an open-source generic and extensible signature format for describing log events. It allows for the creation of portable detection rules that can be converted into various SIEM and log management system query languages. Sigma aims to standardize the way security analysts describe and share detection methods across different platforms.

Pros

  • Platform-agnostic: Sigma rules can be converted to multiple target formats, making them highly portable across different security tools.
  • Community-driven: A large collection of pre-written rules is available, with contributions from security experts worldwide.
  • Extensible: The format can be easily extended to support new log types and target systems.
  • Simplifies threat hunting: Enables analysts to quickly create and share detection rules in a standardized format.

Cons

  • Learning curve: Requires understanding of the Sigma syntax and rule structure.
  • Conversion limitations: Some complex rules may not translate perfectly to all target systems.
  • Maintenance: As with any rule-based system, regular updates are needed to keep rules effective and relevant.
  • Tool dependency: Requires additional tools or converters to transform Sigma rules into usable queries for specific platforms.

Code Examples

  1. Basic Sigma rule structure:
title: Suspicious PowerShell Command Line
logsource:
    product: windows
    service: powershell
detection:
    selection:
        CommandLine|contains:
            - '-enc'
            - '-encodedcommand'
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts using encoded commands
level: medium
  1. Sigma rule with multiple detection conditions:
title: Potential Credential Dumping
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4656
        ObjectName|contains: 'lsass.exe'
    filter:
        ProcessName|endswith: 'svchost.exe'
    condition: selection and not filter
falsepositives:
    - Legitimate administrative activities
level: high
  1. Sigma rule using aggregation:
title: Multiple Failed Logins from Single Source
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4625
    timeframe: 5m
    condition: selection | count() by src_ip > 10
falsepositives:
    - Misconfigured applications
    - Password spraying by security tools
level: medium

Getting Started

To start using Sigma:

  1. Clone the repository:

    git clone https://github.com/SigmaHQ/sigma.git

  2. Install a Sigma converter tool (e.g., sigmac):

    pip install sigmatools

  3. Write or use existing Sigma rules (stored as YAML files).

  4. Convert a rule to your target format (e.g., Elasticsearch):

    sigmac -t elasticsearch -c tools/config/generic/sysmon.yml /path/to/rule.yml

  5. Apply the generated query in your SIEM or log management system.

Competitor Comparisons

SigmaHQ logo

sigma

8,252

Main Sigma Rule Repository

Pros of sigma

  • More comprehensive and actively maintained repository
  • Larger community and contributor base
  • Extensive documentation and examples

Cons of sigma

  • Potentially more complex for beginners
  • May include features not needed by all users

Code comparison

sigma:

title: Suspicious Process Creation
status: experimental
description: Detects suspicious process creation
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'powershell.exe -nop -w hidden -c'
            - 'cmd.exe /c powershell'
    condition: selection
falsepositives:
    - Legitimate administrative tasks
level: high

sigma>:

title: Example Rule
description: An example rule for demonstration
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|endswith: '\cmd.exe'
    condition: selection
falsepositives:
    - Administrative activities
level: low

Note: The code comparison shows that sigma has more detailed and complex rules, while sigma> provides simpler, more basic rule structures. This aligns with the pros and cons mentioned earlier, where sigma offers more comprehensive features but may be more complex for beginners.

elastic logo

detection-rules

1,921

Pros of detection-rules

  • Specifically designed for Elastic Security, offering seamless integration with Elastic Stack
  • Includes a comprehensive set of pre-built rules for common security use cases
  • Provides a robust testing framework for rule validation

Cons of detection-rules

  • Limited to Elastic Security ecosystem, less versatile for other SIEM platforms
  • Smaller community and fewer contributors compared to Sigma
  • Less flexible in terms of rule format and conversion options

Code Comparison

Sigma rule example:

title: Suspicious Process Creation
detection:
  selection:
    EventID: 1
    Image: '*\cmd.exe'
  condition: selection

detection-rules example:

name: Suspicious Command Execution
type: eql
query: |
  process where process.name : "cmd.exe"
    and not process.parent.name : "explorer.exe"

Both repositories aim to provide detection rules for security monitoring, but they differ in their approach and target platforms. Sigma offers a generic, widely-applicable format for various SIEM systems, while detection-rules focuses on optimizing rules specifically for Elastic Security. The choice between them depends on the user's specific environment and requirements.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Sigma - Generic Signature Format for SIEM Systems


Sigma Logo


Sigma Build Status Sigma Official Badge GitHub Repo stars GitHub all releases
Open Source Security Index - Fastest Growing Open Source Security Projects

Welcome to the Sigma main rule repository. The place where detection engineers, threat hunters and all defensive security practitioners collaborate on detection rules. The repository offers more than 3000 detection rules of different type and aims to make reliable detections accessible to all at no cost.

Currently the repository offers three types of rules:

  • Generic Detection Rules - Are threat agnostic, their aim is to detect a behavior or an implementation of a technique or procedure that was, can or will be used by a potential threat actor.
  • Threat Hunting Rules - Are broader in scope and are meant to give the analyst a starting point to hunt for potential suspicious or malicious activity
  • Emerging Threat Rules - Are rules that cover specific threats, that are timely and relevant for certain periods of time. These threats include specific APT campaigns, exploitation of Zero-Day vulnerabilities, specific malware used during an attack,...etc.

Explore Sigma

To start exploring the Sigma ecosystem, please visit the official website sigmahq.io

What is Sigma

Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file.

The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.

Sigma is for log files what Snort is for network traffic and YARA is for files.

Sigma Description - A diagram showing Yaml Files (Sigma Rules) moving through a Sigma Convertor, and coming out as many SIEM logos, showing how Sigma rules can be converted to many different available SIEM query languages

Why Sigma

Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and build their own searches and dashboard. Some of their searches and correlations are great and very useful but they lack a standardized format in which they can share their work with others.

Others provide excellent analyses, include IOCs and YARA rules to detect the malicious files and network connections, but have no way to describe a specific or generic detection method in log events. Sigma is meant to be an open standard in which such detection mechanisms can be defined, shared and collected in order to improve the detection capabilities for everyone.

🌟 Key Features

  • A continuously growing list of detection and hunting rules, peer reviewed by a community of professional Detection Engineers.
  • Vendor agnostic detection rules.
  • Easily shareable across communities and reports

🏗️ Rule Creation

To start writing Sigma rules please check the following guides:

🔎 Contributing & Making PRs

Please refer to the CONTRIBUTING guide for detailed instructions on how you can start contributing new rules.

📦 Rule Packages

You can download the latest rule packages from the release page and start leveraging Sigma rules today.

🧬 Rule Usage and Conversion

  • You can start converting Sigma rules today using Sigma CLI or sigconverter.io the GUI interface

  • To integrate Sigma rules in your own toolchain or products use pySigma.

🚨 Reporting False Positives or New Rule Ideas

If you find a false positive or would like to propose a new detection rule idea but do not have the time to create one, please create a new issue on the GitHub repository by selecting one of the available templates.

📚 Resources & Further Reading

Projects or Products that use or integrate Sigma rules

📜 Maintainers

Credits

This project would've never reached this height without the help of the hundreds of contributors. Thanks to all past and present contributors for their help.

Licenses

The content of this repository is released under the Detection Rule License (DRL) 1.1.