Welcome to the Sigma main rule repository. The place where detection engineers, threat hunters and all defensive security practitioners collaborate on detection rules. The repository offers more than 3000 detection rules of different type and aims to make reliable detections accessible to all at no cost.

Currently the repository offers three types of rules:

• Generic Detection Rules - Are threat agnostic, their aim is to detect a behavior or an implementation of a technique or procedure that was, can or will be used by a potential threat actor.
• Threat Hunting Rules - Are broader in scope and are meant to give the analyst a starting point to hunt for potential suspicious or malicious activity
• Emerging Threat Rules - Are rules that cover specific threats, that are timely and relevant for certain periods of time. These threats include specific APT campaigns, exploitation of Zero-Day vulnerabilities, specific malware used during an attack,...etc.
• Compliance Rules - Are rules that help you identify compliance violations based on well known security frameworks such as CIS Controls, NIST, ISO 27001,...etc.
• Placeholder Rules - Are rules that get their final meaning at conversion or usage time of the rule.

To start exploring the Sigma ecosystem, please visit the official website sigmahq.io

Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file.

The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.

Sigma is for log files what Snort is for network traffic and YARA is for files.

Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and build their own searches and dashboard. Some of their searches and correlations are great and very useful but they lack a standardized format in which they can share their work with others.

Others provide excellent analyses, include IOCs and YARA rules to detect the malicious files and network connections, but have no way to describe a specific or generic detection method in log events. Sigma is meant to be an open standard in which such detection mechanisms can be defined, shared and collected in order to improve the detection capabilities for everyone.

• A continuously growing list of detection and hunting rules, peer reviewed by a community of professional Detection Engineers.
• Vendor agnostic detection rules.
• Easily shareable across communities and reports

To start writing Sigma rules please check the following getting started guide along with the sigma specification:

• Getting Started Guide
• Sigma Specification

Please refer to the CONTRIBUTING guide for detailed instructions on how you can start contributing new rules.

You can download the latest rule packages from the release page and start leveraging Sigma rules today. New rules are also released on a regular basis, so check back often for the latest detections.

• You can start converting Sigma rules today using:

  • Sigma CLI - the official command-line converter
  • sigconverter.io - web-based GUI converter
  • Detection Studio - web-based GUI converter

• To integrate Sigma rules in your own toolchain or products use pySigma.

If you find a false positive or would like to propose a new detection rule idea but do not have the time to create one, please create a new issue on the GitHub repository by selecting one of the available templates.

Join the Sigma community on Discord to discuss detection engineering, ask questions, share ideas, and collaborate with other practitioners. We also use Discord for announcements such as new releases and other project updates.

• sigmahq.io - Official Sigma website
• SigmaHQ Blog - Official blog covering detection engineering, rule releases, and Sigma updates
• Phoenix - Sigma Rule Intelligence Platform - Search, analyze, and understand Sigma rules mapped to MITRE ATT&CK

• Hack.lu 2017 Sigma - Generic Signatures for Log Events by Thomas Patzke
• Sigma - Generic Signatures for SIEM Systems by Florian Roth
• 50 Shades of Sigma by Florian Roth
• Introducing Sigma Specification v2.0 by Nasreddine Bencherchali
• SIGMA-Resources - Curated list of resources to learn and understand Sigma rules
• The Ultimate Guide to Sigma Rules by Graylog
• Introduction to Sigma Rules by Intezer

• AlphaSOC - Leverages Sigma rules to increase coverage across all supported log sources
• alterix - Converts Sigma rules to the query language of CRYPTTECH's SIEM
• AttackIQ - Sigma Rules integrated in AttackIQ's platform, and SigmAIQ for Sigma rule conversion and LLM apps
• Atomic Threat Coverage - Automatically maps Sigma rules to MITRE ATT&CK techniques, Atomic Red Team tests, and incident response playbooks (since December 2018)
• ATR (Agent Threat Rules) - Open MIT-licensed detection rule format for AI agent security threats (prompt injection, tool poisoning, context exfiltration). Reference CLI exports ATR rules to Sigma format via atr convert sigma.
• AttackRuleMap - Maps Atomic Red Team attack simulations to open-source Sigma detection rules for coverage assessment
• Confluent Sigma - Kafka Streams supported Sigma rules
• Detection Studio - Convert Sigma rules to any supported SIEM
• Exeon.UEBA - User and Entity Behavior Analytics (UEBA) solution from Exeon which provides a built-in Sigma detection engine
• IBM QRadar - Natively ingests Sigma rules for real-time detection via the YARA and Sigma Rules Manager app
• Joe Sandbox - Automated malware analysis platform that applies Sigma rules during sandbox execution to detect threats in behavioral logs
• LimaCharlie - SecOps cloud platform with native Sigma rule support and automatic conversion to its Detection & Response rule format
• MISP - Open-source threat intelligence sharing platform with native Sigma rule support (since version 2.4.70, March 2017)
• Nextron's Aurora Agent - Lightweight Sigma-based EDR agent using ETW for real-time endpoint detection
• Nextron's THOR Scanner - Scan with Sigma rules on endpoints
• RANK VASA - AI-based network threat detection platform that uses Sigma rules to identify security anomalies for MSSPs
• Saeros - Open-source HIDS for Windows and Active Directory with local Sigma rule matching via ETW
• Security Onion - Open-source network security monitoring platform with built-in Sigma detection and automatic daily rule updates
• Sekoia.io XDR - XDR supporting Sigma and Sigma Correlation rules languages
• sigma2stix - Converts the entire SigmaHQ Ruleset into STIX 2.1 Objects
• SIΣGMA - SIEM consumable generator that utilizes Sigma for query conversion
• SOC Prime - Threat detection marketplace hosting community Sigma rules with translation to 25+ SIEM, EDR, and XDR platforms
• TA-Sigma-Searches - Splunk app providing saved searches derived from converted Sigma rules
• TimeSketch - Open-source collaborative forensic timeline analysis tool that uses Sigma rules to tag and detect events
• VirusTotal - Whenever a sample matches any open-source Sigma rules, the matching rules are displayed as part of the file report
• ypsilon - Automated Use Case Testing

• Nasreddine Bencherchali (@nas_bench)
• Florian Roth (@cyb3rops)
• Christian Burkard (@phantinuss)
• François Hubaut (@frack113)
• Thomas Patzke (@blubbfiction)
• Mohamed Ashraf (@X__Junior)
• Swachchhanda Shrawan Poudel (@_swachchhanda_)

This project would've never reached this height without the help of the hundreds of contributors. Thanks to all past and present contributors for their help.

The content of this repository is released under the Detection Rule License (DRL) 1.1.