Sigma Rules

Last updated Jan 10, 2026

User Guide

Sigma Overview

Sigma allows you to write detection rules in a format independent of any specific SIEM system, enabling the same rules to be used across various platforms.

Sigma Rule Status Dashboard

Sigma Rule Structure

title: Rule title
id: Unique identifier in UUID format
status: experimental | test | stable
description: Detection description
references:
    - https://referenceURL
author: Author
date: Creation date (YYYY-MM-DD)
modified: Modification date
tags:
    - attack.tactic
    - attack.technique_id
logsource:
    product: windows | linux | macos, etc.
    category: process_creation | file_event, etc.
    service: security | system, etc.
detection:
    selection:
        FieldName: value
    condition: selection
falsepositives:
    - Possible false positive cases
level: informational | low | medium | high | critical
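The structure above is easy to get subtly wrong (a non-UUID id, a status value outside the listed set, a condition that names a selection the rule never defines). The following checker is an added example, not code from this page or from Logpresso: it lints a rule loaded as a Python dict against the template above. It treats `title`, `logsource` and `detection` as mandatory (an assumption taken from the Sigma specification) and checks the other keys only when present. Both sample rules, including the UUID, are constructed for the example.

```python
import re
import uuid
from datetime import date
from fnmatch import fnmatchcase

# Allowed values and the condition keywords, taken from the rule structure above.
STATUSES = {"experimental", "test", "stable"}
LEVELS = {"informational", "low", "medium", "high", "critical"}
CONDITION_WORDS = {"and", "or", "not", "of", "them", "all"}

def lint_rule(rule: dict) -> list:
    """Return the problems found in one Sigma rule (an empty list means it passes).
    title, logsource and detection are treated as mandatory (assumption: Sigma spec);
    the other keys in the structure above are checked only when present."""
    problems = []
    for key in ("title", "logsource", "detection"):
        if key not in rule:
            problems.append(f"missing mandatory key '{key}'")
    if "id" in rule:
        try:
            uuid.UUID(str(rule["id"]))
        except ValueError:
            problems.append("id is not a UUID")
    if "status" in rule and rule["status"] not in STATUSES:
        problems.append(f"unknown status '{rule['status']}'")
    if "level" in rule and rule["level"] not in LEVELS:
        problems.append(f"unknown level '{rule['level']}'")
    dates = {}
    for key in ("date", "modified"):
        if key in rule:
            try:
                dates[key] = date.fromisoformat(str(rule[key]))
            except ValueError:
                problems.append(f"{key} is not YYYY-MM-DD")
    if "date" in dates and "modified" in dates and dates["modified"] < dates["date"]:
        problems.append("modified is earlier than date")
    for tag in rule.get("tags", []):
        if not str(tag).startswith("attack."):
            problems.append(f"tag '{tag}' does not use the attack.* form")
    if not any(k in rule.get("logsource", {}) for k in ("product", "category", "service")):
        problems.append("logsource names no product, category or service")
    det = rule.get("detection", {})
    if "condition" not in det:
        problems.append("detection has no condition")
    else:
        names = [k for k in det if k != "condition"]
        # Every identifier in the condition must name, or glob-match, a selection.
        # Anything after '|' is an aggregation (count() ...), not a selection name.
        condition = str(det["condition"]).split("|")[0]
        for tok in re.findall(r"[A-Za-z_][A-Za-z0-9_*]*", condition):
            if tok not in CONDITION_WORDS and not any(fnmatchcase(n, tok) for n in names):
                problems.append(f"condition references unknown selection '{tok}'")
    return problems

# Constructed sample rules (not from the page): one clean, one with four deliberate defects.
RULE = {
    "title": "Command shell spawned by Explorer",
    "id": "5b0a1c5e-6d0f-4a1b-9c2e-1f3a4b5c6d7e",   # made-up UUID for the example
    "status": "experimental",
    "description": "cmd.exe started with explorer.exe as its parent",
    "date": "2026-01-10", "modified": "2026-01-10",
    "tags": ["attack.execution", "attack.t1059.003"],
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {"selection_parent": {"ParentImage|endswith": "\\explorer.exe"},
                  "selection_child": {"Image|endswith": "\\cmd.exe"},
                  "condition": "selection_parent and selection_child"},
    "falsepositives": ["Administrators opening a shell from the desktop"],
    "level": "medium",
}
BROKEN_RULE = dict(RULE, id="not-a-uuid", status="draft", modified="2025-12-31",
                   detection=dict(RULE["detection"], condition="selection_child and not filter"))
```

Run `lint_rule` over a rule directory before loading rules into the SIEM: a condition that references an undefined selection is the defect most likely to slip through and silently yield a rule that never fires.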

Detection Syntax

Basic Field Matching

detection:
    selection:
        FieldName: 'value'
FieldName == "value"

Modifiers

Modifier     Description                     Logpresso Conversion
contains     Substring match                 contains(field, "value")
startswith   Prefix match                    field == "value*"
endswith     Suffix match                    field == "*value"
re           Regular expression              match(field, "pattern")
cidr         IP range match                  network(field, prefix) == ip("addr")
base64       Match after Base64 decoding     decode(frombase64(field)) == "value"
all          All values with AND condition   Each value joined with AND

Example:

detection:
    selection:
        CommandLine|contains: 'mimikatz'
        Image|endswith: '\cmd.exe'
| search contains(CommandLine, "mimikatz")
| search Image == "*\\cmd.exe"

Multiple Values (OR Condition)

detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
(Image == "*\\cmd.exe" or Image == "*\\powershell.exe")

Condition Expressions

Expression                    Description
selection                     Reference to the selection
selection1 and selection2     Both conditions must be met
selection1 or selection2      Either condition must be met
not selection                 Negate the condition
1 of selection_*              At least one of the pattern-matched selections must be met
all of selection_*            All pattern-matched selections must be met

Example:

detection:
    selection_parent:
        ParentImage|endswith: '\explorer.exe'
    selection_child:
        Image|endswith: '\cmd.exe'
    filter:
        CommandLine|contains: 'legitimate'
    condition: selection_parent and selection_child and not filter

Logpresso Query Conversion Rules

AND Condition Separation

Top-level AND conditions are separated into individual | search commands:

condition: selection1 and selection2
| search (selection1 condition)
| search (selection2 condition)

OR Condition Grouping

OR conditions are grouped with parentheses:

condition: selection1 or selection2
| search ((selection1 condition) or (selection2 condition))

NOT Condition

condition: selection and not filter
| search (selection condition)
| search not(filter condition)

Of Expression

detection:
    selection_1:
        Field: 'value1'
    selection_2:
        Field: 'value2'
    condition: 1 of selection_*
| search ((Field == "value1") or (Field == "value2"))

Field Mapping

Sigma field names are mapped to Logpresso normalized fields.

process_creation Category Example

Sigma Field     Logpresso Field
Image           image_path
ParentImage     parent_image_path
CommandLine     cmd_line
User            user
ProcessId       pid

Unsupported Features

The following features are currently not converted:

  • Keyword Matching: Format that lists strings without field names

    detection:
        keywords:
            - 'suspicious string'
    
  • Aggregation Conditions: Aggregate functions such as count, sum

    condition: selection | count() > 10
    

These rules will have the query field displayed as null.
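The conversion rules above (modifier translation, OR grouping, AND separation into `| search` commands, `not(...)`, `1 of` / `all of` expansion, the process_creation field mapping, and a null query for keyword lists and aggregations) can be put together into one small converter. The code below is an added example written for this page; it is not Logpresso's converter and is not part of the product. It assumes the rule has already been loaded into a Python dict, reuses Python's own parser for the condition (Sigma's `and`/`or`/`not` and parentheses are Python syntax, so only `N of pattern` is rewritten first, which means selection names must be valid identifiers), and treats any modifier not in the table above as unsupported (an assumption, not something the page states). The sample rule is constructed from the explorer.exe / cmd.exe example above.

```python
import ast
import re
from fnmatch import fnmatchcase

# Sigma -> Logpresso normalized field names for process_creation (the mapping table above).
FIELD_MAP = {"process_creation": {"Image": "image_path", "ParentImage": "parent_image_path",
                                  "CommandLine": "cmd_line", "User": "user", "ProcessId": "pid"}}

def quote(value) -> str:
    """Logpresso string literal; backslashes are doubled, as in "*\\cmd.exe" above."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'

def field_expr(field: str, value, category: str) -> str:
    """One `Field|modifier: value(s)` entry -> one Logpresso boolean expression."""
    name, *mods = field.split("|")
    name = FIELD_MAP.get(category, {}).get(name, name)
    joiner = " and " if "all" in mods else " or "  # |all ANDs a value list instead of ORing it
    mods = [m for m in mods if m != "all"]
    mod = mods[0] if mods else None
    def one(v):
        if mod is None:         return f"{name} == {quote(v)}"
        if mod == "contains":   return f"contains({name}, {quote(v)})"
        if mod == "startswith": return f"{name} == {quote(str(v) + '*')}"
        if mod == "endswith":   return f"{name} == {quote('*' + str(v))}"
        if mod == "re":         return f"match({name}, {quote(v)})"
        if mod == "base64":     return f"decode(frombase64({name})) == {quote(v)}"
        if mod == "cidr":
            addr, prefix = str(v).split("/")
            return f"network({name}, {int(prefix)}) == ip({quote(addr)})"
        raise NotImplementedError(f"modifier {mod}")   # assumption: unknown modifier -> null
    parts = [one(v) for v in (value if isinstance(value, list) else [value])]
    return parts[0] if len(parts) == 1 else "(" + joiner.join(parts) + ")"

def selection_terms(selection, category: str) -> list:
    """Field entries of one selection (ANDed). A bare list is keyword matching: not converted."""
    if not isinstance(selection, dict):
        raise NotImplementedError("keyword matching")
    return [field_expr(f, v, category) for f, v in selection.items()]

def parse_condition(text: str, names: list) -> ast.expr:
    """Parse with Python's parser: Sigma's and/or/not and parentheses are Python syntax, so
    only 'N of pattern' is rewritten first. Selection names must be valid identifiers."""
    if "|" in text:                                  # 'selection | count() > 10' aggregation
        raise NotImplementedError("aggregation condition")

    def expand(m):
        quant, pattern = m.group(1), m.group(2)
        hits = [n for n in names if pattern == "them" or fnmatchcase(n, pattern)]
        if quant not in ("1", "all") or not hits:
            raise NotImplementedError(f"{quant} of {pattern}")
        return "(" + (" or " if quant == "1" else " and ").join(hits) + ")"

    tree = ast.parse(re.sub(r"(\w+) of ([\w*]+)", expand, text), mode="eval").body
    for node in ast.walk(tree):                      # accept only names and and/or/not
        if isinstance(node, ast.Name) and node.id not in names:
            raise ValueError(f"unknown selection '{node.id}'")
        if isinstance(node, ast.expr) and not isinstance(node, (ast.BoolOp, ast.Name)) and not (
                isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not)):
            raise ValueError(f"unsupported condition syntax: {ast.dump(node)}")
    return tree

def to_expr(node, sels: dict, category: str) -> str:
    """Subtree -> one expression, parenthesised as the OR / NOT / 'of' rules above show."""
    if isinstance(node, ast.Name):
        terms = selection_terms(sels[node.id], category)
        return terms[0] if len(terms) == 1 else "(" + " and ".join(terms) + ")"
    if isinstance(node, ast.UnaryOp):
        return f"not({to_expr(node.operand, sels, category)})"
    op = " and " if isinstance(node.op, ast.And) else " or "
    return "(" + op.join(f"({to_expr(v, sels, category)})" for v in node.values) + ")"

def conjuncts(node) -> list:
    """Flatten top-level ANDs: each conjunct becomes its own `| search` command."""
    if isinstance(node, ast.BoolOp) and isinstance(node.op, ast.And):
        return [c for v in node.values for c in conjuncts(v)]
    return [node]

def convert(rule: dict):
    """Logpresso query text for a Sigma rule, or None where the page says the query is null."""
    det = rule["detection"]
    category = rule.get("logsource", {}).get("category", "")
    sels = {k: v for k, v in det.items() if k != "condition"}
    try:
        clauses = []
        for node in conjuncts(parse_condition(str(det["condition"]), list(sels))):
            if isinstance(node, ast.Name):           # a whole selection: one search per field
                clauses.extend(selection_terms(sels[node.id], category))
            else:
                clauses.append(to_expr(node, sels, category))
        return "\n".join(f"| search {c}" for c in clauses)
    except NotImplementedError:
        return None

# Constructed sample rule: the explorer -> cmd.exe example above, with a second child image.
EXAMPLE_RULE = {
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {"selection_parent": {"ParentImage|endswith": "\\explorer.exe"},
                  "selection_child": {"Image|endswith": ["\\cmd.exe", "\\powershell.exe"]},
                  "filter": {"CommandLine|contains": "legitimate"},
                  "condition": "selection_parent and selection_child and not filter"}}
```

`convert(EXAMPLE_RULE)` yields three `| search` commands: the parent-image test, the parenthesised OR over both child images, and `not(contains(cmd_line, "legitimate"))`. A rule whose condition carries an aggregation, or whose selection is a bare keyword list, comes back as `None`, mirroring the null query the page describes; a condition that references a selection the rule does not define raises `ValueError` instead of silently producing a query.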