
Sigma: Generic signature format for SIEM systems

YAML-based detection rules with SIEM query conversion.

Live rankings (06:52 AM, steady):
  Overall: #178 (71)
  Security: #15 (6)
  30-day ranking trend: overall #178, security #15
  Stars: 10.0K | Forks: 2.5K | Downloads: 84.3K
  7-day change: +8 stars, +2 forks

Learn more about sigma

Sigma is a structured rule format designed to describe log-based detection methods in a platform-independent way. Rules are written in YAML and define patterns for identifying suspicious or malicious activity across log events. The format includes conversion tools that translate Sigma rules into native query languages for various SIEM systems including Elasticsearch, Splunk, and others. The repository maintains over 3000 community-contributed rules organized by category: generic detections, threat hunting rules, emerging threat rules, compliance rules, and placeholder rules.


1. Multi-SIEM Backend Conversion

Write detection rules once in YAML and convert them to native query languages for Elasticsearch, Splunk, and other SIEMs through modular backends. This eliminates manual rewriting of detections across different platforms.

2. Community Rule Repository

Over 3000 peer-reviewed detection rules covering threat categories and compliance frameworks, organized and maintained by the community. Production-ready rules are available without licensing costs or vendor lock-in.

3. Structured YAML Specification

A standardized schema supports flexible field matching, logical operators, and metadata tagging in a human-readable format. Rules are simultaneously readable by analysts and parseable by automated tooling.


# pySigma: parse a rule from YAML into a SigmaRule object.
from sigma.rule import SigmaRule

rule = SigmaRule.from_yaml("""
title: Failed SSH Login
logsource:
    product: linux
    service: sshd
detection:
    selection:
        message: 'Failed password'
    condition: selection
level: low
""")

# Parsed attributes are available as typed fields on the rule object.
print(f"Rule: {rule.title}")
print(f"Level: {rule.level}")
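The multi-SIEM conversion described in the feature list above, as an added toy example (not pySigma or the Sigma project's own code): a rule dict mirroring the page's 'Failed SSH Login' rule, extended with a hypothetical 'filter' selection, rendered by two minimal backends into Splunk-style SPL and Elasticsearch-style Lucene query strings. Real pySigma backends also apply log-source field-mapping pipelines and a full condition grammar, both omitted here.

```python
"""Toy version of Sigma's write-once, convert-many model (added example, not
pySigma or the Sigma project's code): one rule, two tiny SIEM backends."""
import re

# Constructed rule in the shape the page's YAML loads into; 'filter' is hypothetical.
RULE = {
    "title": "Failed SSH Login",
    "detection": {
        "selection": {"message|contains": "Failed password"},
        "filter": {"user": ["monitor", "healthcheck"]},
        "condition": "selection and not filter",
    },
}

def _quote(value):
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def _splunk_term(field, value, modifier):
    # SPL: field="value"; the |contains modifier becomes surrounding wildcards.
    return f"{field}=" + _quote(f"*{value}*" if modifier == "contains" else value)

def _lucene_term(field, value, modifier):
    # Lucene wildcards cannot sit inside a quoted phrase: escape reserved chars instead.
    if modifier == "contains":
        return f"{field}:*" + re.sub(r'([+\-!(){}\[\]^"~*?:\\/ ])', r"\\\1", value) + "*"
    return f"{field}:" + _quote(value)

def _render_selection(selection, term):
    # Fields inside one selection are ANDed; a list of values for a field is ORed.
    parts = []
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        alts = [term(field, str(v), modifier)
                for v in (values if isinstance(values, list) else [values])]
        parts.append((" OR ".join(alts), len(alts) > 1))
    if len(parts) == 1:
        return parts[0][0]
    return " AND ".join(f"({text})" if grouped else text for text, grouped in parts)

def convert(rule, backend):
    """Render the detection block for 'splunk' or 'lucene' (flat and/or/not conditions only)."""
    term = {"splunk": _splunk_term, "lucene": _lucene_term}[backend]
    detection = rule["detection"]
    out = []
    for token in detection["condition"].split():
        if token in ("and", "or", "not"):
            out.append(token.upper())
        else:
            out.append("(" + _render_selection(detection[token], term) + ")")
    return " ".join(out)
```

Calling convert(RULE, "splunk") and convert(RULE, "lucene") on the same rule shows the same detection logic in two query dialects, which is the point of the format.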

Release r2025-11-01

Adds 36 detection rules (AWS, Linux, Windows), removes 4 deprecated rules, and fixes 20+ false-positive filters across Office, PowerShell, and network detections.

  • Remove deprecated rules for Azure credential modification, PowerShell downloads, and Office AD parsing before upgrading detection pipelines.
  • Review new AWS console/MFA, Linux CVE-2025-32463, and EDR-Freeze rules to align alerting thresholds with your environment.

Release r2025-10-01

Adds 42 new detection rules covering recent CVEs (CrushFTP RCE CVE-2025-54309, SharePoint ToolShell CVE-2025-53770, library-ms CVE-2025-24054) and 39 rule updates expanding coverage for Invoke-RestMethod, RTLO abuse, and Kerberos downgrade detection.

  • Deploy new rules for CrushFTP RCE, SharePoint ToolShell, and library-ms exploits to detect active exploitation attempts.
  • Review updated rules now detecting Invoke-RestMethod alongside Invoke-WebRequest for PowerShell download cradles and exfiltration patterns.

Release r2025-07-08

Adds 44 new detection rules (Kerberos coercion, CVE-2025-33053, Katz Stealer, MeshAgent RAT) and updates 33 existing rules for broader coverage and reduced false positives.

  • Deploy new rules for CVE-2025-33053 RCE exploitation, Kerberos DNS SPN spoofing coercion, and Katz Stealer malware indicators.
  • Review updated PowerShell commandlet detections (BadSuccessor, Invoke-PowerDPAPI) and Windows Defender registry tampering coverage.

