Sigma: Generic signature format for SIEM systems
YAML-based detection rules with SIEM query conversion.
Sigma is a structured rule format designed to describe log-based detection methods in a platform-independent way. Rules are written in YAML and define patterns for identifying suspicious or malicious activity across log events. The format includes conversion tools that translate Sigma rules into native query languages for various SIEM systems including Elasticsearch, Splunk, and others. The repository maintains over 3000 community-contributed rules organized by category: generic detections, threat hunting rules, emerging threat rules, compliance rules, and placeholder rules.
Multi-SIEM Backend Conversion
Write detection rules once in YAML and convert to native query languages for Elasticsearch, Splunk, and other SIEMs through modular backends. Eliminates manual rewriting of detections across different platforms.
Community Rule Repository
Over 3000 peer-reviewed detection rules covering threat categories and compliance frameworks, organized and maintained by the community. Production-ready rules available without licensing costs or vendor lock-in.
Structured YAML Specification
Standardized schema supports flexible field matching, logical operators, and metadata tagging in human-readable format. Rules are simultaneously readable by analysts and parseable by automated tooling.
# Parse a Sigma rule with pySigma (the sigma package from "pip install pysigma").
from sigma.rule import SigmaRule

# YAML indentation matters: logsource and detection keys are nested under their parents.
rule = SigmaRule.from_yaml("""
title: Failed SSH Login
logsource:
    product: linux
    service: sshd
detection:
    selection:
        message: 'Failed password'
    condition: selection
level: low
""")

print(f"Rule: {rule.title}")
print(f"Level: {rule.level}")

Adds 35 new security detection rules covering AMSI bypasses, EDR evasion techniques, Linux privilege escalation, and network scanning.
- new: AMSI Disabled via Registry Modification
- new: Cmd Launched with Hidden Start Flags to Suspicious Targets
- new: Devcon Execution Disabling VMware VMCI Device
- new: Github Self-Hosted Runner Execution
- new: HTML File Opened From Download Folder
Adds 33 new detection rules covering AWS GuardDuty, macOS malware, Cisco/FortiGate exploits, and ClickFix/FileFix attack patterns.
- new: AWS GuardDuty Detector Deleted Or Updated
- new: Atomic MacOS Stealer - FileGrabber Activity
- new: Atomic MacOS Stealer - Persistence Indicators
- new: Cisco ASA/FP SSL VPN Exploit (CVE-2025-20333 / CVE-2025-20362) - Proxy
- new: DNS Query by Finger Utility
Introduces 34 new detection rules covering AWS security monitoring, Linux system manipulation, and Windows lateral movement techniques.
- new: AWS Bucket Deleted
- new: AWS Console Login Monitoring
- new: AWS ConsoleLogin Failed Authentication
- new: AWS EnableRegion Command Monitoring
- new: AWS IAM User with Console Access Login Without MFA
Related Repositories
Discover similar tools and frameworks used by developers
Gitleaks
Regex-based secret scanner for git repositories.
Semgrep
Pattern-based code scanner for 30+ languages.
Ghidra
NSA's open-source tool for analyzing compiled binaries.
Nuclei
Template-based multi-protocol security scanner for CI/CD pipelines.
FingerprintJS
Client-side JavaScript library for browser fingerprinting and visitor identification.