Sigma’s power comes from its abstraction layer. The same rule works across SIEM platforms because Sigma backends translate logsource definitions and field names automatically.
How Backends Resolve Fields
When you compile a Sigma rule, the backend does three things:
- Resolves the logsource — maps
category: process_creation, product: windowsto the correct index/dataset (e.g.Sysmon Event 1,win-evin QRadar) - Maps field names — translates Sigma field names (e.g.
Image) to platform-specific names (e.g.process.executablein Elastic) - Translates modifiers — converts
containsto*value*orLIKE '%value%'depending on the backend
Common Logsource Categories
logsource:
category: process_creation # Process started
category: network_connection # Outbound TCP/UDP
category: dns_query # DNS lookup
category: file_event # File created/modified
category: registry_event # Registry key changed
category: image_load # DLL/module loadedWriting Platform-Agnostic Rules
Best practices for maximum portability:
- Use standard field names — stick to the canonical Sigma field names from the spec
- Avoid platform-specific syntax — no SPL
eval, no KQLproject - Test with multiple backends — compile your rule against at least 2-3 targets before marking
status: stable - Document false positives — the
falsepositivesfield is mandatory forstablerules