Sigma is an open, vendor-neutral detection rule format. One rule, compiled to dozens of SIEM query languages.
The Top-Level Keys
Every Sigma rule is a YAML file with a consistent structure:

```yaml
title: Suspicious PowerShell Execution
id: 6c9e2b4f-8a1d-4e73-b0cd-1234567890ab
status: experimental
description: Detects PowerShell started with an encoded command line, a common way to obfuscate the script body on the command line.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains: '-EncodedCommand'
    condition: selection
falsepositives:
    - Legitimate admin automation
level: medium
tags:
    - attack.execution
    - attack.t1059.001
```

Only title, logsource and detection are mandatory in the specification. id (a UUID) is strongly recommended, and required for SigmaHQ contributions, because it is what tooling uses to track a rule across revisions; level takes one of informational, low, medium, high or critical.
The logsource Block
The logsource block abstracts where to search. You specify a category (e.g. process_creation, network_connection) and/or a product (e.g. windows, linux); a third key, service (e.g. security, sysmon), narrows the search to one log channel. The rule never names an index, table or vendor field: the Sigma backend, through its processing pipeline, maps the logsource to the right index and translates field names such as Image and CommandLine to whatever your SIEM calls them. Check that your pipeline actually carries a mapping for the category and product you use; a field the pipeline does not know is emitted unchanged, and a query against a field your SIEM never populates silently matches nothing.
The detection Block
Detection is where the matching logic lives. You define one or more named selections, then combine them with a condition. Inside a selection, every key must match (AND); a list of values under one key matches if any value does (OR); a list of maps is OR-ed across the maps. The condition combines selection names with and, or, not and parentheses, and can also count them: 1 of selection_* or all of them.
```yaml
detection:
    powershell_exec:
        Image|endswith: '\powershell.exe'
    encoded_cmd:
        CommandLine|contains: '-EncodedCommand'
    condition: powershell_exec and encoded_cmd
```

One caveat a practitioner will hit immediately: PowerShell accepts any unambiguous prefix of a parameter name, so -EncodedCommand also arrives as -enc, -ec or -e. A selection that only looks for the full spelling misses those invocations; published rules list the short forms as additional values under the same key.
Field Modifiers
A modifier is appended to the field name with a pipe (Image|endswith) and changes how the value is compared. Without a modifier the value must equal the field exactly, with * and ? as wildcards. Every string comparison except re is case-insensitive.

| Modifier | Behaviour |
|---|---|
| contains | substring match |
| startswith | prefix match |
| endswith | suffix match |
| re | regular expression match, applied as written (case-sensitive) |
| all | every value in a list must match (the default for a list is any) |

Modifiers chain, so CommandLine|contains|all: ['-nop', '-w hidden'] requires both substrings in the same command line.
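To make the selection semantics and the modifier table concrete, here is a small evaluator, written for this page rather than taken from Sigma or pySigma, that runs the two-selection detection block above (and a broader hypothetical variant) over constructed process_creation events. The rule dicts stand in for what yaml.safe_load would return for the YAML; the event records, the pwsh.exe and backup.ps1 cases and the BROAD_DETECTION selection names are assumptions made for illustration. It implements contains, startswith, endswith, re and all, plain values with wildcards, and and/or/not with parentheses in the condition; the "1 of" counting forms and the remaining modifiers are left out.

```python
import re

# Constructed in-memory equivalent of the detection block on the page
# (what yaml.safe_load() returns for that YAML).
PAGE_DETECTION = {
    "powershell_exec": {"Image|endswith": r"\powershell.exe"},
    "encoded_cmd": {"CommandLine|contains": "-EncodedCommand"},
    "condition": "powershell_exec and encoded_cmd",
}

# Hypothetical broader variant (not from the page): list values are OR-ed,
# 'all' turns a list into AND, 're' is a regex, 'not' excludes a selection.
BROAD_DETECTION = {
    "powershell_exec": {"Image|endswith": [r"\powershell.exe", r"\pwsh.exe"]},
    "encoded_cmd": {"CommandLine|contains": ["-EncodedCommand", " -enc ", " -ec "]},
    "hidden_noprofile": {"CommandLine|contains|all": ["-nop", "-w hidden"]},
    "backup_job": {"CommandLine|re": r"(?i)\\scripts\\backup\.ps1$"},
    "condition": "powershell_exec and (encoded_cmd or hidden_noprofile) and not backup_job",
}

# Constructed process_creation events using Sysmon/Sigma field names.
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAo..."},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo..."},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r"pwsh.exe -NoP -W Hidden -File C:\scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo -EncodedCommand"},
]


def value_matches(modifier: str, pattern: str, actual: str) -> bool:
    """One string modifier; everything except 're' is case-insensitive, as in Sigma."""
    if modifier == "re":
        return re.search(pattern, actual) is not None
    p, a = pattern.lower(), actual.lower()
    if modifier == "contains":
        return p in a
    if modifier == "startswith":
        return a.startswith(p)
    if modifier == "endswith":
        return a.endswith(p)
    if modifier == "":  # plain value: exact match, with * and ? as wildcards
        rx = re.escape(p).replace(r"\*", ".*").replace(r"\?", ".")
        return re.fullmatch(rx, a) is not None
    raise ValueError(f"unsupported modifier: {modifier}")


def field_matches(key: str, value, event: dict) -> bool:
    """'Field|modifier[|all]: value'. A list of values is OR unless 'all' is present."""
    field, *mods = key.split("|")
    use_all = "all" in mods
    modifier = next((m for m in mods if m != "all"), "")
    if field not in event:
        return False
    values = value if isinstance(value, list) else [value]
    hits = [value_matches(modifier, str(v), str(event[field])) for v in values]
    return all(hits) if use_all else any(hits)


def selection_matches(selection, event: dict) -> bool:
    # A map ANDs its fields; a list of maps ORs its entries.
    if isinstance(selection, list):
        return any(selection_matches(s, event) for s in selection)
    return all(field_matches(k, v, event) for k, v in selection.items())


def rule_matches(detection: dict, event: dict) -> bool:
    """Evaluate the condition (and/or/not/parentheses only) against one event."""
    names = {k: v for k, v in detection.items() if k != "condition"}
    toks = re.findall(r"\(|\)|\w+", detection["condition"])[::-1]  # reversed: pop() = next token

    def parse_not() -> bool:
        tok = toks.pop() if toks else ""
        if tok == "not":
            return not parse_not()
        if tok == "(":
            inner = parse_or()
            if (toks.pop() if toks else "") != ")":
                raise ValueError("missing ')' in condition")
            return inner
        if tok not in names:
            raise ValueError(f"condition references undefined selection: {tok!r}")
        return selection_matches(names[tok], event)

    def chain(op: str, sub) -> bool:  # left-associative and/or; both sides evaluated
        left = sub()
        while toks and toks[-1] == op:
            toks.pop()
            right = sub()
            left = (left or right) if op == "or" else (left and right)
        return left

    def parse_or() -> bool:
        return chain("or", lambda: chain("and", parse_not))

    result = parse_or()
    if toks:
        raise ValueError("trailing tokens in condition")
    return result


def evaluate(detection: dict, events: list) -> list:
    return [rule_matches(detection, e) for e in events]
```

Running evaluate(PAGE_DETECTION, EVENTS) fires only on the first event: the second uses the -enc abbreviation and the third is pwsh.exe, so neither reaches the literal -EncodedCommand check. The broader variant fires on the first two and, through not backup_job, deliberately suppresses the scripted pwsh.exe run, which is how a real rule carries its falsepositives entry into the logic rather than leaving it as prose.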
Rule Status Levels
Sigma rules carry a status field that signals production-readiness. The values the specification defines, from least to most trustworthy:

- unsupported: the rule cannot be used in its current form (old correlation syntax, custom fields)
- deprecated: replaced or covered by another rule, which the related field points to
- experimental: new and not tested outside a lab; may produce many false positives
- test: no obvious false positives on a limited set of test systems; may still need tuning
- stable: no obvious false positives across multiple environments over a long period

Treat experimental rules as hunting queries or low-severity alerts and promote them only after reviewing the hits in your own telemetry: the status is the author's verdict on their environments, not a measurement of yours.
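A structural check for the top-level keys and status values covered on this page, added here as illustration rather than sigma-cli's own validator (which covers far more): it flags missing required keys, a non-UUID id, unknown status or level values, an empty logsource, conditions that reference selections the detection block never defines, and malformed attack.* tags. PAGE_RULE mirrors the YAML from the top of the page as a dict; BROKEN_RULE is a constructed example that trips several of the checks.

```python
import re
import uuid
from fnmatch import fnmatchcase

# Values the Sigma specification defines for these keys.
STATUSES = {"stable", "test", "experimental", "deprecated", "unsupported"}
LEVELS = {"informational", "low", "medium", "high", "critical"}
REQUIRED = ("title", "logsource", "detection")
CONDITION_WORDS = {"and", "or", "not", "of", "them", "all"}

# In-memory form of the rule at the top of the page (what yaml.safe_load() returns).
PAGE_RULE = {
    "title": "Suspicious PowerShell Execution",
    "id": "6c9e2b4f-8a1d-4e73-b0cd-1234567890ab",
    "status": "experimental",
    "description": "Detects PowerShell started with an encoded command line.",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": r"\powershell.exe",
                      "CommandLine|contains": "-EncodedCommand"},
        "condition": "selection",
    },
    "falsepositives": ["Legitimate admin automation"],
    "level": "medium",
    "tags": ["attack.execution", "attack.t1059.001"],
}

# Constructed rule that trips several checks at once.
BROKEN_RULE = {
    "title": "Broken example",
    "id": "not-a-uuid",
    "status": "draft",
    "logsource": {"product": "windows"},
    "detection": {"selection": {"Image": "*.exe"}, "condition": "selection and not filter"},
    "level": "urgent",
    "tags": ["attack.T1059", "attack.execution"],
}


def condition_identifiers(condition: str) -> list:
    """Selection names (or patterns such as selection_*) a condition refers to."""
    tokens = re.findall(r"[\w*]+", condition)
    return [t for t in tokens if t not in CONDITION_WORDS and not t.isdigit()]


def check_rule(rule: dict) -> list:
    """Return the problems found; an empty list means the rule passes."""
    problems = []
    for key in REQUIRED:
        if key not in rule:
            problems.append(f"missing required key: {key}")
    if "id" not in rule:
        problems.append("missing id; tooling cannot track the rule across revisions")
    else:
        try:
            uuid.UUID(str(rule["id"]))
        except ValueError:
            problems.append(f"id is not a UUID: {rule['id']}")
    if "status" in rule and rule["status"] not in STATUSES:
        problems.append(f"unknown status: {rule['status']}")
    if "level" in rule and rule["level"] not in LEVELS:
        problems.append(f"unknown level: {rule['level']}")
    if not any(k in rule.get("logsource", {}) for k in ("category", "product", "service")):
        problems.append("logsource needs at least one of category, product, service")
    detection = rule.get("detection", {})
    names = [k for k in detection if k != "condition"]
    if "condition" not in detection or not names:
        problems.append("detection needs at least one selection and a condition")
    else:
        for ident in condition_identifiers(detection["condition"]):
            if not any(fnmatchcase(n, ident) for n in names):
                problems.append(f"condition references undefined selection: {ident}")
    for tag in rule.get("tags", []):
        # ATT&CK tags are lowercase: a tactic name, or tNNNN with optional .NNN sub-technique.
        if tag.startswith("attack.") and not re.fullmatch(r"attack\.(t\d{4}(\.\d{3})?|[a-z_]+)", tag):
            problems.append(f"malformed ATT&CK tag: {tag}")
    return problems
```

The undefined-selection check is the one that earns its keep in practice: a condition that names a selection which was later renamed or deleted converts cleanly in most backends and then never fires, and nothing in the SIEM tells you why.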