Documentation
How to use this tool, practical use cases, and technical notes.
Creating a Sigma rule with this tool takes approximately 5 minutes. Here is a complete step-by-step walkthrough, including guidance on making effective choices at each configuration step.
Step 1 — Choose a Detection Template (Optional)
Start by selecting one of the four built-in detection templates if your use case matches a common scenario:
Template | When to Use It |
|---|---|
PowerShell download | Detecting download cradles, encoded PowerShell, living-off-the-land binaries using |
SSH brute force | Detecting repeated failed authentication attempts against SSH on Linux hosts |
Registry run key | Detecting persistence via |
Web shell upload | Detecting suspicious file uploads with .php, .jsp, .aspx extensions in web server directories |
Selecting a template pre-populates the Rule definition fields with sensible defaults. You can override any field after selecting a template. If your use case doesn't match a template, leave the template unselected and fill in all fields manually.
Step 2 — Write Your Title
The title appears as the human-readable name for the rule in your SIEM and in any rule repositories where you publish it. Follow these conventions for professional-quality titles:
Good Title Practice | Example |
|---|---|
Start with an action verb describing what is detected |
|
Be specific enough to distinguish from similar rules |
|
Include the platform or context when relevant |
|
Avoid abbreviations that aren't universally understood | Write |
Keep under 80 characters | Titles truncate in many SIEM interfaces |
Step 3 — Write Your Description
The description field is your opportunity to explain what the rule detects, why it matters, and what an analyst should investigate when it fires. A good description reduces mean time to respond (MTTR) because the analyst doesn't need to reverse-engineer the rule logic to understand the alert.
Description template:
Detects [specific behavior] on [platform/log source] which may indicate
[attack technique or threat actor behavior]. Investigate [what to look at]
and check for [related indicators].Example:
Detects use of PowerShell DownloadString method in command-line arguments,
which is commonly used in download cradle techniques to pull and execute
payloads from remote URLs. Investigate the source URL and parent process.
Check for lateral movement or staged payload delivery.Step 4 — Select Your Log Source
The log source defines which platform and log category the rule applies to. This is one of the most important fields in a Sigma rule because it determines which events the rule is evaluated against during SIEM conversion:
Log Source Option | Product | Service | Typical Log Format | Common SIEM Source |
|---|---|---|---|---|
Windows | windows | security | Windows Event Log | Winlogbeat, NXLog, Windows Event Collector |
Linux | linux | auth | Syslog / journald | Filebeat, rsyslog, Fluentd |
macOS | macos | — | Unified Log, Syslog | Osquery, Fluentd |
AWS | aws | cloudtrail | JSON (CloudTrail) | Kinesis, Splunk AWS Add-on |
Nginx | nginx | — | Access/error logs | Filebeat Nginx module |
Choosing the right log source is critical. A rule with product: windows will not match Linux auth logs, even if the detection keyword appears in both. If you need to detect the same behavior across multiple platforms, create separate rules for each log source.
Step 5 — Set Severity Level
Choose the severity level that reflects how urgently this rule should be triaged when it fires. The severity field maps to alert priority in most SIEMs:
Level | Meaning | Typical SIEM Priority | Analyst Response Expectation |
|---|---|---|---|
informational | Baseline / audit events; low signal value alone | Low / Info | Review in daily triage, batch processing |
low | Weak indicators; high false positive rate expected | Low | Review weekly or in batch |
medium | Moderate confidence; investigate in context | Medium | Review within business hours |
high | Strong indicator of malicious activity | High | Respond within 1–4 hours |
critical | Near-certain malicious activity; immediate threat | Critical / P1 | Immediate response required |
Calibrating severity honestly: Most new detection rules should start at medium or low until you have observed their false positive rate in your environment. Setting everything to high or critical causes alert fatigue and trains analysts to ignore severity levels.
Step 6 — Select the Detection Field
The detection field specifies which field in the log event the keyword will be matched against. Choosing the right field determines whether the rule will actually fire on the events you're targeting:
Detection Field | What It Represents | Relevant Log Source | Example Value |
|---|---|---|---|
CommandLine | Full command line including arguments passed to the process | Windows (Sysmon Event ID 1, Security 4688) |
|
Image | Full path to the executable image | Windows (Sysmon Event ID 1, 7) |
|
TargetObject | Registry key or value being modified | Windows (Sysmon Event ID 13) |
|
EventID | Numeric Windows Event ID | Windows Security / System |
|
Field availability depends on your log collection configuration. CommandLine enrichment requires Windows Security audit policy 4688 with command line logging enabled, or Sysmon Event ID 1. Without the right logging configuration, rules targeting these fields will never fire even if the attack occurs.
Step 7 — Enter Your Detection Keyword
This is the string that will be searched for in the selected detection field using a contains match. The generated rule will use the |contains modifier, which performs a case-insensitive substring match.
Keyword Type | Example | Notes |
|---|---|---|
Specific function name |
| High precision, low false positives |
File path fragment |
| Moderate precision; used for persistence paths |
Command fragment |
| Lower precision; combine with Image field |
Registry path |
| High precision for run key persistence |
Network indicator |
| Useful but broad; tune with additional conditions |
Suspicious flag |
| Very specific; very low FP rate |
Avoid keywords that are too broad. A keyword like powershell in the CommandLine field will match virtually every PowerShell execution in your environment and generate enormous false positive volume.
Step 8 — Add MITRE ATT&CK Tags
Enter MITRE ATT&CK technique IDs as comma-separated values. The tool formats them correctly as attack.tXXXX.XXX in the generated YAML. Tagging rules with ATT&CK techniques enables:
Coverage mapping in tools like MITRE ATT&CK Navigator
Automatic technique enrichment in SIEMs that parse Sigma tags
Filtering and grouping rules by tactic or technique in rule repositories
Tag format examples
What You Type | Generated Tag | Technique Name |
|---|---|---|
|
| PowerShell |
|
| Brute Force |
|
| Registry Run Keys / Startup Folder |
|
| Web Shell |
|
| Tactic-level tag |
You can include both tactic-level tags (e.g., attack.execution) and technique-level tags (e.g., attack.t1059.001) in the same rule for maximum discoverability.
Step 9 — Review the Live YAML
As you fill in the form fields, the YAML preview updates in real time. Review the complete output for:
Correct field indentation (YAML is whitespace-sensitive)
Logical accuracy of the
detectionblockAppropriate severity for your environment
Presence of the stable rule UUID (
idfield)
Step 10 — Copy and Export
Click "Copy YAML" to copy the rule to your clipboard. From there you can:
Next Step | How |
|---|---|
Convert to Splunk |
|
Convert to Elastic |
|
Convert to Sentinel |
|
Convert to Chronicle |
|
Save to rule repository | Paste into |
Submit to SigmaHQ | Fork github.com/SigmaHQ/sigma; open a PR |
Extend in editor | Add |
The Rule ID: The UUID in the id field remains stable until you click the refresh button. Never change a rule's id after it has been deployed — it is the stable identifier used for rule management, deduplication, and versioning across rule repositories and SIEM platforms.
Creating a Sigma rule with this tool takes approximately 5 minutes. Here is a complete step-by-step walkthrough, including guidance on making effective choices at each configuration step.
Step 1 — Choose a Detection Template (Optional)
Start by selecting one of the four built-in detection templates if your use case matches a common scenario:
Template | When to Use It |
|---|---|
PowerShell download | Detecting download cradles, encoded PowerShell, living-off-the-land binaries using |
SSH brute force | Detecting repeated failed authentication attempts against SSH on Linux hosts |
Registry run key | Detecting persistence via |
Web shell upload | Detecting suspicious file uploads with .php, .jsp, .aspx extensions in web server directories |
Selecting a template pre-populates the Rule definition fields with sensible defaults. You can override any field after selecting a template. If your use case doesn't match a template, leave the template unselected and fill in all fields manually.
Step 2 — Write Your Title
The title appears as the human-readable name for the rule in your SIEM and in any rule repositories where you publish it. Follow these conventions for professional-quality titles:
Good Title Practice | Example |
|---|---|
Start with an action verb describing what is detected |
|
Be specific enough to distinguish from similar rules |
|
Include the platform or context when relevant |
|
Avoid abbreviations that aren't universally understood | Write |
Keep under 80 characters | Titles truncate in many SIEM interfaces |
Step 3 — Write Your Description
The description field is your opportunity to explain what the rule detects, why it matters, and what an analyst should investigate when it fires. A good description reduces mean time to respond (MTTR) because the analyst doesn't need to reverse-engineer the rule logic to understand the alert.
Description template:
Detects [specific behavior] on [platform/log source] which may indicate
[attack technique or threat actor behavior]. Investigate [what to look at]
and check for [related indicators].Example:
Detects use of PowerShell DownloadString method in command-line arguments,
which is commonly used in download cradle techniques to pull and execute
payloads from remote URLs. Investigate the source URL and parent process.
Check for lateral movement or staged payload delivery.Step 4 — Select Your Log Source
The log source defines which platform and log category the rule applies to. This is one of the most important fields in a Sigma rule because it determines which events the rule is evaluated against during SIEM conversion:
Log Source Option | Product | Service | Typical Log Format | Common SIEM Source |
|---|---|---|---|---|
Windows | windows | security | Windows Event Log | Winlogbeat, NXLog, Windows Event Collector |
Linux | linux | auth | Syslog / journald | Filebeat, rsyslog, Fluentd |
macOS | macos | — | Unified Log, Syslog | Osquery, Fluentd |
AWS | aws | cloudtrail | JSON (CloudTrail) | Kinesis, Splunk AWS Add-on |
Nginx | nginx | — | Access/error logs | Filebeat Nginx module |
Choosing the right log source is critical. A rule with product: windows will not match Linux auth logs, even if the detection keyword appears in both. If you need to detect the same behavior across multiple platforms, create separate rules for each log source.
Step 5 — Set Severity Level
Choose the severity level that reflects how urgently this rule should be triaged when it fires. The severity field maps to alert priority in most SIEMs:
Level | Meaning | Typical SIEM Priority | Analyst Response Expectation |
|---|---|---|---|
informational | Baseline / audit events; low signal value alone | Low / Info | Review in daily triage, batch processing |
low | Weak indicators; high false positive rate expected | Low | Review weekly or in batch |
medium | Moderate confidence; investigate in context | Medium | Review within business hours |
high | Strong indicator of malicious activity | High | Respond within 1–4 hours |
critical | Near-certain malicious activity; immediate threat | Critical / P1 | Immediate response required |
Calibrating severity honestly: Most new detection rules should start at medium or low until you have observed their false positive rate in your environment. Setting everything to high or critical causes alert fatigue and trains analysts to ignore severity levels.
Step 6 — Select the Detection Field
The detection field specifies which field in the log event the keyword will be matched against. Choosing the right field determines whether the rule will actually fire on the events you're targeting:
Detection Field | What It Represents | Relevant Log Source | Example Value |
|---|---|---|---|
CommandLine | Full command line including arguments passed to the process | Windows (Sysmon Event ID 1, Security 4688) |
|
Image | Full path to the executable image | Windows (Sysmon Event ID 1, 7) |
|
TargetObject | Registry key or value being modified | Windows (Sysmon Event ID 13) |
|
EventID | Numeric Windows Event ID | Windows Security / System |
|
Field availability depends on your log collection configuration. CommandLine enrichment requires Windows Security audit policy 4688 with command line logging enabled, or Sysmon Event ID 1. Without the right logging configuration, rules targeting these fields will never fire even if the attack occurs.
Step 7 — Enter Your Detection Keyword
This is the string that will be searched for in the selected detection field using a contains match. The generated rule will use the |contains modifier, which performs a case-insensitive substring match.
Keyword Type | Example | Notes |
|---|---|---|
Specific function name |
| High precision, low false positives |
File path fragment |
| Moderate precision; used for persistence paths |
Command fragment |
| Lower precision; combine with Image field |
Registry path |
| High precision for run key persistence |
Network indicator |
| Useful but broad; tune with additional conditions |
Suspicious flag |
| Very specific; very low FP rate |
Avoid keywords that are too broad. A keyword like powershell in the CommandLine field will match virtually every PowerShell execution in your environment and generate enormous false positive volume.
Step 8 — Add MITRE ATT&CK Tags
Enter MITRE ATT&CK technique IDs as comma-separated values. The tool formats them correctly as attack.tXXXX.XXX in the generated YAML. Tagging rules with ATT&CK techniques enables:
Coverage mapping in tools like MITRE ATT&CK Navigator
Automatic technique enrichment in SIEMs that parse Sigma tags
Filtering and grouping rules by tactic or technique in rule repositories
Tag format examples
What You Type | Generated Tag | Technique Name |
|---|---|---|
|
| PowerShell |
|
| Brute Force |
|
| Registry Run Keys / Startup Folder |
|
| Web Shell |
|
| Tactic-level tag |
You can include both tactic-level tags (e.g., attack.execution) and technique-level tags (e.g., attack.t1059.001) in the same rule for maximum discoverability.
Step 9 — Review the Live YAML
As you fill in the form fields, the YAML preview updates in real time. Review the complete output for:
Correct field indentation (YAML is whitespace-sensitive)
Logical accuracy of the
detectionblockAppropriate severity for your environment
Presence of the stable rule UUID (
idfield)
Step 10 — Copy and Export
Click "Copy YAML" to copy the rule to your clipboard. From there you can:
Next Step | How |
|---|---|
Convert to Splunk |
|
Convert to Elastic |
|
Convert to Sentinel |
|
Convert to Chronicle |
|
Save to rule repository | Paste into |
Submit to SigmaHQ | Fork github.com/SigmaHQ/sigma; open a PR |
Extend in editor | Add |
The Rule ID: The UUID in the id field remains stable until you click the refresh button. Never change a rule's id after it has been deployed — it is the stable identifier used for rule management, deduplication, and versioning across rule repositories and SIEM platforms.