Security Tools

Sigma Rule Generator

Draft Sigma detection rules in YAML format.

beginner5 minRuns in your browser

Interactive workspace

Inputs stay on your device — nothing is sent to our servers unless you choose to share.

Client-side only

Rule definition

Live YAML

suspicious_powershell_download.yml

id: 9eea1a76-cd79-4ef4-bd61-e4903d118b1e

title: Suspicious PowerShell Download
id: 9eea1a76-cd79-4ef4-bd61-e4903d118b1e
status: experimental
description: Detects encoded PowerShell download cradle
logsource:
  product: windows
  service: security
detection:
  selection:
    CommandLine|contains: 'DownloadString'
  condition: selection
level: medium
tags:
  - attack.execution
  - attack.t1059.001

Detection templates

Sigma rules

Sigma is a vendor-neutral detection format. Export YAML to your SIEM converter (Splunk, Elastic, Chronicle) or the Sigma CLI. This generator covers simple contains conditions — extend for complex logic in your editor.

Rule ID stays stable until you click refresh — required for Sigma rule management and versioning.

Documentation

How to use this tool, practical use cases, and technical notes.

Creating a Sigma rule with this tool takes approximately 5 minutes. Here is a complete step-by-step walkthrough, including guidance on making effective choices at each configuration step.

Step 1 — Choose a Detection Template (Optional)

Start by selecting one of the four built-in detection templates if your use case matches a common scenario:

Template

When to Use It

PowerShell download

Detecting download cradles, encoded PowerShell, living-off-the-land binaries using DownloadString, IEX, or Invoke-WebRequest

SSH brute force

Detecting repeated failed authentication attempts against SSH on Linux hosts

Registry run key

Detecting persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run or similar autorun locations

Web shell upload

Detecting suspicious file uploads with .php, .jsp, .aspx extensions in web server directories

Selecting a template pre-populates the Rule definition fields with sensible defaults. You can override any field after selecting a template. If your use case doesn't match a template, leave the template unselected and fill in all fields manually.

Step 2 — Write Your Title

The title appears as the human-readable name for the rule in your SIEM and in any rule repositories where you publish it. Follow these conventions for professional-quality titles:

Good Title Practice

Example

Start with an action verb describing what is detected

Detects, Suspicious, Potential

Be specific enough to distinguish from similar rules

Suspicious PowerShell DownloadString Cradle not PowerShell Activity

Include the platform or context when relevant

Windows — Registry Run Key Persistence

Avoid abbreviations that aren't universally understood

Write Command and Control not C2 in titles

Keep under 80 characters

Titles truncate in many SIEM interfaces

Step 3 — Write Your Description

The description field is your opportunity to explain what the rule detects, why it matters, and what an analyst should investigate when it fires. A good description reduces mean time to respond (MTTR) because the analyst doesn't need to reverse-engineer the rule logic to understand the alert.

Description template:

Detects [specific behavior] on [platform/log source] which may indicate 
[attack technique or threat actor behavior]. Investigate [what to look at] 
and check for [related indicators].

Example:

Detects use of PowerShell DownloadString method in command-line arguments, 
which is commonly used in download cradle techniques to pull and execute 
payloads from remote URLs. Investigate the source URL and parent process. 
Check for lateral movement or staged payload delivery.

Step 4 — Select Your Log Source

The log source defines which platform and log category the rule applies to. This is one of the most important fields in a Sigma rule because it determines which events the rule is evaluated against during SIEM conversion:

Log Source Option

Product

Service

Typical Log Format

Common SIEM Source

Windows

windows

security

Windows Event Log

Winlogbeat, NXLog, Windows Event Collector

Linux

linux

auth

Syslog / journald

Filebeat, rsyslog, Fluentd

macOS

macos

Unified Log, Syslog

Osquery, Fluentd

AWS

aws

cloudtrail

JSON (CloudTrail)

Kinesis, Splunk AWS Add-on

Nginx

nginx

Access/error logs

Filebeat Nginx module

Choosing the right log source is critical. A rule with product: windows will not match Linux auth logs, even if the detection keyword appears in both. If you need to detect the same behavior across multiple platforms, create separate rules for each log source.

Step 5 — Set Severity Level

Choose the severity level that reflects how urgently this rule should be triaged when it fires. The severity field maps to alert priority in most SIEMs:

Level

Meaning

Typical SIEM Priority

Analyst Response Expectation

informational

Baseline / audit events; low signal value alone

Low / Info

Review in daily triage, batch processing

low

Weak indicators; high false positive rate expected

Low

Review weekly or in batch

medium

Moderate confidence; investigate in context

Medium

Review within business hours

high

Strong indicator of malicious activity

High

Respond within 1–4 hours

critical

Near-certain malicious activity; immediate threat

Critical / P1

Immediate response required

Calibrating severity honestly: Most new detection rules should start at medium or low until you have observed their false positive rate in your environment. Setting everything to high or critical causes alert fatigue and trains analysts to ignore severity levels.

Step 6 — Select the Detection Field

The detection field specifies which field in the log event the keyword will be matched against. Choosing the right field determines whether the rule will actually fire on the events you're targeting:

Detection Field

What It Represents

Relevant Log Source

Example Value

CommandLine

Full command line including arguments passed to the process

Windows (Sysmon Event ID 1, Security 4688)

powershell.exe -enc JABj...

Image

Full path to the executable image

Windows (Sysmon Event ID 1, 7)

C:\Windows\System32\cmd.exe

TargetObject

Registry key or value being modified

Windows (Sysmon Event ID 13)

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\malware

EventID

Numeric Windows Event ID

Windows Security / System

4625 (failed logon)

Field availability depends on your log collection configuration. CommandLine enrichment requires Windows Security audit policy 4688 with command line logging enabled, or Sysmon Event ID 1. Without the right logging configuration, rules targeting these fields will never fire even if the attack occurs.

Step 7 — Enter Your Detection Keyword

This is the string that will be searched for in the selected detection field using a contains match. The generated rule will use the |contains modifier, which performs a case-insensitive substring match.

Keyword Type

Example

Notes

Specific function name

DownloadString

High precision, low false positives

File path fragment

\AppData\Roaming\

Moderate precision; used for persistence paths

Command fragment

-enc (encoded PowerShell)

Lower precision; combine with Image field

Registry path

CurrentVersion\Run

High precision for run key persistence

Network indicator

http:// in CommandLine

Useful but broad; tune with additional conditions

Suspicious flag

--no-auth

Very specific; very low FP rate

Avoid keywords that are too broad. A keyword like powershell in the CommandLine field will match virtually every PowerShell execution in your environment and generate enormous false positive volume.

Step 8 — Add MITRE ATT&CK Tags

Enter MITRE ATT&CK technique IDs as comma-separated values. The tool formats them correctly as attack.tXXXX.XXX in the generated YAML. Tagging rules with ATT&CK techniques enables:

  • Coverage mapping in tools like MITRE ATT&CK Navigator

  • Automatic technique enrichment in SIEMs that parse Sigma tags

  • Filtering and grouping rules by tactic or technique in rule repositories

Tag format examples

What You Type

Generated Tag

Technique Name

t1059.001

attack.t1059.001

PowerShell

t1110

attack.t1110

Brute Force

t1547.001

attack.t1547.001

Registry Run Keys / Startup Folder

t1505.003

attack.t1505.003

Web Shell

execution

attack.execution

Tactic-level tag

You can include both tactic-level tags (e.g., attack.execution) and technique-level tags (e.g., attack.t1059.001) in the same rule for maximum discoverability.

Step 9 — Review the Live YAML

As you fill in the form fields, the YAML preview updates in real time. Review the complete output for:

  • Correct field indentation (YAML is whitespace-sensitive)

  • Logical accuracy of the detection block

  • Appropriate severity for your environment

  • Presence of the stable rule UUID (id field)

Step 10 — Copy and Export

Click "Copy YAML" to copy the rule to your clipboard. From there you can:

Next Step

How

Convert to Splunk

sigma convert -t splunk rule.yml

Convert to Elastic

sigma convert -t elasticsearch rule.yml

Convert to Sentinel

sigma convert -t sentinelasim rule.yml

Convert to Chronicle

sigma convert -t chronicle rule.yml

Save to rule repository

Paste into .yml file; commit to Git

Submit to SigmaHQ

Fork github.com/SigmaHQ/sigma; open a PR

Extend in editor

Add falsepositives, author, date, references fields

The Rule ID: The UUID in the id field remains stable until you click the refresh button. Never change a rule's id after it has been deployed — it is the stable identifier used for rule management, deduplication, and versioning across rule repositories and SIEM platforms.