Sigma Rules Reference
Free reference guide: Sigma Rules Reference
About Sigma Rules Reference
The Sigma Rules Reference is a searchable cheat sheet for the Sigma detection rule language, the vendor-neutral YAML format used to write a detection once and convert it for many SIEM platforms. It includes logsource definitions for Windows, Linux, proxy, firewall, and DNS, detection selection and filter logic, condition operators, value modifiers like contains, endswith, startswith, re, base64, and all, plus the count-based aggregation syntax with timeframe support.
Beyond core syntax, this reference covers sigma-cli conversion commands for translating Sigma rules into Splunk SPL queries, Elasticsearch Lucene/DSL queries, and QRadar AQL statements. Security analysts can quickly look up how to combine selections with AND/OR logic, use pattern-matching conditions like "1 of selection*", or apply count-based aggregation with grouped-by fields.
This tool is built for SOC analysts, threat hunters, detection engineers, and security researchers who write and maintain Sigma rules for cross-platform threat detection. All content is browsable, filterable by category, and runs entirely in the browser with no server processing.
Key Features
- Logsource definitions for Windows, Linux, proxy, firewall, and DNS event categories
- Detection logic examples with selection, filter, keywords, and OR combinations
- Condition operators including "all of them", "1 of them", NOT, and wildcard pattern matching
- Value modifiers reference: contains, endswith, startswith, re, base64, and all
- Aggregation functions with count(), count(field) by, and timeframe settings
- Sigma-cli conversion examples for Splunk, Elasticsearch, and QRadar output targets
- Filterable categories: Log Sources, Detection, Conditions, Modifiers, Aggregation, Conversion
- Fully client-side with dark mode support across desktop, tablet, and mobile devices
Frequently Asked Questions
What is the Sigma rule language?
Sigma is a generic, open-source, YAML-based signature format for SIEM systems. It allows security analysts to write detection logic once and convert it to platform-specific queries for Splunk, Elasticsearch, QRadar, Microsoft Sentinel, and other SIEM tools using sigma-cli, which is built on the pySigma library and its per-target backend plugins.
How do I define a logsource in a Sigma rule?
A logsource block specifies the product (e.g., windows, linux), service (e.g., security, syslog), and category (e.g., process_creation, proxy). All three keys are optional, but the rule should be as specific as its data allows: a generic category such as process_creation is what lets a processing pipeline (for example the sysmon pipeline) map the rule onto the concrete event source and field names of your environment at conversion time. This reference includes ready-to-use logsource templates for Windows event logs, Linux syslog, proxy/web filters, firewall traffic, and DNS queries.
What is the difference between selection and filter in Sigma detection?
A selection defines the positive matching criteria (what you want to detect), while a filter defines exclusion criteria. Neither name is special to Sigma; they are conventional names for definitions under the detection block, and it is the condition that gives them meaning, typically "selection and not filter", to reduce false positives while still catching true threats. Keep filters narrow: an over-broad filter (for example excluding everything launched from a system directory) silently creates a blind spot.
How do Sigma value modifiers work?
Value modifiers are appended to field names with a pipe character and can be chained; they are applied in order. For example, CommandLine|contains matches substrings, Image|endswith matches the end of a file path (the usual way to match an executable name regardless of its directory), |re applies a regular expression, |base64 base64-encodes the rule value before matching so you can search for an encoded string without hard-coding its encoded form, and |contains|all requires all listed values to be present in the field instead of the default any-of behaviour of a list. Plain values without a modifier support the * and ? wildcards, and string comparisons are case-insensitive by default.
What does "1 of selection*" mean in a Sigma condition?
The "1 of selection*" syntax uses a wildcard pattern to combine multiple named definitions. It evaluates to true if at least one of the definitions whose names start with "selection" matches, and "all of selection*" requires every one of them to match. "all of them" and "1 of them" refer to every definition under the detection block, filters included, so once a rule has a filter, "all of them" is rarely what you want; use the wildcard forms instead.
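To make the selection/filter, modifier and condition semantics above concrete, here is a small matcher that evaluates a rule against process-creation events. It is added here as an illustration; it is not code from the reference, from sigma-cli or from pySigma, and it implements only the subset described on this page (contains, startswith, endswith, re, base64, all, plain wildcards, null, keyword lists, and the and/or/not, "1 of" and "all of" condition forms). The rule, the event records and the field names in them are constructed for the example; real conversion and matching belong to pySigma and your SIEM.

```python
import base64
import re

# Constructed rule (the dict PyYAML would load from its YAML); an added illustration, not from the reference.
RULE = {
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection_img": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
        "cmd_enc": {"CommandLine|contains|all": ["-enc", "-nop"]},
        "cmd_b64": {"CommandLine|base64|contains": "Invoke-Mimikatz"},
        "filter_parent": {"ParentImage|endswith": "\\explorer.exe"},
        "condition": "selection_img and 1 of cmd_* and not filter_parent",
    },
}

# Constructed process-creation events, not real telemetry.
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # alert
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # filtered out
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",  # alert via cmd_b64
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "pwsh -c SW52b2tlLU1pbWlrYXR6"},  # base64('Invoke-Mimikatz')
]

def wildcard_regex(value):
    """Plain Sigma value: '*' = any run, '?' = one char; matching is case-insensitive."""
    pat = re.escape(value).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{pat}$", re.IGNORECASE | re.DOTALL)

def match_value(field_val, pattern, mods):
    if "base64" in mods:  # the *rule* value is base64-encoded, then compared as usual
        pattern = base64.b64encode(pattern.encode()).decode()
    if "re" in mods:
        return re.search(pattern, field_val) is not None
    f, p = field_val.casefold(), pattern.casefold()  # Sigma string matches ignore case
    if "contains" in mods:
        return p in f
    if "startswith" in mods:
        return f.startswith(p)
    if "endswith" in mods:
        return f.endswith(p)
    return wildcard_regex(pattern).match(field_val) is not None

def match_item(event, key, spec):
    """One 'Field|mod|mod: value(s)' line. A list is OR unless '|all' is present."""
    field, *mods = key.split("|")
    if spec is None:  # 'Field: null' matches only when the field is absent
        return field not in event
    if field not in event:
        return False
    values = spec if isinstance(spec, list) else [spec]
    hits = [match_value(str(event[field]), str(v), mods) for v in values]
    return all(hits) if "all" in mods else any(hits)

def match_definition(event, definition):
    """Map: items are ANDed. List: free-text keywords, matched in any field value."""
    if isinstance(definition, list):
        return any(match_value(str(v), str(k), ["contains"]) for k in definition for v in event.values())
    return all(match_item(event, k, v) for k, v in definition.items())

def evaluate_condition(condition, matched):
    """and/or/not, parentheses, '1 of X*', 'all of X*', '1 of them', 'all of them'.
    A trailing '| count() ...' aggregation is stripped and ignored here."""
    toks = re.findall(r"\(|\)|[^\s()]+", condition.split("|")[0])
    peek = lambda: toks[0] if toks else None
    def names(pattern):  # 'them' = every definition in the rule, filters included
        rx = wildcard_regex("*" if pattern == "them" else pattern)
        return [n for n in matched if rx.match(n)]
    def factor():
        tok = toks.pop(0)
        if tok == "not":
            return not factor()
        if tok == "(":
            val = expr()
            toks.pop(0)  # the closing ')'
            return val
        if tok in ("1", "all") and peek() == "of":
            toks.pop(0)
            hits = [matched[n] for n in names(toks.pop(0))]
            return all(hits) if tok == "all" else any(hits)
        return matched[tok]
    def chain(sub, op, combine):  # left-assoc chain; 'and' binds tighter than 'or'
        val = sub()
        while peek() == op:
            toks.pop(0)
            val = combine(val, sub())
        return val
    term = lambda: chain(factor, "and", lambda a, b: a and b)
    expr = lambda: chain(term, "or", lambda a, b: a or b)
    return expr()

def sigma_match(rule, event):
    det = rule["detection"]
    matched = {n: match_definition(event, d) for n, d in det.items() if n != "condition"}
    return evaluate_condition(det["condition"], matched)
```

Evaluating the three events gives [True, False, True]: the second event carries the same encoded command line as the first but is excluded by filter_parent, and the third matches through cmd_b64 because the rule value is encoded at match time, so the rule never hard-codes a base64 string. The names() helper also shows why "all of them" is a trap: "them" expands to every definition, filters included.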
How do I use aggregation and timeframe in Sigma rules?
Aggregation conditions are appended to the condition with a pipe, as in "selection | count() > 10" combined with a timeframe of "5m", and fire when the count exceeds the threshold within the time window. You can also count a field grouped by another field, such as "selection | count(TargetUserName) by SourceIP > 5", which alerts on any source IP that failed logons against more than five distinct user names and so catches password spraying; count(field) counts distinct values of that field, while count() counts events. Note that the Sigma specification has deprecated this in-condition aggregation syntax in favour of separate correlation rules, and current pySigma-based converters reject it, so treat it as legacy syntax when targeting sigma-cli.
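A worked example of the count-with-timeframe semantics, added here and not taken from the reference or from any Sigma backend: it runs count(TargetUserName) by SourceIP > 5 and plain count() by SourceIP > 5 over constructed failed-logon events with a 5-minute window. The field names SourceIP and TargetUserName follow the FAQ above; the ts key, the event shape and the sliding-window evaluation are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

def parse_timeframe(tf):
    """Sigma timeframe string ('30s', '5m', '2h', '1d') -> seconds."""
    m = re.fullmatch(r"(\d+)([smhd])", tf)
    if not m:
        raise ValueError(f"unsupported timeframe: {tf!r}")
    return int(m.group(1)) * {"s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]

def count_by(events, count_field, by_field, threshold, timeframe):
    """Emulate `selection | count(count_field) by by_field > threshold` with a
    `timeframe`, over events that already matched the selection.
    count(field) counts *distinct* values of the field (the legacy sigmac Splunk
    backend rendered it as dc(field)); count_field=None is count(), i.e. events.
    A sliding window is used here; many backends approximate the timeframe with
    fixed time buckets instead. Returns {group: (first alert time, value)}."""
    window_s = parse_timeframe(timeframe)
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        groups[ev[by_field]].append(ev)
    hits = {}
    for group, evs in groups.items():
        window = []
        for ev in evs:
            window.append(ev)
            window = [w for w in window if (ev["ts"] - w["ts"]).total_seconds() <= window_s]
            value = len(window) if count_field is None else len({w[count_field] for w in window})
            if value > threshold:
                hits[group] = (ev["ts"].isoformat(), value)
                break  # report the first time this group crosses the threshold
    return hits

def failed_logon(ts, ip, user):
    """Constructed Windows 4625 (failed logon) event; not real telemetry."""
    return {"EventID": 4625, "ts": ts, "SourceIP": ip, "TargetUserName": user}

BASE = datetime(2024, 5, 1, 10, 0, 0)
EVENTS = (
    # 10.0.0.5: six different accounts within 100 seconds (password spray)
    [failed_logon(BASE + timedelta(seconds=20 * i), "10.0.0.5", u)
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # 10.0.0.9: one account hammered eight times in 3.5 minutes (single-user brute force)
    + [failed_logon(BASE + timedelta(seconds=30 * i), "10.0.0.9", "svc_backup") for i in range(8)]
    # 10.0.0.7: six accounts spread over 12.5 minutes; never more than 3 in any 5m window
    + [failed_logon(BASE + timedelta(seconds=150 * i), "10.0.0.7", u)
       for i, u in enumerate(["gwen", "hal", "ivy", "jo", "kim", "lee"])]
)

if __name__ == "__main__":
    # count(TargetUserName) by SourceIP > 5 in 5m: only the spray from 10.0.0.5 trips it
    print(count_by(EVENTS, "TargetUserName", "SourceIP", 5, "5m"))
    # count() by SourceIP > 5 in 5m: the single-user brute force from 10.0.0.9 trips it too
    print(count_by(EVENTS, None, "SourceIP", 5, "5m"))
```

The two runs differ only in the count target, which is the distinction that matters when writing the rule: count(TargetUserName) flags the spray but stays silent on eight failures against one account, while count() flags both and misses nothing but also fires on a user who mistyped a password a few times. The 10.0.0.7 events show the timeframe doing its job: six distinct accounts in total, but never more than three inside any five-minute window.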
How do I convert Sigma rules to Splunk or Elasticsearch queries?
Use sigma-cli with the appropriate target backend, installed as a plugin with "sigma plugin install <name>": "sigma convert -t splunk -p sysmon rule.yml" produces Splunk SPL, with the sysmon processing pipeline mapping generic logsources such as process_creation onto Sysmon event IDs and field names; "sigma convert -t lucene rule.yml" produces a Lucene query string for Elasticsearch, and adding "-f dsl_lucene" wraps that query in an Elasticsearch Query DSL request body. This reference shows example output for each.
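To take some of the mystery out of what a backend emits, here is a hand-rolled rendering of the modifier-to-query mapping for Splunk SPL and Lucene query syntax. It is added as an illustration and is not sigma-cli or pySigma code; it only approximates their output (the real backends parse the full condition grammar, apply pipeline field mappings, and handle more escaping cases). The detection block is constructed for the example, and only the "selection and not filter" condition shape is rendered.

```python
import re

# Constructed detection block in the "selection and not filter" shape; an added
# illustration, not a rule from the reference.
DETECTION = {
    "selection": {
        "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
        "CommandLine|contains|all": ["-enc", "-nop"],
    },
    "filter": {"ParentImage|endswith": "\\explorer.exe"},
    "condition": "selection and not filter",
}

def apply_modifiers(value, mods):
    """contains/startswith/endswith become '*' wildcards around the literal."""
    if "contains" in mods:
        return f"*{value}*"
    if "startswith" in mods:
        return f"{value}*"
    if "endswith" in mods:
        return f"*{value}"
    return value

def spl_term(field, value):
    """Splunk SPL: Field="value"; backslashes and quotes are escaped, '*' stays a wildcard."""
    value = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{field}="{value}"'

def lucene_term(field, value):
    """Lucene query syntax: Field:value; escape Lucene metacharacters, keep our '*'."""
    value = re.sub(r'([+\-=&|!(){}\[\]^"~:\\/ ])', r"\\\1", value)
    return f"{field}:{value}"

def definition_to_query(definition, term):
    """Render one named definition: items are ANDed, list values ORed ('|all' -> AND)."""
    clauses = []
    for key, spec in definition.items():
        field, *mods = key.split("|")
        values = spec if isinstance(spec, list) else [spec]
        terms = [term(field, apply_modifiers(str(v), mods)) for v in values]
        joiner = " AND " if "all" in mods else " OR "
        clauses.append(terms[0] if len(terms) == 1 else "(" + joiner.join(terms) + ")")
    return " AND ".join(clauses)

def convert(detection, term):
    """Handles only 'selection [and not filter]'; real backends parse the full
    condition grammar and apply pipeline field mappings before rendering."""
    if detection["condition"].replace(" ", "") not in ("selection", "selectionandnotfilter"):
        raise ValueError("this toy converter only renders 'selection [and not filter]'")
    query = definition_to_query(detection["selection"], term)
    if "filter" in detection:
        query += " AND NOT (" + definition_to_query(detection["filter"], term) + ")"
    return query

if __name__ == "__main__":
    print("SPL:   ", convert(DETECTION, spl_term))
    print("Lucene:", convert(DETECTION, lucene_term))
```

The two outputs differ mainly in escaping: SPL wants the path backslash doubled inside the quoted value, while Lucene query syntax needs a backslash before each of its metacharacters, including hyphens, which Lucene can otherwise read as a prohibit operator. That escaping is exactly the class of mistake hand-translated queries get wrong and converters exist to prevent.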
Is this Sigma reference free to use?
Yes, this Sigma Rules Reference is completely free with no account required. It runs entirely in your browser, so no rule data is uploaded to any server. It is part of liminfo.com's collection of free developer and security tools.