Sigma — SIEM

OSS (Detection Rule Licence 1.1) · SigmaHQ · SigmaHQ/sigma · Docs · CLI: SigmaHQ/sigma-cli (LGPL-2.1) for cross-SIEM compilation.

What Sigma does

Sigma is a vendor-neutral signature format for SIEM detection rules. A rule written once in Sigma YAML compiles — via the sigma-cli tool — to Splunk SPL, Elastic Query DSL, Microsoft Sentinel KQL, QRadar AQL, Chronicle, and a long list of other backends. You write the detection logic once and let the toolchain translate it for whichever SIEM you’re paying for this quarter.

Sigma belongs in vulnerability management for the cases where you can’t fix at the code layer and can’t block at the network layer either. The mitigation is detection: you won’t stop the attack, but you’ll see it land the moment it happens. A Sigma rule deployed to your SIEM is evidence that you have visibility into exploitation attempts — which supports an OpenVEX statement of affected with workaround_available, especially while a patch is in flight.

SIEM rules aren’t SBOM components, so the attestation is always OpenVEX.

Rule structure

Writing a detection rule

title: CVE-XXXX-XXXX Path Traversal Attempt
id: a1b2c3d4-0000-0000-0000-000000000001
status: experimental
description: Detects path traversal exploit attempts against CVE-XXXX-XXXX
author: vuln-coordinator
date: 2026-05-14
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri-stem|contains: '/../'
  condition: selection
falsepositives:
  - Legitimate URL encoding edge cases
level: high
title: CVE-XXXX-XXXX Exploitation via Privilege Escalation
id: a1b2c3d4-0000-0000-0000-000000000002
status: test
description: Detects post-exploitation activity from CVE-XXXX-XXXX on Windows
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    ParentImage|endswith: '\vulnerable_service.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
  condition: selection
level: critical
# Compile Sigma rule to Splunk SPL
sigma convert \
  --target splunk \
  --pipeline splunk_windows \
  CVE-XXXX-XXXX-detection.yaml
# Compile Sigma rule to Elastic Query DSL
sigma convert \
  --target elasticsearch \
  --pipeline ecs_windows \
  CVE-XXXX-XXXX-detection.yaml

Testing the rule

OpenVEX outcome

See also