Sigma
Detection Format

Appearance

Open Source

Introducing new SigmaHQ Rule Packs

SIEM Detection Format

The shareable
detection format for security professionals.

Get the most out of the Sigma ecosystem in your SIEM, and start using thousands of great security detections from the community and beyond.

Get Started Download Sigma Rule Packages 
title: AWS Root Credentials
description: Detects AWS root account usage
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        userIdentity.type: Root
    filter:
        eventType: AwsServiceEvent
    condition: selection and not filter
falsepositives:
    - AWS Tasks That Require Root User Credentials
level: medium
$
sigma convert ‑t splunk ‑p config.yml ...
sourcetype="aws:cloudtrail" userIdentity.type="Root"
NOT eventType="AwsServiceEvent"

What is Sigma?

Share detectable malicious behaviour.

Sigma is a generic, open, and structured detection format that allows security teams to detect relevant log events in a simple and shareable way.

Learn more about Sigma

Learn

DocumentationLearn more about how to use the Sigma detection format.
ResourcesSee many amazing resources – produced by SigmaHQ and the wider Sigma community.
RulesLearn more about how each Sigma rule is composed, and how to detect attackers.

Explore the Sigma Ecosystem

View Sigma Rules Explore the thousands of existing Sigma detections in SigmaHQ/sigma.
SigmaHQ Blog See articles written by the Core SigmaHQ development team.
Specification In DevShape the future of the Sigma specification.

Projects

The upcoming Sigma projects, developments and services.

Community

Community project that use and extend the Sigma ecosystem.

Acknowledgements

Sigma would not be possible without the hard work and dedications of hundreds of online contributors through Github.
If you would like to support the project in any way, please visit our contribute guide on the sigma documentation page.