
Open Source

SIEM Detection Format

The shareable detection format for security professionals.

Get the most out of the Sigma ecosystem in your SIEM, and start using thousands of great security detections from the community and beyond.

title: AWS Root Credentials
description: Detects AWS root account usage
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        userIdentity.type: Root
    filter:
        eventType: AwsServiceEvent
    condition: selection and not filter
falsepositives:
    - AWS Tasks That Require Root User Credentials
level: medium

sigma convert -t splunk -p config.yml ...

sourcetype="aws:cloudtrail" userIdentity.type="Root"
NOT eventType="AwsServiceEvent"

What is Sigma?

Share detectable malicious behaviour.

Sigma is a generic, open, and structured detection format that allows security teams to detect relevant log events in a simple and shareable way.



Explore the Sigma Ecosystem


The upcoming Sigma projects, developments and services.


Community projects that use and extend the Sigma ecosystem.


Sigma would not be possible without the hard work and dedication of hundreds of online contributors through GitHub.
If you would like to support the project in any way, please visit our contribute guide on the Sigma documentation page.