Contributing

One of the best features of the Sigma format is how easily anyone can start sharing detections with the wider security community. However, each community enforces its own guidelines on how best to contribute to its online Sigma rule repository.

SigmaHQ Rule Repository

If you haven't already, visit the SigmaHQ Rule Repository to browse the hundreds of available detections.

Submission to SigmaHQ

Checklist

The best way to get your Sigma rule accepted into SigmaHQ's rule repository is to follow the checklist below, which ensures the rule adheres to the standards the community has set.

1. Your rule must adhere to the correct layout.
   Whilst the Sigma format allows you to set your own fields and values for use within your own environments, each rule submitted for sharing with the community is required to adhere to the SigmaHQ Rule Conventions. This covers things such as
   See the detailed requirements on GitHub
2. Your rule must adhere to the file naming scheme.
   For each logsource, SigmaHQ enforces a naming scheme for how rule files are to be named. Ensure your rule is named correctly by following the SigmaHQ Filename Normalisation guide on GitHub.
   See the detailed file-name requirements on GitHub
3. You're ready to open a PR for your rule.
   If you've finished writing your Sigma rule, and it adheres to points #1 and #2, you're ready to open a Pull Request under the SigmaHQ repository.
   Open a new PR on SigmaHQ