Sigma
Documentation

Appearance

Frequently Asked Questions

We've compiled a list of frequently asked questions to help you get started with Sigma. If your question isn't answered here, please reach out to us on Discord or GitHub.

Conversion

  • "Is it possible to convert queries from SIEM format X to Sigma?"
    There isn't a straightforward way to do this. While it's possible to generate rules from queries using AI tools or other utilities, the results are often basic and may require significant rework or correction.

Detection

  • "Why should we use category: process_creation instead of service: sysmon when using Sysmon?"
    You can actually use either! Sigma aims to provide platform-agnostic rules. The process_creation category works with Windows Security EventID 4688, Sysmon EventID 1, and even custom EDR logs.

  • "Since we use ECS, why not write rules using ECS format?"
    Sigma's scope extends beyond any single taxonomy, with ECS being just one of many available field naming schemes. We've discussed this topic in detail in our Medium article.

    While you're free to use ECS or any other field naming scheme for your custom rules, contributions to the main Sigma rules repository must follow the Sigma Taxonomy.

Correlation Rules

Below are examples of common correlation rule patterns. For detailed information, please refer to the Correlation section.

  • "How do I write a rule where X triggers at least Y times in B minutes for the same field Z with different values for field A?"
yaml
correlation:
  type: value_count
  rules:
    - X
  group-by:
    - Z
  timespan: Bm
  condition:
    field: A
    gte: Y
  • "How do I write a rule where X triggers at least Y times in B minutes for the same field Z?"
yaml
correlation:
  type: value_count
  rules:
    - X
  group-by:
    - Z
  timespan: Bm
  condition:
    gte: Y
  • "How do I write a rule where Rules X and Y trigger in the last B minutes for the same field Z?"
yaml
correlation:
  type: temporal
  rules:
    - X
    - Y
  group-by:
    - Z
  timespan: Bm
  condition:
    gte: Y
  • "How do I write a rule where Rule X triggers followed by Rule Y within B minutes for the same field Z?"
yaml
correlation:
  type: temporal_ordered
  rules:
    - X
    - Y
  group-by:
    - Z
  timespan: Bm
  condition:
    gte: Y

Copyright © 2020-present SigmaHQ