Sigma Rule Writing
Open, vendor-agnostic YAML format for writing detection rules that transpile to any SIEM platform, enabling portable and community-driven threat detection.
Sigma is an open, vendor-agnostic signature format for describing log events and detection rules. Sigma rules are written in YAML and can be converted (transpiled) into queries for virtually any SIEM platform -- Splunk SPL, Elastic KQL, Microsoft Sentinel KQL, and dozens more. This portability makes Sigma the lingua franca of detection engineering, allowing security teams to share, reuse, and maintain detection logic independently of their technology stack.
A Sigma rule consists of a title, description, log source definition, detection logic, and metadata fields including ATT&CK technique IDs and severity level. The detection section uses field-value pairs, logical operators, and modifiers such as contains, endswith, and regex to define matching conditions. Sigma backends (converters) translate the YAML into platform-specific queries. The Sigma community maintains a public rule repository with thousands of detections covering Windows, Linux, network, and cloud telemetry. Teams fork this repository, add custom rules, and run the entire collection through CI pipelines to validate syntax and generate platform-ready queries.
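The detection semantics just described, as an added example that is not code from the Sigma project or from CDA: a constructed rule (written as the dict a YAML parser would return, so it runs without PyYAML) and a minimal matcher that applies the field modifiers, ANDs the fields of a selection, ORs a field's value list, and evaluates the condition over sample process-creation events. The rule, field names and events are assumptions made for this illustration.

```python
import re
# Constructed example rule (not from the public Sigma repository), given as the dict a YAML parser
# returns; keys map one-to-one onto the YAML, e.g. "Image|endswith: '\\powershell.exe'".
RULE = {
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe",
                      "CommandLine|contains": ["-enc ", "-EncodedCommand"]},
        "filter": {"ParentImage|endswith": "\\monitoring_agent.exe"},
        "condition": "selection and not filter",
    },
}

def match_value(actual, pattern, mods):
    """Apply Sigma value modifiers; non-regex comparisons are case-insensitive (wildcards not handled)."""
    if actual is None:
        return False
    if "re" in mods:  # 're' modifier: regular expression, case-sensitive
        return re.search(pattern, str(actual)) is not None
    a, p = str(actual).lower(), str(pattern).lower()
    ops = {"contains": lambda: p in a, "startswith": lambda: a.startswith(p), "endswith": lambda: a.endswith(p)}
    return next((ops[m]() for m in mods if m in ops), a == p)

def match_selection(selection, event):
    """Fields inside one selection are ANDed; a list of values for one field is ORed."""
    for key, values in selection.items():
        field, *mods = key.split("|")
        values = values if isinstance(values, list) else [values]
        if not any(match_value(event.get(field), v, mods) for v in values):
            return False
    return True

def eval_condition(condition, results):
    """Covers the common 'a and not b or c' shape (no parentheses, no '1 of' / 'all of')."""
    for clause in condition.split(" or "):
        terms = [t.strip() for t in clause.split(" and ")]
        if all(results[t.removeprefix("not ")] != t.startswith("not ") for t in terms):
            return True
    return False

def rule_matches(rule, event):
    det = rule["detection"]
    results = {n: match_selection(s, event) for n, s in det.items() if n != "condition"}
    return eval_condition(det["condition"], results)

# Constructed process-creation events: a hit, a hit suppressed by the filter, and a non-match.
EVENTS = [
    {"Image": r"C:\W\powershell.exe", "CommandLine": "powershell.exe -EncodedCommand QQBBAEEA", "ParentImage": r"C:\W\explorer.exe"},
    {"Image": r"C:\W\powershell.exe", "CommandLine": "powershell.exe -enc QQBBAEEA", "ParentImage": r"C:\W\monitoring_agent.exe"},
    {"Image": r"C:\W\cmd.exe", "CommandLine": "cmd.exe /c dir", "ParentImage": r"C:\W\explorer.exe"},
]
```

Running `[rule_matches(RULE, e) for e in EVENTS]` gives `[True, False, False]`; a real backend would instead emit this logic as, for example, an SPL or KQL query.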
Sigma eliminates vendor lock-in for detection content. When organizations migrate SIEM platforms, their detection library migrates with them. It also enables community collaboration at scale -- a detection written by one team benefits every platform user. Sigma rules serve as living documentation of what an organization can detect, making gap analysis against ATT&CK straightforward and auditable.
CDA standardizes on Sigma as the primary detection authoring format across all Theater engagements. Every TID mission deliverable includes Sigma rules that clients can deploy regardless of their SIEM vendor. This ensures detection investments are portable, reusable, and aligned with CDA's vendor-neutral philosophy.
Written by CDA Editorial