Sigma is an open, vendor-agnostic signature format for describing log events and detection rules. Sigma rules are written in YAML and can be converted (transpiled) into queries for virtually any SIEM platform -- Splunk SPL, Elastic KQL, Microsoft Sentinel KQL, and dozens more. This portability makes Sigma the lingua franca of detection engineering, allowing security teams to share, reuse, and maintain detection logic independently of their technology stack.
A Sigma rule consists of a title, description, log source definition, detection logic, and metadata fields including ATT&CK technique IDs and severity level. The detection section uses field-value pairs, logical operators, and modifiers such as contains, endswith, and regex to define matching conditions. Sigma backends (converters) translate the YAML into platform-specific queries. The Sigma community maintains a public rule repository with thousands of detections covering Windows, Linux, network, and cloud telemetry. Teams fork this repository, add custom rules, and run the entire collection through CI pipelines to validate syntax and generate platform-ready queries.
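The rule anatomy described above, as an added example (not code from the page, from CDA, or from the Sigma project): a constructed process_creation rule combining `endswith` and `contains` modifiers, list values (OR), a named filter, and a `selection and not filter` condition, together with a small evaluator that applies the detection section to constructed events. Real deployments do not evaluate rules in Python but transpile the YAML with a backend such as pySigma; the evaluator here only makes the matching semantics concrete. The rule is written as the Python structure `yaml.safe_load` returns for the equivalent YAML, and the `filter_admin_tool` selection and `KnownAdminTool.exe` path are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# Constructed rule, as the Python structure yaml.safe_load returns for the YAML text.
RULE = {
    "title": "Encoded PowerShell Command Line (constructed example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {                                              # map: all fields must match (AND)
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],   # list: any value may match (OR)
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        "filter_admin_tool": {"ParentImage|endswith": "\\KnownAdminTool.exe"},  # hypothetical tuning
        "condition": "selection and not filter_admin_tool",
    },
    "level": "high",
    "tags": ["attack.execution", "attack.t1059.001"],
}

# Constructed process_creation events, using Sigma's Sysmon-style field names.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc BASE64PLACEHOLDER", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh.exe -EncodedCommand BASE64PLACEHOLDER", "ParentImage": "C:\\Tools\\KnownAdminTool.exe"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

def match_value(field_value, pattern, modifiers):
    """Compare one event value with one rule value under the field key's modifiers."""
    if field_value is None:                     # field absent from the event: no match
        return False
    value, pattern = str(field_value), str(pattern)
    if "re" in modifiers:                       # the regex modifier is case-sensitive
        return re.search(pattern, value) is not None
    v, p = value.lower(), pattern.lower()       # all other string matching is case-insensitive
    ops = {"contains": lambda a, b: b in a, "startswith": str.startswith, "endswith": str.endswith}
    for mod in modifiers:
        if mod in ops:
            return ops[mod](v, p)
    return fnmatchcase(v, p)                    # plain value: exact match, with * and ? wildcards

def match_field(event, key, patterns):
    """'Field|mod|mod': list values are OR-ed unless the 'all' modifier is present."""
    field, *modifiers = key.split("|")
    patterns = patterns if isinstance(patterns, list) else [patterns]
    combine = all if "all" in modifiers else any
    return combine(match_value(event.get(field), p, modifiers) for p in patterns)

def match_selection(event, selection):
    """A map is AND across its fields; a list is OR across its entries."""
    if isinstance(selection, dict):
        return all(match_field(event, k, v) for k, v in selection.items())
    if isinstance(selection, list):
        return any(match_selection(event, item) for item in selection)
    raise TypeError(f"unsupported selection type: {type(selection).__name__}")

def eval_condition(condition, results):
    """Evaluate 'a and not (b or c)' over named selection results, without eval()."""
    toks = re.findall(r"\w+|[()]", condition)
    def or_expr():
        val = and_expr()
        while toks[:1] == ["or"]:
            toks.pop(0)
            val = and_expr() or val             # always consume the right-hand operand
        return val
    def and_expr():
        val = not_expr()
        while toks[:1] == ["and"]:
            toks.pop(0)
            val = not_expr() and val
        return val
    def not_expr():
        if toks[:1] == ["not"]:
            toks.pop(0)
            return not not_expr()
        tok = toks.pop(0) if toks else None
        if tok == "(":
            val = or_expr()
            if not toks or toks.pop(0) != ")":
                raise ValueError("unbalanced parentheses in condition")
            return val
        if tok in results:
            return results[tok]
        raise ValueError(f"unknown selection in condition: {tok!r}")
    val = or_expr()
    if toks:
        raise ValueError(f"unexpected token in condition: {toks[0]!r}")
    return val

def evaluate(rule, event):
    """True when the event satisfies the rule's detection condition."""
    detection = rule["detection"]
    results = {name: match_selection(event, sel)
               for name, sel in detection.items() if name != "condition"}
    return eval_condition(detection["condition"], results)
```

Run against `EVENTS`, `evaluate` fires only on the first event: the second is excluded by the filter selection, the third never matches `selection`. The evaluator covers the modifiers named above plus `startswith`, `all` and the default case-insensitive wildcard match, and the condition parser handles `and`, `or`, `not` and parentheses over named selections; Sigma's `1 of selection*` and `all of them` forms, aggregation, and the `|base64` family of value transformations are left to a real backend.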
Sigma eliminates vendor lock-in for detection content. When organizations migrate SIEM platforms, their detection library migrates with them. It also enables community collaboration at scale -- a detection written by one team benefits every platform user. Sigma rules serve as living documentation of what an organization can detect, making gap analysis against ATT&CK straightforward and auditable.
CDA standardizes on Sigma as the primary detection authoring format across all Theater engagements. Every TID mission deliverable includes Sigma rules that clients can deploy regardless of their SIEM vendor. This ensures detection investments are portable, reusable, and aligned with CDA's vendor-neutral philosophy.