detection-sigma

Solid

Generic detection rule creation and management using Sigma, the universal SIEM rule format. Sigma provides vendor-agnostic detection logic for log analysis across multiple SIEM platforms. Use when: (1) Creating detection rules for security monitoring, (2) Converting rules between SIEM platforms (Splunk, Elastic, QRadar, Sentinel), (3) Threat hunting with standardized detection patterns, (4) Building detection-as-code pipelines, (5) Mapping detections to MITRE ATT&CK tactics, (6) Implementing compliance-based monitoring rules.

Data & Documents 335 stars 29 forks Updated today


Quality Score: 85/100

Stars (20%): 84
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 80
License (10%): 0
Description (5%): 100

Skill Content

# Sigma Detection Engineering

## Overview

Sigma is to log detection what Snort is to network traffic and YARA is to files: a universal signature format for describing security-relevant log events. This skill helps create, validate, and convert Sigma rules for deployment across multiple SIEM platforms, enabling detection-as-code workflows.

**Core capabilities**:

- Create detection rules using Sigma format
- Convert rules to 25+ SIEM/EDR backends (Splunk, Elastic, QRadar, Sentinel, etc.)
- Validate rule syntax and logic
- Map detections to MITRE ATT&CK framework
- Build threat hunting queries
- Implement compliance-based monitoring

## Quick Start

### Install Dependencies

```bash
pip install pysigma pysigma-backend-splunk pysigma-backend-elasticsearch pyyaml
```

### Create a Basic Sigma Rule

```yaml
title: Suspicious PowerShell Execution
id: 7d6d30b8-5b91-4b90-a71e-4f5a3f5a3c3f
status: experimental
description: Detects suspicious PowerShell execution with encoded commands
references:
  - https://attack.mitre.org/techniques/T1059/001/
author: Your Name
date: YYYY/MM/DD
modified: YYYY/MM/DD
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - '-enc'
      - '-EncodedCommand'
      - 'FromBase64String'
  condition: selection
falsepositives:
  - Legitimate administrative scripts
level: ...
```
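The detection block above combines an `endswith` match on `Image` with an OR-list of `contains` patterns on `CommandLine`. As an added example that is not part of the skill or of pySigma, the following minimal evaluator applies those Sigma semantics (map = AND, list = OR, case-insensitive string matching) to constructed process_creation events; the real SIEM conversion is what pySigma does.

```python
# Added example (not pySigma): a minimal evaluator for the rule above, covering the
# two modifiers it uses (|endswith, |contains) plus Sigma's list = OR, map = AND and
# case-insensitive string matching. The detection block is transcribed as a dict so
# the snippet runs without PyYAML.
DETECTION = {
    "selection": {
        "Image|endswith": "\\powershell.exe",
        "CommandLine|contains": ["-enc", "-EncodedCommand", "FromBase64String"],
    },
    "condition": "selection",
}

def value_matches(modifier: str, field_value: str, pattern: str) -> bool:
    """Apply one Sigma string modifier; Sigma compares strings case-insensitively."""
    fv, pat = field_value.lower(), pattern.lower()
    if modifier == "contains":
        return pat in fv
    if modifier == "endswith":
        return fv.endswith(pat)
    if modifier == "":  # no modifier: exact match
        return fv == pat
    raise ValueError(f"unsupported modifier: {modifier}")

def selection_matches(selection: dict, event: dict) -> bool:
    """Every field in a selection map must match (AND); a list of values is an OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        if isinstance(patterns, str):
            patterns = [patterns]
        if not any(value_matches(modifier, str(event[field]), p) for p in patterns):
            return False
    return True

def rule_matches(detection: dict, event: dict) -> bool:
    """Evaluate a detection block whose condition names a single selection."""
    name = detection["condition"].strip()
    if name not in detection:
        raise ValueError(f"unsupported condition: {name!r}")
    return selection_matches(detection[name], event)

# Constructed process_creation events (not from the page); the base64 is a placeholder.
ENCODED = {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
           "CommandLine": "powershell.exe -EnC QUJDRA=="}
PLAIN_PS = {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
            "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1"}
CMD = {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
```

The mixed-case `-EnC` in the first event still matches the lower-case `-enc` pattern, which is the Sigma default and a common source of mismatches when a backend is configured for case-sensitive comparison.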

Details

Author: aiskillstore
Repository: aiskillstore/marketplace
Created: 5 months ago
Last Updated: today
Language: Python
License: None

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

building-detection-rules-with-sigma

Builds vendor-agnostic detection rules using the Sigma rule format for threat detection across SIEM platforms including Splunk, Elastic, and Microsoft Sentinel. Use when creating portable detection logic from threat intelligence, mapping rules to MITRE ATT&CK techniques, or converting community Sigma rules into platform-specific queries using sigmac or pySigma backends.

13,115 Updated today
mukul975
AI & Automation Listed

building-detection-rules-with-sigma

Builds vendor-agnostic detection rules using the Sigma rule format for threat detection across SIEM platforms including Splunk, Elastic, and Microsoft Sentinel. Use when creating portable detection logic from threat intelligence, mapping rules to MITRE ATT&CK techniques, or converting community Sigma rules into platform-specific queries using sigmac or pySigma backends.

6 Updated yesterday
26zl
AI & Automation Solid

opensearch-detection-engineer

OpenSearch detection engineering: SIGMA authoring, query DSL translation, MITRE ATT&CK mapping, anomaly detection, correlation rules, SOC incident escalation. Use for SIEM detection authoring, threshold tuning, alert validation, and Tier-1/Tier-2 escalation workflows.

392 Updated today
notque
AI & Automation Featured

building-detection-rule-with-splunk-spl

Build effective detection rules using Splunk Search Processing Language (SPL) correlation searches to identify security threats in SOC environments.

13,115 Updated today
mukul975
AI & Automation Featured

implementing-siem-correlation-rules-for-apt

Write multi-event correlation rules that detect APT lateral movement by chaining Windows authentication events, process execution telemetry, and network connection logs across hosts. Uses Splunk SPL and Sigma rule format to correlate Event IDs 4624, 4648, 4688, and Sysmon Events 1/3 within sliding time windows to surface attack sequences invisible to single-event detections.

13,115 Updated today
mukul975