Name: Building Detection Rules With Sigma
Author: mukul975

When to Use

Use this skill when:

SOC engineers need to create detection rules portable across multiple SIEM platforms
Threat intelligence reports describe TTPs requiring new detection coverage
Existing vendor-specific rules need standardization into a shareable format
The team adopts Sigma as a detection-as-code standard in CI/CD pipelines

Do not use for real-time streaming detection (Sigma is for batch/scheduled searches) or when the target SIEM has native detection features that Sigma cannot express (e.g., Splunk RBA risk scoring).

Prerequisites

Python 3.8+ with pySigma and appropriate backend (pySigma-backend-splunk, pySigma-backend-elasticsearch, pySigma-backend-microsoft365defender)
Sigma rule repository cloned: git clone https://github.com/SigmaHQ/sigma.git
MITRE ATT&CK framework knowledge for technique mapping
Understanding of target SIEM log source field mappings

Workflow

When to Use

Use this skill when:

SOC engineers need to create detection rules portable across multiple SIEM platforms
Threat intelligence reports describe TTPs requiring new detection coverage
Existing vendor-specific rules need standardization into a shareable format
The team adopts Sigma as a detection-as-code standard in CI/CD pipelines

Prerequisites

Python 3.8+ with pySigma and appropriate backend (pySigma-backend-splunk, pySigma-backend-elasticsearch, pySigma-backend-microsoft365defender)
Sigma rule repository cloned: git clone https://github.com/SigmaHQ/sigma.git
MITRE ATT&CK framework knowledge for technique mapping
Understanding of target SIEM log source field mappings

Building Detection Rules With Sigma

When to Use

Prerequisites

Workflow

Building Detection Rules With Sigma

When to Use

Prerequisites

Workflow

Step 1: Define Detection Logic from Threat Intelligence

Sessions

Docker Patterns

Autonomous Loops

Kotlin Patterns

Eval Harness

Golang Patterns