How to Write Sigma Rules for Threat Detection

A Sigma rule is a YAML document with a defined schema. Understanding every field is prerequisite to writing rules that convert correctly and fire with appropriate fidelity.

The metadata fields — title, id, status, description, references, author, date, modified, tags, and logsource — define what the rule detects and provide context for the analyst receiving the alert. The title should be specific enough to explain the threat at a glance: 'Mimikatz LSASS Memory Access via OpenProcess' is useful; 'Malware Detected' is not. The status field uses a defined vocabulary: stable (production-ready, well-tested), test (deployed but under validation), experimental (new rule, expect false positives), deprecated (replaced by a better rule), or unsupported (platform-specific limitations). The tags field maps to MITRE ATT&CK technique IDs in the format attack.t1003.001 — this mapping is what enables ATT&CK coverage heatmap generation from your deployed rule set.

The logsource block specifies which log category the rule operates against. It uses three fields: category (the log type, such as process_creation, network_connection, or file_event), product (the platform, such as windows, linux, or aws), and service (the specific service within the product, such as security, sysmon, or cloudtrail). The logsource block is what sigma-cli uses to select the correct field mappings when converting to a target SIEM.

The detection block is the core of the rule. It contains named selection blocks that define the conditions to match, and a condition expression that combines those blocks with logical operators. The falsepositives field documents known legitimate sources of rule triggering — this is critical for analyst context and suppression planning. The level field uses a five-value scale: informational, low, medium, high, or critical — and should reflect the likelihood of true positive combined with potential business impact.

The detection block syntax supports three matching primitives that combine to cover most detection scenarios.

Keyword matching searches for strings anywhere in the log record without specifying a field name: useful for catching specific command-line strings or error messages that appear in variable fields across log formats. Field-value matching binds a condition to a specific field: CommandLine contains 'mimikatz' limits the match to the CommandLine field, not the entire event. Field-value matching is more precise and produces fewer false positives than keyword matching.

Value modifiers extend field-value matching with additional match logic: contains checks for substring presence (CommandLine|contains: 'sekurlsa'); startswith and endswith match positional strings; re applies a regular expression; all requires every item in a list to match (the default is any — matching any item in the list is sufficient). Negation uses the not keyword in the condition expression: filter_legitimate handles allowlisting by defining a selection that, when matched, excludes the event.

Aggregation conditions enable threshold-based detection across time windows — essential for detecting techniques like Kerberoasting that are characterized by volume rather than a single event. The syntax uses the count, sum, min, max, and avg aggregation functions with a by grouping field and a timeframe. A Kerberoasting rule might aggregate: count() by Computer > 30 within 5m — flagging when more than 30 Kerberos service ticket requests occur from a single host within five minutes.

The condition expression combines named selections with and, or, not, and parentheses. The most common pattern is (selection and not filter): define what you want to detect in selection, define known false positive sources in filter, then require the detection to match while the filter does not.

The following Sigma rule detects PsExec-based lateral movement by identifying the PSEXESVC service installation on a target system. PsExec creates this service on the remote host when executing commands, producing a distinctive sequence of events that this rule captures via Windows Security Event ID 7045.

The rule targets the windows/system logsource (Event ID 7045 — Service Installed), with a selection block requiring the ServiceName field to contain 'PSEXESVC' and the ServiceFileName to reference admin shares (ADMIN$ or C$). The filter block excludes known-legitimate deployment from authorized IT administration IP ranges, which must be populated with your environment's actual admin subnets.

Key tuning notes for this rule: the ServiceName match alone produces very few false positives in environments where PsExec is not a sanctioned administration tool. If PsExec is used legitimately by IT teams, the filter block must enumerate their source addresses to avoid suppressing legitimate detections entirely. Set status to stable after validating against 30 days of historical data. Tag with attack.t1021.002 (Remote Services: SMB/Windows Admin Shares) and attack.s0029 (PsExec software reference). Level should be high for environments where PsExec is not an authorized tool; medium where it is used legitimately by IT.

Mimikatz is the most widely used credential dumping tool in enterprise intrusions. Its primary execution path accesses the Local Security Authority Subsystem Service (LSASS) process memory to extract plaintext credentials, password hashes, and Kerberos tickets. Sysmon Event ID 10 (ProcessAccess) captures this access with the GrantedAccess rights field indicating what permissions were requested.

The detection block for this rule uses two complementary approaches: GrantedAccess value matching for the specific access rights Mimikatz requests (0x1010, 0x1038, 0x143a — hexadecimal values corresponding to PROCESS_VM_READ plus additional access rights used by sekurlsa and lsadump modules) combined with a TargetImage endswith filter for lsass.exe. Using GrantedAccess values rather than just TargetImage reduces false positives from legitimate processes that access LSASS for non-credential-related reasons (security software, backup agents, Windows Defender).

A supplementary detection uses CallTrace field matching for known Mimikatz memory load patterns — specifically the presence of unknown memory regions (indicated by a CallTrace containing 'UNKNOWN' strings) in the call chain from a process accessing LSASS. This catches reflective loading and in-memory execution of Mimikatz variants that do not write to disk.

Set level to high. False positives are rare: the specific GrantedAccess value combination is characteristic of credential dumping tooling. Common legitimate false positive sources include some endpoint security products that access LSASS for protection purposes — these should be identified during tuning and added to the filter block by process name.

sigma-cli is the official command-line tool for converting Sigma rules to SIEM-native query languages. It replaces the deprecated sigmac tool and supports the current pySigma backend architecture.

Install sigma-cli with pip install sigma-cli. Install the backend for your target SIEM: sigma plugin install splunk installs the Splunk backend; sigma plugin install microsoft365defender installs the Defender/Sentinel backend; sigma plugin install elasticsearch installs the Elastic backend.

Convert a single rule to Splunk SPL: sigma convert -t splunk -p splunk_windows rule.yml. The -p flag selects the pipeline, which provides the field name mappings for your specific log source configuration. Pipeline selection is critical: a rule converted with the wrong pipeline produces queries that reference field names that do not exist in your SIEM index, generating no results rather than an error.

For bulk conversion of the entire SigmaHQ repository: clone the sigma repository, then run sigma convert -t splunk -p splunk_windows -r rules/windows/ to recursively convert all Windows rules. Filter the output by status (stable only for production) and level (high and critical for initial deployment) to avoid deploying hundreds of experimental rules simultaneously.

Integrate Sigma into your CI/CD pipeline by running sigma convert as a pre-deployment step that validates rule syntax and generates platform-specific detection content from a single source-of-truth rule file. Store Sigma rules in git, review changes via pull request, and deploy converted queries to your SIEM via API.

Production Sigma rules require environment-specific tuning that no community rule can provide out of the box. The tuning process follows a standard pattern: deploy the rule in audit mode (log matches without alerting), collect 14 days of matches, categorize matches as true positives or false positives, build filter selections for known false positive sources, then promote to alerting mode.

The most valuable tuning investment is building environment-specific pipeline files that reflect your actual field names and log source configuration. Sigma's pipeline abstraction means a rule that converts correctly for one Splunk deployment may need field mapping adjustments for another if log source configurations differ.

Contributing rules back to SigmaHQ benefits the community and improves rule quality through peer review. The contribution workflow: fork the SigmaHQ/sigma repository on GitHub, add your rule in the appropriate directory following naming conventions, ensure the rule passes sigma-cli validation (sigma check rule.yml), and open a pull request with a description of what the rule detects, why the detection conditions were chosen, and what false positive sources were observed during testing. Rules accepted into the main repository receive broader testing across community deployments, improving confidence and identifying edge cases faster than single-environment testing.