finds.dev← search

// the find

SigmaHQ/sigma

★ 10,740 · Python · NOASSERTION · updated Jul 2026

Main Sigma Rule Repository

Sigma is a vendor-neutral YAML rule format for describing log-based detections, paired with this repo's library of 3000+ community-maintained rules. Think YARA but for SIEM queries: you write one rule, convert it to Splunk SPL, Elasticsearch KQL, QRadar AQL, or 25 other backends. Aimed at detection engineers who want to write detections once and deploy them across different logging stacks.

The abstraction is genuinely well-designed — the logsource/category model cleanly separates 'what behavior' from 'which log source', which is exactly the right split. The rule corpus is substantial and actively maintained, with CI that runs regression tests against real .evtx samples (the regression_data/ directory), so rules aren't just syntactically valid, they actually match the events they claim to. The three-tier taxonomy (generic detections, threat hunting, emerging threats) is sensible — emerging threat rules have a natural expiry, generic ones don't, and the distinction forces contributors to think about longevity. Integration surface is wide: VirusTotal, Security Onion, IBM QRadar, MISP, LimaCharlie all consume it natively, which means the format has survived long enough to become a de facto standard.

Rule quality is uneven. With 3000+ rules across hundreds of contributors, false positive rates vary wildly — some rules are tight and battle-tested, others will fire constantly in any real enterprise. There's no per-rule FP rate or coverage data in the repo, so you're flying blind until you tune. The conversion layer (pySigma) is a separate project and backends lag; translating a rule to an unsupported backend means writing your own pipeline, which requires understanding both pySigma internals and your SIEM's query semantics — not trivial. Coverage is heavily Windows/Sysmon-skewed; Linux and cloud rules exist but are thinner, so if your environment is mostly Linux or multi-cloud you'll hit gaps fast. The Detection Rule License (DRL 1.1) is not OSI-approved and contains use restrictions that some commercial security products have historically found incompatible — worth a legal read before embedding in a product.

View on GitHub → Homepage ↗

// want more like this?

We dig through GitHub every week and send a few repos picked for what you actually care about — each with an honest take like this one.

Get finds in your inbox → Search again →