// the find
SigmaHQ/sigma
Main Sigma Rule Repository
Sigma is a vendor-neutral YAML rule format for describing log-based detections, paired with this repo's library of 3000+ community-maintained rules. Think YARA but for SIEM queries: you write one rule, convert it to Splunk SPL, Elasticsearch KQL, QRadar AQL, or 25 other backends. Aimed at detection engineers who want to write detections once and deploy them across different logging stacks.
The abstraction is genuinely well-designed — the logsource/category model cleanly separates 'what behavior' from 'which log source', which is exactly the right split. The rule corpus is substantial and actively maintained, with CI that runs regression tests against real .evtx samples (the regression_data/ directory), so rules aren't just syntactically valid, they actually match the events they claim to. The three-tier taxonomy (generic detections, threat hunting, emerging threats) is sensible — emerging threat rules have a natural expiry, generic ones don't, and the distinction forces contributors to think about longevity. Integration surface is wide: VirusTotal, Security Onion, IBM QRadar, MISP, LimaCharlie all consume it natively, which means the format has survived long enough to become a de facto standard.
Rule quality is uneven. With 3000+ rules across hundreds of contributors, false positive rates vary wildly — some rules are tight and battle-tested, others will fire constantly in any real enterprise. There's no per-rule FP rate or coverage data in the repo, so you're flying blind until you tune. The conversion layer (pySigma) is a separate project and backends lag; translating a rule to an unsupported backend means writing your own pipeline, which requires understanding both pySigma internals and your SIEM's query semantics — not trivial. Coverage is heavily Windows/Sysmon-skewed; Linux and cloud rules exist but are thinner, so if your environment is mostly Linux or multi-cloud you'll hit gaps fast. The Detection Rule License (DRL 1.1) is not OSI-approved and contains use restrictions that some commercial security products have historically found incompatible — worth a legal read before embedding in a product.