Rule Creation High‐Level Guide
Sigma is a generic and open signature format for SIEM systems and log analysis tools. This guide provides a quick reference for creating Sigma rules that align with our community standards.
A Sigma rule consists of metadata fields, a log source definition, and detection logic. Use an existing rule as a template when possible.
```yaml
title: Title
id: 12345678-1234-1234-1234-123456789abc
status: experimental
description: Detects [specific behavior or technique]
references:
    - https://example.com/reference
tags:
    - attack.execution
    - attack.t1059
author: Your Name
date: 2025-11-19
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        FieldName: 'Value'
        FieldName|modifier: 'Value'
    condition: selection
falsepositives:
    - Legitimate administrative activity
level: medium
```

A Sigma rule is composed of multiple key components such as title, id, status, description, references, tags, author, date, logsource, detection, falsepositives, and level.
For a detailed explanation of each component and the latest updates, refer to the Sigma Rule Specification documentation.
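To make the detection block concrete, here is a small added example (my own code, not from the SigmaHQ project) that evaluates a rule written in the template's layout against a single event. The rule, the event fields and the set of supported modifiers (contains, startswith, endswith, all, re) are assumptions for illustration, and the condition grammar is limited to and/or/not over selection names.

```python
import re

# Constructed rule in the template's layout (not a SigmaHQ rule); the matcher reads only 'detection'.
RULE = {
    "title": "Constructed Example: Encoded PowerShell Command",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains|all": ["-enc", "-nop"],
        },
        "filter_service_accounts": {"User|startswith": "CORP\\svc_"},
        "condition": "selection and not filter_service_accounts",
    },
}

def _match_value(actual: str, wanted: str, mods: list[str]) -> bool:
    # Plain Sigma string matching is case-insensitive; 're' is a raw regex.
    if "re" in mods:
        return re.search(wanted, actual) is not None
    a, w = actual.lower(), wanted.lower()
    if "contains" in mods:
        return w in a
    if "startswith" in mods:
        return a.startswith(w)
    if "endswith" in mods:
        return a.endswith(w)
    return a == w

def _field_matches(event: dict, key: str, wanted) -> bool:
    field, *mods = key.split("|")               # e.g. 'CommandLine|contains|all'
    if field not in event:
        return False
    values = wanted if isinstance(wanted, list) else [wanted]
    hits = [_match_value(str(event[field]), str(v), mods) for v in values]
    return all(hits) if "all" in mods else any(hits)   # a list is OR unless 'all'

def _eval_condition(condition: str, truth: dict) -> bool:
    # Grammar: 'or'-joined clauses of 'and'-joined names, optional 'not' prefix; no parentheses.
    def term(t: str) -> bool:
        name = t.removeprefix("not ").strip()
        value = truth[name]                     # KeyError: undefined selection name
        return not value if t.startswith("not ") else value
    return any(all(term(t.strip()) for t in clause.split(" and "))
               for clause in condition.split(" or "))

def rule_matches(rule: dict, event: dict) -> bool:
    det = rule["detection"]
    truth = {name: all(_field_matches(event, k, v) for k, v in sel.items())
             for name, sel in det.items() if name != "condition"}
    return _eval_condition(det["condition"], truth)
```

The second selection shows the usual Sigma pattern for taming false positives: a filter selection negated in the condition rather than an ever more specific primary selection.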
- Clarity is King: Use clear, concise and accurate language in the `title` and `description` that reflects the rule's purpose.
- Generic Rules FTW: Sigma favors generic rules that can detect different variations of known techniques as well as future, unknown ones. When you create rules, aim for broad applicability rather than overly specific conditions, while keeping the false positive rate in mind.
- Always Validate: Validate your rules using the available Sigma tools to ensure they conform to the specification and function as intended.
- Follow Conventions: Follow established conventions as described in the SigmaHQ Convention Files.
We highly recommend using Visual Studio Code with the official Sigma Extension developed by the SigmaHQ team.
The Sigma extension provides:
- Syntax Highlighting: Color-coded syntax for better readability
- Auto-completion: Intelligent suggestions for field names, modifiers, and values
- Validation: Real-time validation against the Sigma specification
- Snippets: Quick templates for common detection patterns