# sigmahq/sigma

10,136 stars · 2,549 forks · Python · other

## Links

- GitHub: https://github.com/SigmaHQ/sigma
- Homepage: https://sigmahq.io/
- awesome-repositories: https://awesome-repositories.com/repository/sigmahq-sigma.md

## Topics

`elasticsearch` `ids` `logging` `monitoring` `security` `siem` `signatures` `splunk` `sysmon`

## Description

Sigma is a suite of tools for defining generic log signatures and translating them for multiple backends. It provides a structured way to define malicious behavior and detection logic independently of any specific backend technology, acting as a translation engine that maps generic event fields and correlation logic to the proprietary query languages of security data lakes and SIEM platforms.

The project features a plugin-based multi-backend query generator that exports security detections into various database and log management formats. It also includes a threat framework mapping tool that generates coverage heatmaps by linking detection rule metadata to established security threat frameworks.

The system covers security log normalization, multi-stage attack correlation, and log-to-rule generation. It further supports the export of detection rules into threat intelligence platforms to centralize indicators and security logic.

## Tags

### Data & Databases

- [Query Translation Layers](https://awesome-repositories.com/f/data-databases/query-translation-layers.md) — Translates generic security detection rules into proprietary query languages for various SIEM and log management platforms.
- [SIEM](https://awesome-repositories.com/f/data-databases/query-translators/siem.md) — Converts standardized log-detection rules into proprietary query languages for various SIEM platforms. ([source](https://sigmahq.io/docs/guide/getting-started.html))
- [Multi-Backend Query Generators](https://awesome-repositories.com/f/data-databases/multi-backend-query-generators.md) — Exports security detections into multiple different database and log management formats via a plugin-based converter.
- [Query Generation Patterns](https://awesome-repositories.com/f/data-databases/query-optimization-patterns/query-generation-patterns.md) — Constructs complex search strings by iterating through logic operators defined in a standardized rule schema.

### Part of an Awesome List

- [SIEM Rule Converters](https://awesome-repositories.com/f/awesome-lists/data/security-logging-and-siem/siem-rule-converters.md) — Translates standardized security detection signatures into search queries for various SIEM and logging platforms.
- [Detection Engineering](https://awesome-repositories.com/f/awesome-lists/security/detection-engineering.md) — Uses a structured, standardized format to describe malicious behavior consistently across different log files. ([source](https://sigmahq.io/docs/guide/about.html))
- [Log-to-Signature Generators](https://awesome-repositories.com/f/awesome-lists/security/signature-rules/log-to-signature-generators.md) — Automatically creates formal detection signatures by converting provided log entries into structured rules. ([source](https://cdn.jsdelivr.net/gh/sigmahq/sigma@master/README.md))
- [Log Analysis Tools](https://awesome-repositories.com/f/awesome-lists/data/log-analysis-tools.md) — Generic signature format for SIEM detection rules.
- [Detection Content Libraries](https://awesome-repositories.com/f/awesome-lists/devtools/detection-content-libraries.md) — Provides a universal, platform-agnostic format for detection content.
- [Signature Rules](https://awesome-repositories.com/f/awesome-lists/security/signature-rules.md) — Generic signature format for detecting malicious events in logs.

### DevOps & Infrastructure

- [Security Event Correlation](https://awesome-repositories.com/f/devops-infrastructure/infrastructure-operations/infrastructure-event-correlation-tools/security-event-correlation.md) — Identifies complex attack sequences by specifying patterns where multiple events trigger within a set timeframe. ([source](https://sigmahq.io/docs/guide/faq.html))

### Security & Cryptography

- [Security Analytics Platforms](https://awesome-repositories.com/f/security-cryptography/security-analytics-platforms.md) — Maps generic event fields and correlation logic to the proprietary query languages of security data lakes.
- [Coverage Heatmaps](https://awesome-repositories.com/f/security-cryptography/cyber-threat-intelligence-maps/coverage-heatmaps.md) — Provides a utility to generate visual coverage heatmaps by linking detection rule metadata to established security threat frameworks.
- [Detection Coverage Heatmaps](https://awesome-repositories.com/f/security-cryptography/cyber-threat-intelligence-maps/detection-coverage-heatmaps.md) — Creates a visual heatmap of security coverage by mapping rule tags to threat frameworks. ([source](https://cdn.jsdelivr.net/gh/sigmahq/sigma@master/README.md))

### Software Engineering & Architecture

- [Schema Definition Languages](https://awesome-repositories.com/f/software-engineering-architecture/schema-definition-languages.md) — Employs a standardized YAML-based language to define detection logic independently of specific logging platforms.
- [Intermediate Representations](https://awesome-repositories.com/f/software-engineering-architecture/data-formats/intermediate-representations.md) — Implements an internal representation that bridges high-level detection logic and final backend-specific query formats.
- [Plugin-Based Architectures](https://awesome-repositories.com/f/software-engineering-architecture/software-architecture/architectural-patterns/plugin-module-systems/modular-plugin-architectures/plugin-based-architectures.md) — Uses a modular plugin architecture to map generic detection signatures to target-specific query syntaxes.

### System Administration & Monitoring

- [Log Field Mappings](https://awesome-repositories.com/f/system-administration-monitoring/log-ingestion/log-field-mappings.md) — Provides a translation layer that maps generic log fields to platform-specific identifiers across diverse data sources.

### Content Management & Publishing

- [Framework Coverage Mapping](https://awesome-repositories.com/f/content-management-publishing/metadata-tagging/framework-coverage-mapping.md) — Associates detection rules with external security frameworks by scanning metadata tags to generate coverage heatmaps.

### Development Tools & Productivity

- [Plugin Systems](https://awesome-repositories.com/f/development-tools-productivity/plugin-systems.md) — Provides a flexible plugin system for adding new security platform targets and customizing data conversion. ([source](https://sigmahq.io/docs/guide/getting-started.html))
