gitwtfhub

wtf is sigma?

sigmahq/sigma — explained in plain English

Analysis updated 2026-06-24

10,433PythonAudience · ops devopsComplexity · 2/5Setup · moderate

TL;DR

A community collection of 3,000+ security detection rules in a vendor-neutral format, letting you convert one rule into the query language of any security monitoring platform you use.

Mindmap

mindmap
  root((repo))
    What it does
      Detection rule format
      Vendor-neutral YAML
      3000 plus rules
    Rule Types
      Generic attack detection
      Threat hunting
      Emerging threats
      Compliance checks
    How to Use
      Sigma CLI converter
      sigconverter.io
      SIEM backends
    Audience
      Security analysts
      DevOps teams

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Why would anyone build with this?

REASON 1

Convert Sigma detection rules into your SIEM platform's query language using Sigma CLI to start detecting threats without writing queries from scratch.

REASON 2

Find pre-written detection rules for a specific attack technique and convert them to run in your existing security platform.

REASON 3

Run compliance checks by applying Sigma rules that flag log events violating CIS Controls or NIST frameworks.

REASON 4

Contribute a community detection rule that works across IBM QRadar, MISP, and other platforms without writing platform-specific queries.

What's in the stack?

PythonYAML

How it stacks up

sigmahq/sigmapwndbg/pwndbgprompt-toolkit/python-prompt-toolkit
Stars10,43310,42210,447
LanguagePythonPythonPython
Setup difficultymoderatemoderateeasy
Complexity2/53/52/5
Audienceops devopsdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you spin it up?

Difficulty · moderate Time to first run · 30min

Requires Sigma CLI to convert rules, each target security platform needs its own backend package installed.

Wtf does this do

Sigma is an open format for writing detection rules that describe suspicious patterns in log files. When a company runs servers and applications, those systems produce logs, which are records of every action that happens. Security teams analyze those logs to look for signs of attackers or malware. The problem is that every security monitoring platform uses its own query language, so a detection rule written for one tool cannot be used in another. Sigma solves this by providing a common format: you write the rule once, then convert it to whatever language your particular security platform uses. This repository is the main collection of Sigma rules maintained by the community. It currently holds more than 3,000 detection rules organized into several categories. Generic detection rules look for behaviors associated with attack techniques regardless of who is doing the attacking. Threat hunting rules are broader and give security analysts a starting point for investigating suspicious patterns. Emerging threat rules cover specific, time-sensitive events like the exploitation of a freshly discovered vulnerability or an active attack campaign. Compliance rules help teams spot log events that indicate a violation of security frameworks like CIS Controls or NIST. The rules are written in YAML, which is a plain-text format that is meant to be readable by humans and machines alike. You can convert them to your platform's query language using a command-line tool called Sigma CLI or a web interface at sigconverter.io. A wide range of commercial and open-source security platforms already support Sigma rules directly, including IBM QRadar, MISP, and several others listed in the README. The project is community-driven and peer-reviewed, meaning rule submissions go through a review process before being accepted into the main repository.

Yoink these prompts

Prompt 1
I use Splunk for security monitoring. Help me use Sigma CLI to convert a Sigma rule from sigmahq/sigma that detects PowerShell download cradles into Splunk query language.
Prompt 2
Help me write a new Sigma detection rule in YAML format that flags when a Linux process runs with an unusual parent-child process relationship.
Prompt 3
I want to find all Sigma rules in the sigmahq/sigma repository that relate to ransomware behavior. Help me search the repo and understand the rule structure.
Prompt 4
Walk me through setting up Sigma CLI to batch-convert a folder of Sigma rules to Elastic SIEM query format.

Frequently asked questions

wtf is sigma?

A community collection of 3,000+ security detection rules in a vendor-neutral format, letting you convert one rule into the query language of any security monitoring platform you use.

What language is sigma written in?

Mainly Python. The stack also includes Python, YAML.

How hard is sigma to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is sigma for?

Mainly ops devops.

View the repo → Decode another repo

This repo across BitVibe Labs

Don't trust strangers blindly. Verify against the repo.