Module 3: Sigma — The Portable Core
Write, convert, and deploy Sigma detection rules — the vendor-agnostic language that works across every SIEM.
Tools: Sigma, Wazuh
3 Lessons, 2 Hands-on Labs
Lessons & Labs
Lesson 3.1 — The Sigma Language
Syntax deep-dive — logsource, detection, condition operators, and the full Sigma specification.
Lab 3.1 — Write Your First Sigma Rule
Write a Sigma rule from scratch targeting a specific Windows event pattern, validate syntax with sigma-cli, and test against sample data.
Lesson 3.2 — Writing Production Sigma Rules
From hypothesis to tested rule — metadata standards, naming conventions, and quality gates.
Lab 3.2 — Convert and Validate in Wazuh
Convert Sigma rules to OpenSearch queries using sigma-cli, deploy them in the Wazuh environment, and verify they fire on the expected alerts.
Lesson 3.3 — Converting and Deploying Sigma
sigma-cli pipelines, backend targets (opensearch, splunk, elastic), and deployment workflows.