CyberBlue Academy — Blue Team & SOC Training

What You'll Learn

Identify and explain every field in a Sigma rule: title, id, status, description, references, author, date, logsource, detection, fields, falsepositives, level, and tags
Write a syntactically correct Sigma rule in YAML format from scratch
Explain how the logsource section determines which logs a rule evaluates
Construct detection logic using selection, filter, and condition keywords
Map Sigma severity levels and ATT&CK tags to real-world alert prioritization
Read and interpret the Sigma rules pre-installed in the lab at /opt/sigma-rules/

The Sigma Rule — Field by Field

In Lesson 8.1, you saw a complete Sigma rule and understood its purpose. Now you need to understand every field, what it controls, and how to write each one correctly. By the end of this lesson, you will be able to read any rule in the 3,000+ SigmaHQ repository fluently.

A Sigma rule is a YAML document with a defined schema. Here is a complete rule with every field annotated:

title: Suspicious PowerShell Encoded Command
id: f4b89c3a-7e2d-4d91-8f1a-3c5e9b0a2d4f
status: test
description: |
    Detects PowerShell execution with encoded command parameter,
    commonly used by attackers to obfuscate malicious scripts.
references:
    - https://attack.mitre.org/techniques/T1059/001/
    - https://docs.microsoft.com/en-us/powershell/
author: CyberBlue Academy
date: 2026/02/23
modified: 2026/02/23
logsource:
    category: process_creation
    product: windows
detection:
    selection_process:
        Image|endswith: '\\powershell.exe'
    selection_args:
        CommandLine|contains:
            - '-EncodedCommand'
            - '-enc'
            - '-e '
            - '-ec '
    condition: selection_process and selection_args
fields:
    - Image
    - CommandLine
    - ParentImage
    - User
falsepositives:
    - Legitimate administrative scripts using encoded commands
    - Software deployment tools
level: high
tags:
    - attack.execution
    - attack.t1059.001

Let's break down every section.

Metadata Fields

The top block of every Sigma rule provides context about the rule itself — who wrote it, when, and why.

title (required)

A short, descriptive name for the detection. This appears in alert dashboards, so make it immediately understandable:

Good Title	Bad Title
Suspicious PowerShell Encoded Command	PS Rule 1
Mimikatz Credential Dumping via LSASS	Mimikatz
Brute Force — 5 Failed Logons in 5 Minutes	Auth Check

id (required)

A UUID that uniquely identifies this rule globally. Use uuidgen on the command line or any UUID generator. The ID never changes once published — even if the rule is modified.

status (required)

Indicates the maturity of the rule:

Status	Meaning
`stable`	Production-ready, well-tested, low false positive rate
`test`	Under testing, may generate false positives
`experimental`	New rule, needs validation in multiple environments
`deprecated`	Superseded by a better rule — do not use
`unsupported`	Cannot be converted to most backends

description

A longer explanation of what the rule detects and why it matters. Use the pipe (|) in YAML for multi-line descriptions.

references

URLs to threat reports, ATT&CK technique pages, blog posts, or documentation that explain the attack technique this rule detects. Critical for analysts who need to understand the context behind an alert.

author and date/modified

Who wrote the rule and when. The modified field tracks the last update. In SigmaHQ, this helps you identify stale rules that may need review.

The logsource Section

The logsource section tells Sigma which type of log this rule should evaluate. This is what makes Sigma vendor-neutral — instead of specifying a Wazuh index or a Splunk source type, you describe the log category abstractly.

logsource:
    category: process_creation
    product: windows
    service: sysmon

Three fields define the log source:

Field	Purpose	Examples
`category`	The type of activity being logged	`process_creation`, `network_connection`, `file_event`, `dns_query`, `image_load`, `registry_event`
`product`	The operating system or platform	`windows`, `linux`, `macos`, `aws`, `azure`, `gcp`
`service`	The specific log provider (optional)	`sysmon`, `security`, `system`, `powershell`, `dns`

ℹ

The logsource is the most important field for conversion. When you run sigma convert, the tool maps your abstract logsource to the concrete log source in your target SIEM. If the mapping does not exist, the conversion fails. For example, category: process_creation maps to Sysmon Event ID 1 in Windows, auditd process exec on Linux, or the corresponding Wazuh decoder. Understanding logsource mappings is essential for troubleshooting conversion issues in Lab 8.4.

The detection Section

This is the heart of every Sigma rule — the logic that determines when the rule fires. The detection section uses three concepts: selections, filters, and a condition that combines them.

Selections

A selection is a set of field-value matches. When all fields in a selection match a log event, the selection is true.

detection:
    selection:
        Image|endswith: '\\schtasks.exe'
        CommandLine|contains: '/create'

This selection matches any log event where the Image field ends with \schtasks.exe AND the CommandLine field contains /create.

Field Modifiers

Sigma provides modifiers that control how field values are matched:

Modifier	Meaning	Example
`	contains`	Field contains the value as a substring
`	endswith`	Field ends with the value
`	startswith`	Field starts with the value
`	re`	Regular expression match
`	all`	All values in a list must match (AND logic)
`	base64`	Match Base64-encoded version of the value
(none)	Exact match	`EventID: 1`

Multiple Selections

You can define multiple named selections and combine them in the condition:

detection:
    selection_process:
        Image|endswith: '\\powershell.exe'
    selection_args:
        CommandLine|contains:
            - '-EncodedCommand'
            - '-enc'
    filter_admin:
        User: 'SYSTEM'
        ParentImage|endswith: '\\sccm.exe'
    condition: (selection_process and selection_args) and not filter_admin

The condition Field

The condition is a Boolean expression that combines selections and filters:

Operator	Meaning	Example
`and`	Both must be true	`selection_process and selection_args`
`or`	Either can be true	`selection_file or selection_registry`
`not`	Negation	`not filter_admin`
`1 of selection_*`	Any one of the named selections prefixed with `selection_`	`1 of selection_*`
`all of selection_*`	All named selections must match	`all of selection_*`

💡

The pattern selection and not filter is the most common Sigma condition. The selection catches the suspicious activity. The filter excludes known-good activity. You will use this pattern in almost every rule you write in Labs 8.2–8.5.

Severity, Tags, and Output Fields

level

The severity level determines how urgently analysts should respond:

Level	Meaning	Typical Action
`informational`	Context only, not suspicious by itself	Log for enrichment, no alert
`low`	Minor anomaly, possibly benign	Review during daily checks
`medium`	Suspicious, warrants investigation	Investigate within 4 hours
`high`	Likely malicious, requires prompt response	Investigate within 1 hour
`critical`	Active compromise, immediate action needed	Investigate immediately

fields

A list of log fields that should be included in the alert output. These help analysts triage faster by showing relevant context without opening the raw log:

fields:
    - Image
    - CommandLine
    - ParentImage
    - User
    - Computer

falsepositives

Known scenarios where this rule might fire on legitimate activity. This field serves as documentation for analysts — when they see the alert, they can check these scenarios before escalating.

Sigma detection logic — selections, filters, conditions, and how they combine to create precise detections

Key Takeaways

Every Sigma rule is a YAML document with metadata (title, id, status, author), logsource (what logs to evaluate), detection (the matching logic), and context (level, tags, falsepositives)
The logsource section is the key to Sigma's portability — it abstracts log sources so the same rule works across SIEMs
Selections define what to look for using field-value pairs with modifiers like |contains, |endswith, and |startswith
The condition combines selections and filters using Boolean logic: selection and not filter is the most common pattern
Field modifiers (|contains, |endswith, |all, |re, |base64) control how values are matched against log fields
Severity levels (informational through critical) determine alert priority and analyst response time
ATT&CK tags link every detection to the MITRE framework for coverage mapping and correlation

What's Next

You now know the structure of every Sigma rule field by field. In Lesson 8.3, you will put this knowledge into practice by writing your first detections — rules for brute force attacks, suspicious process creation, and unusual service installations. Lab 8.2 has you write your first Sigma rule from scratch.

Knowledge Check: Sigma Rule Structure

10 questions · 70% to pass

In a Sigma rule, which section determines what type of log the rule evaluates?

What does the Sigma field modifier |endswith do?

What is the most common Sigma condition pattern used in detection rules?

A Sigma rule has status: test. What does this indicate?

In Lab 8.1, you will examine Sigma rules from /opt/sigma-rules/. Which logsource category would a rule use to detect a new process being started?

What is the purpose of the 'fields' section in a Sigma rule?

Which Sigma modifier would you use to match a command line that must contain BOTH '-enc' AND '-nop'?

A Sigma rule has level: high. According to the severity guidelines, how quickly should an analyst investigate this alert?

In Lab 8.2, you will write a brute force detection rule. What is the correct format for ATT&CK tags in a Sigma rule?

Why is the logsource section critical for Sigma rule conversion to different SIEM backends?

0/10 answered

Why Detection Engineering MattersPrevious Writing Your First DetectionNext