@joswr1ght
Created January 24, 2026 14:40
Claude Code Skill for Building Sigma Rules (copy to .claude/commands, invoke with /sigma)
---
description: Generate Sigma detection rules from attack descriptions or observed artifacts
---

Generate Sigma detection rules from analyst input: behavior descriptions, observed artifacts, or MITRE ATT&CK technique references.

## Process

  1. Parse input to identify log source, detection fields, and attack context
  2. Map to log source using the table below
  3. Build detection logic with selection criteria, optional filters, and condition
  4. Generate complete YAML with metadata, tags, and false positive notes
  5. Provide context including conversion commands for target SIEMs

Use defaults when not specified: status experimental, level medium, author Falsimentis IR Team.

## Log Source Reference

| Behavior          | Product | Category           |
|-------------------|---------|--------------------|
| Process execution | windows | process_creation   |
| PowerShell        | windows | ps_script          |
| File events       | windows | file_event         |
| Registry          | windows | registry_event     |
| Network           | windows | network_connection |
| Linux processes   | linux   | process_creation   |
| AWS               | aws     | cloudtrail         |

## Output Template

```yaml
title: <Descriptive title>
id: <UUID>
status: experimental
description: <Detection purpose>
references:
    - <MITRE ATT&CK or relevant URL>
author: IR Team
date: YYYY/MM/DD
tags:
    - attack.<tactic>
    - attack.<technique_id>
logsource:
    product: <product>
    category: <category>
detection:
    selection:
        <field>: <value>
    condition: selection
falsepositives:
    - <Legitimate scenarios>
level: medium
```

## Example

Input: `/sigma outlook.exe spawning cmd.exe or powershell.exe`

```yaml
title: Email Client Spawning Command Shell
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
status: experimental
description: Detects Outlook spawning command interpreters, indicating possible malicious attachment execution.
references:
    - https://attack.mitre.org/techniques/T1204/002/
author: IR Team
date: 2025/01/24
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith: '\outlook.exe'
    selection_child:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
    condition: selection_parent and selection_child
falsepositives:
    - Legitimate Outlook add-ins
level: high
```
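Before handing a generated rule to a SIEM converter, it is worth checking that the detection block fires only on the intended process tree. The following is an added example, not part of the gist or the Sigma project: a minimal evaluator for the example rule's `detection` block (transcribed as a dict rather than loaded from YAML) run over a few constructed Sysmon-style `process_creation` events, applying Sigma's case-insensitive matching and its `not > and > or` condition precedence.

```python
# Detection block of the example rule, transcribed as a Python dict
# (constructed here; a real pipeline would load it from the YAML file).
DETECTION = {
    "selection_parent": {"ParentImage|endswith": "\\outlook.exe"},
    "selection_child": {"Image|endswith": ["\\cmd.exe", "\\powershell.exe"]},
    "condition": "selection_parent and selection_child",
}

# Constructed Sysmon-style process_creation events, not real telemetry.
EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Windows\System32\notepad.exe"},
]

def _field_matches(event, key, expected):
    """Evaluate one 'Field|modifier: value(s)' entry. A list of values is
    OR-ed and, as in Sigma, string comparison is case-insensitive."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    values = expected if isinstance(expected, list) else [expected]
    for value in (str(v).lower() for v in values):
        if (modifier == "endswith" and actual.endswith(value)
                or modifier == "contains" and value in actual
                or modifier == "" and actual == value):
            return True
    return False

def _selection_matches(event, selection):
    """All field entries inside one selection are AND-ed."""
    return all(_field_matches(event, k, v) for k, v in selection.items())

def rule_matches(event, detection=DETECTION):
    """Condition: selection names joined by 'and'/'or', optional 'not';
    precedence not > and > or. No parentheses or '1 of' forms here."""
    results = {k: _selection_matches(event, v)
               for k, v in detection.items() if k != "condition"}
    def term(token):
        negated = token.startswith("not ")
        value = results[token[4:] if negated else token]
        return value != negated
    return any(all(term(t.strip()) for t in clause.split(" and "))
               for clause in detection["condition"].split(" or "))

def matching_indexes(events, detection=DETECTION):
    """Indexes of the events the rule fires on ([0] for EVENTS above)."""
    return [i for i, e in enumerate(events) if rule_matches(e, detection)]
```

Only the first event (Outlook launching cmd.exe) matches; explorer.exe launching PowerShell and Outlook launching notepad.exe do not, which is exactly the scope the rule's two selections describe.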