{ "access": { "embargo": { "active": false, "reason": null }, "files": "public", "record": "public", "status": "open" }, "created": "2025-08-28T20:01:50.948842+00:00", "custom_fields": {}, "deletion_status": { "is_deleted": false, "status": "P" }, "files": { "count": 1, "enabled": true, "entries": { "SIGMA \u2013 A Universal Detection Rule Language From Basics To SIEM Integration v. 2.2.pdf": { "access": { "hidden": false }, "checksum": "md5:fc7377b740e097ce84048c2d6835aabd", "ext": "pdf", "id": "a06222b6-9b47-4ef3-8f32-22ec96da9a1d", "key": "SIGMA \u2013 A Universal Detection Rule Language From Basics To SIEM Integration v. 2.2.pdf", "links": { "content": "https://zenodo.org/api/records/16989643/files/SIGMA%20%E2%80%93%20A%20Universal%20Detection%20Rule%20Language%20From%20Basics%20To%20SIEM%20Integration%20v.%202.2.pdf/content", "iiif_api": "https://zenodo.org/api/iiif/record:16989643:SIGMA%20%E2%80%93%20A%20Universal%20Detection%20Rule%20Language%20From%20Basics%20To%20SIEM%20Integration%20v.%202.2.pdf/full/full/0/default.png", "iiif_base": "https://zenodo.org/api/iiif/record:16989643:SIGMA%20%E2%80%93%20A%20Universal%20Detection%20Rule%20Language%20From%20Basics%20To%20SIEM%20Integration%20v.%202.2.pdf", "iiif_canvas": "https://zenodo.org/api/iiif/record:16989643/canvas/SIGMA%20%E2%80%93%20A%20Universal%20Detection%20Rule%20Language%20From%20Basics%20To%20SIEM%20Integration%20v.%202.2.pdf", "iiif_info": "https://zenodo.org/api/iiif/record:16989643:SIGMA%20%E2%80%93%20A%20Universal%20Detection%20Rule%20Language%20From%20Basics%20To%20SIEM%20Integration%20v.%202.2.pdf/info.json", "self": "https://zenodo.org/api/records/16989643/files/SIGMA%20%E2%80%93%20A%20Universal%20Detection%20Rule%20Language%20From%20Basics%20To%20SIEM%20Integration%20v.%202.2.pdf" }, "metadata": { "height": 842, "width": 595 }, "mimetype": "application/pdf", "size": 950245, "storage_class": "L" } }, "order": [], "total_bytes": 950245 }, "id": "16989643", "is_draft": false, "is_published": true, "links": { "access": "https://zenodo.org/api/records/16989643/access", "access_grants": "https://zenodo.org/api/records/16989643/access/grants", "access_links": "https://zenodo.org/api/records/16989643/access/links", "access_request": "https://zenodo.org/api/records/16989643/access/request", "access_users": "https://zenodo.org/api/records/16989643/access/users", "archive": "https://zenodo.org/api/records/16989643/files-archive", "archive_media": "https://zenodo.org/api/records/16989643/media-files-archive", "communities": "https://zenodo.org/api/records/16989643/communities", "communities-suggestions": "https://zenodo.org/api/records/16989643/communities-suggestions", "doi": "https://doi.org/10.5281/zenodo.16989643", "draft": "https://zenodo.org/api/records/16989643/draft", "file_modification": "https://zenodo.org/api/records/16989643/file-modification", "files": "https://zenodo.org/api/records/16989643/files", "latest": "https://zenodo.org/api/records/16989643/versions/latest", "latest_html": "https://zenodo.org/records/16989643/latest", "media_files": "https://zenodo.org/api/records/16989643/media-files", "parent": "https://zenodo.org/api/records/16989642", "parent_doi": "https://doi.org/10.5281/zenodo.16989642", "parent_doi_html": "https://zenodo.org/doi/10.5281/zenodo.16989642", "parent_html": "https://zenodo.org/records/16989642", "preview_html": "https://zenodo.org/records/16989643?preview=1", "quota_increase": "https://zenodo.org/api/records/16989643/quota-increase", "request_deletion": "https://zenodo.org/api/records/16989643/request-deletion", "requests": "https://zenodo.org/api/records/16989643/requests", "reserve_doi": "https://zenodo.org/api/records/16989643/draft/pids/doi", "self": "https://zenodo.org/api/records/16989643", "self_doi": "https://doi.org/10.5281/zenodo.16989643", "self_doi_html": "https://zenodo.org/doi/10.5281/zenodo.16989643", "self_html": "https://zenodo.org/records/16989643", "self_iiif_manifest": "https://zenodo.org/api/iiif/record:16989643/manifest", "self_iiif_sequence": "https://zenodo.org/api/iiif/record:16989643/sequence/default", "thumbnails": { "10": "https://zenodo.org/api/iiif/record:16989643:SIGMA%20%E2%80%93%20A%20Universal%20Detection%20Rule%20Language%20From%20Basics%20To%20SIEM%20Integration%20v.%202.2.pdf/full/%5E10,/0/default.jpg", "100": "https://zenodo.org/api/iiif/record:16989643:SIGMA%20%E2%80%93%20A%20Universal%20Detection%20Rule%20Language%20From%20Basics%20To%20SIEM%20Integration%20v.%202.2.pdf/full/%5E100,/0/default.jpg", "1200": "https://zenodo.org/api/iiif/record:16989643:SIGMA%20%E2%80%93%20A%20Universal%20Detection%20Rule%20Language%20From%20Basics%20To%20SIEM%20Integration%20v.%202.2.pdf/full/%5E1200,/0/default.jpg", "250": "https://zenodo.org/api/iiif/record:16989643:SIGMA%20%E2%80%93%20A%20Universal%20Detection%20Rule%20Language%20From%20Basics%20To%20SIEM%20Integration%20v.%202.2.pdf/full/%5E250,/0/default.jpg", "50": "https://zenodo.org/api/iiif/record:16989643:SIGMA%20%E2%80%93%20A%20Universal%20Detection%20Rule%20Language%20From%20Basics%20To%20SIEM%20Integration%20v.%202.2.pdf/full/%5E50,/0/default.jpg", "750": "https://zenodo.org/api/iiif/record:16989643:SIGMA%20%E2%80%93%20A%20Universal%20Detection%20Rule%20Language%20From%20Basics%20To%20SIEM%20Integration%20v.%202.2.pdf/full/%5E750,/0/default.jpg" }, "versions": "https://zenodo.org/api/records/16989643/versions" }, "media_files": { "count": 1, "enabled": true, "entries": { "SIGMA \u2013 A Universal Detection Rule Language From Basics To SIEM Integration v. 2.2.pdf.ptif": { "access": { "hidden": true }, "ext": "ptif", "id": "938db54c-249a-4ca6-a521-8f5d24afa0f0", "key": "SIGMA \u2013 A Universal Detection Rule Language From Basics To SIEM Integration v. 2.2.pdf.ptif", "links": { "content": "https://zenodo.org/api/records/16989643/files/SIGMA%20%E2%80%93%20A%20Universal%20Detection%20Rule%20Language%20From%20Basics%20To%20SIEM%20Integration%20v.%202.2.pdf.ptif/content", "self": "https://zenodo.org/api/records/16989643/files/SIGMA%20%E2%80%93%20A%20Universal%20Detection%20Rule%20Language%20From%20Basics%20To%20SIEM%20Integration%20v.%202.2.pdf.ptif" }, "metadata": null, "mimetype": "application/octet-stream", "processor": { "source_file_id": "a06222b6-9b47-4ef3-8f32-22ec96da9a1d", "status": "finished", "type": "image-tiles" }, "size": 0, "storage_class": "L" } }, "order": [], "total_bytes": 0 }, "metadata": { "creators": [ { "person_or_org": { "family_name": "Ciemski", "given_name": "Wojciech", "identifiers": [ { "identifier": "0009-0001-8367-5403", "scheme": "orcid" } ], "name": "Ciemski, Wojciech", "type": "personal" }, "role": { "id": "researcher", "title": { "de": "WissenschaftlerIn", "en": "Researcher" } } } ], "dates": [ { "date": "2025-08-28", "type": { "id": "submitted", "title": { "de": "Eingereicht", "en": "Submitted" } } } ], "description": "

SIGMA – A Universal Detection Rule Language: From Basics To SIEM Integration v.2.2 is a comprehensive guide to understanding, writing, and operationalizing Sigma detection rules. Sigma has become the de facto standard for expressing log-based detections in a SIEM-agnostic way, enabling analysts to “write once, detect everywhere.”

\n

This publication explains the evolution of Sigma (from early YAML prototypes to the current 2.0 specification), the anatomy of Sigma rules, and practical steps to create, validate, and test detections. It covers tooling such as pySigma and sigma-cli, and shows how Sigma rules can be translated and deployed across multiple platforms including Splunk, Elastic, IBM QRadar, and Microsoft Sentinel.

\n

Advanced chapters explore performance tuning, false positive reduction, contextual correlation, enrichment strategies, and QA workflows. Real-world detection scenarios such as malicious PowerShell, credential dumping, lateral movement, and ransomware kill-chains are included, with examples of Sigma rules and their equivalents in native SIEM languages.

\n

The guide is aimed at SOC analysts, detection engineers, and threat hunters, providing both theoretical foundations and actionable techniques to build reliable, portable detections across diverse environments.

", "identifiers": [ { "identifier": "https://securitybeztabu.pl", "scheme": "url" }, { "identifier": "https://www.linkedin.com/in/wojciech-ciemski", "scheme": "url" }, { "identifier": "https://securitybeyondtaboo.com", "scheme": "url" } ], "languages": [ { "id": "eng", "title": { "en": "English" } } ], "publication_date": "2025-08-28", "publisher": "Wojciech Ciemski", "references": [ { "reference": "https://graylog.org/post/the-ultimate-guide-to-sigma-rules/; https://attack.mitre.org/techniques/T1021/001/; https://blog.sigmahq.io/connecting-sigma-rule-sets-to-your-environment-with-processing-pipelines-4ee1bd577070; https://blog.sigmahq.io/how-to-validate-sigma-rules-with-github-actions-for-improved-security-monitoring-3d23a23803ff; https://blog.sigmahq.io/introducing-sigma-filters-204bd896273; https://blog.sigmahq.io/introducing-sigma-specification-v2-0-25f81a926ff0; https://blog.sigmahq.io/sigmahq-rules-release-highlights-r2024-03-26-50b086b2f540; https://blog.sigmahq.io/sigmahq-rules-release-highlights-r2024-05-13-237ed77459bf; https://blog.sigmahq.io/sigma-rule-repository-enhancements-new-folder-structure-rule-types-30adb70f5e10; https://cardinalops.com/blog/splunk-and-other-siem-detections-for-follina/; https://community.opentext.com/cybersec/threat-detect-response/f/discussions/105445/sigma-rules-guide-threat-hunting-for-esm-arcsight-command-center-and-logger; https://cymulate.com/blog/cymulates-sigma-rules/; https://detection.fyi/mbabinski/sigma-rules/2024_redcanary_threatdetectionreport/technique_powershell_encoded_command/; https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_lsass_default_dump_file_names/; https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz/; https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_msra_process_injection/; https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_base64_hidden_flag/; https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass/; https://docs.alphasoc.com/detections_and_findings/sigma_custom/; https://enescayvarli.medium.com/sigma-rules-to-splunk-from-detection-logic-to-real-time-alerts-c1c8900ca660; https://github.com/SigmaHQ/pySigma; https://github.com/SigmaHQ/sigma; https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide/97c55ea762e775787c1f38a623a8ae12de94253b; https://graylog.org/post/sigma-specification-2-0-what-you-need-to-know/; https://marketplace.visualstudio.com/items?itemName=humpalum.sigma; https://medium.com/@Architekt.exe/writing-your-first-sigma-rule-5ed783c87570; https://medium.com/@balasubramanya.c/advanced-guide-to-sigma-rules-for-elastic-siem-web-server-log-analysis-3fd595c9e74d; https://medium.com/@imanvanpersien/mitre-att-ck-framework-as-a-standard-for-developing-siem-use-cases-d7dc7db4e1ba; https://micahbabinski.medium.com/creating-a-sigma-backend-for-fun-and-no-profit-ed16d20da142; https://pypi.org/project/pySigma/; https://readsecurity.medium.com/powerful-powershell-commands-to-monitor-for-attack-detections-2397b4f154d1; https://securitybeztabu.pl/sigma-uniwersalny-jezyk-regul-detekcji-czesc-1/; https://securitybeztabu.pl/sigma-uniwersalny-jezyk-regul-detekcji-czesc-2/; https://sigmahq.io/docs/basics/conditions.html; https://sigmahq.io/docs/basics/log-sources.html; https://sigmahq.io/docs/basics/modifiers.html; https://sigmahq.io/docs/basics/rules.html; https://sigmahq.io/docs/digging-deeper/backends; https://sigmahq.io/docs/guide/about; https://sigmahq.io/docs/guide/getting-started.html; https://sigmahq.io/docs/meta/; https://socprime.com/blog/uncoder-ai-automates-mitre-attck-tagging-in-sigma-rules/; https://www.logpoint.com/en/blog/how-to-use-logpoint-pysigma-backend-for-threat-detection/; https://www.nextron-systems.com/2018/02/10/write-sigma-rules/; https://www.picussecurity.com/resource/detection-and-prevention-in-the-late-phase-of-the-ransomware-attacks; https://www.reddit.com/r/QRadar/comments/13179z9/ho_to_fix_field_does_not_exist_in_catalog_events/" } ], "resource_type": { "id": "publication-report", "title": { "de": "Bericht", "en": "Report" } }, "rights": [ { "description": { "en": "The Creative Commons Attribution license allows re-distribution and re-use of a licensed work on the condition that the creator is appropriately credited." }, "icon": "cc-by-icon", "id": "cc-by-4.0", "props": { "scheme": "spdx", "url": "https://creativecommons.org/licenses/by/4.0/legalcode" }, "title": { "en": "Creative Commons Attribution 4.0 International" } } ], "subjects": [ { "subject": "Cybersecurity" }, { "subject": "Sigma rules" }, { "subject": "Detection engineering" }, { "subject": "SIEM integration" }, { "subject": "Threat detection" }, { "subject": "Log analysis" }, { "subject": "Splunk" }, { "subject": "Elastic Stack" }, { "subject": "IBM QRadar" }, { "subject": "Microsoft Sentinel" }, { "subject": "SOC operations" }, { "subject": "MITRE ATT&CK" }, { "subject": "Threat hunting" } ], "title": "SIGMA \u2013 A Universal Detection Rule Language From Basics To SIEM Integration", "version": "2.2" }, "parent": { "access": { "owned_by": { "user": "1382043" }, "settings": { "accept_conditions_text": null, "allow_guest_requests": false, "allow_user_requests": false, "secret_link_expiration": 0 } }, "communities": {}, "id": "16989642", "pids": { "doi": { "client": "datacite", "identifier": "10.5281/zenodo.16989642", "provider": "datacite" } } }, "pids": { "doi": { "client": "datacite", "identifier": "10.5281/zenodo.16989643", "provider": "datacite" }, "oai": { "identifier": "oai:zenodo.org:16989643", "provider": "oai" } }, "revision_id": 10, "stats": { "all_versions": { "data_volume": 141586505.0, "downloads": 149, "unique_downloads": 116, "unique_views": 812, "views": 842 }, "this_version": { "data_volume": 141586505.0, "downloads": 149, "unique_downloads": 116, "unique_views": 812, "views": 842 } }, "status": "published", "swh": {}, "updated": "2025-08-28T20:47:48.297390+00:00", "versions": { "index": 1, "is_latest": true } }