Downloads

Detection rule packs

26 ready-to-deploy packs · built 20260616-2347
The full Sigma detection corpus, machine-converted to each SIEM and EDR query language and packaged to deploy. Pick your platform below and import the pack straight into your tooling. The corpora we did not author - YARA, Falco, Suricata, MITRE CAR, and the raw Sigma YAML - are linked to their upstream sources rather than re-hosted.

Ready-to-deploy packs

26 platforms

ClickHouse

3,734 rules · 1.4 MB · Detection Rule License (DRL) 1.1
Download .zip

CrowdStrike LogScale

3,706 rules · 1.3 MB · Detection Rule License (DRL) 1.1
Download .zip

Datadog Cloud SIEM

3,618 rules · 1.3 MB · Detection Rule License (DRL) 1.1
Download .zip

ElastAlert

3,731 rules · 2.0 MB · Detection Rule License (DRL) 1.1
Download .zip

Elastic (Lucene)

3,731 rules · 1.3 MB · Detection Rule License (DRL) 1.1
Download .zip

Elastic EQL

3,731 rules · 1.3 MB · Detection Rule License (DRL) 1.1
Download .zip

Elastic ES|QL

3,627 rules · 1.4 MB · Detection Rule License (DRL) 1.1
Download .zip

Google SecOps / Chronicle

3,728 rules · 1.3 MB · Detection Rule License (DRL) 1.1
Download .zip

Grafana Loki (LogQL)

3,740 rules · 1.5 MB · Detection Rule License (DRL) 1.1
Download .zip

IBM QRadar (AQL)

3,735 rules · 1.5 MB · Detection Rule License (DRL) 1.1
Download .zip

Logpoint

3,728 rules · 1.3 MB · Detection Rule License (DRL) 1.1
Download .zip

Microsoft Sentinel / Defender (KQL)

3,731 rules · 1.3 MB · Detection Rule License (DRL) 1.1
Download .zip

NetWitness

3,731 rules · 1.3 MB · Detection Rule License (DRL) 1.1
Download .zip

OpenSearch (Lucene)

3,731 rules · 1.3 MB · Detection Rule License (DRL) 1.1
Download .zip

OpenSearch (PPL)

3,731 rules · 1.4 MB · Detection Rule License (DRL) 1.1
Download .zip

Palo Alto Cortex XDR

1,524 rules · 675 KB · Detection Rule License (DRL) 1.1
Download .zip

Panther

3,742 rules · 1.7 MB · Detection Rule License (DRL) 1.1
Download .zip

Quickwit

3,512 rules · 1.2 MB · Detection Rule License (DRL) 1.1
Download .zip

Rapid7 InsightIDR

1,436 rules · 507 KB · Detection Rule License (DRL) 1.1
Download .zip

SentinelOne (Deep Visibility)

1,640 rules · 632 KB · Detection Rule License (DRL) 1.1
Download .zip

SentinelOne (PowerQuery)

1,633 rules · 617 KB · Detection Rule License (DRL) 1.1
Download .zip

Splunk SPL

3,733 rules · 1.3 MB · Detection Rule License (DRL) 1.1
Download .zip

Splunk SPL2

3,734 rules · 1.4 MB · Detection Rule License (DRL) 1.1
Download .zip

Sumo Logic CSE

3,489 rules · 5.1 MB · Detection Rule License (DRL) 1.1
Download .zip

Sumo Logic CSE Rule

3,489 rules · 5.1 MB · Detection Rule License (DRL) 1.1
Download .zip

VMware Carbon Black

3,646 rules · 1.2 MB · Detection Rule License (DRL) 1.1
Download .zip

Each pack holds one file per rule in the target query language, plus a NOTICE file with attribution. Map field names to your log schema and tune thresholds before you trust an alert.

From the source

5 upstream

SigmaHQ Detection Rules

Raw SigmaHQ rules. Clone the repo, or use the per-backend converted packs above.
Detection Rule License (DRL) 1.1 · Sigma rules from SigmaHQ under DRL 1.1.
Get from source

Florian Roth signature-base YARA rules

Florian Roth signature-base YARA rules. Clone the repo for the full set.
Detection Rule License (DRL) 1.1 (most rules) · YARA rules from Neo23x0/signature-base under DRL 1.1.
Get from source

Falco Runtime Detection Rules

Falco runtime detection rules. Clone the repo.
Apache 2.0 · Falco runtime rules (Apache 2.0).
Get from source

Proofpoint Suricata ET-Open Ruleset

Proofpoint Emerging Threats Open Suricata ruleset. Download from the source.
BSD 2-Clause · Suricata rules from Proofpoint ET-Open (BSD-2 licensed).
Get from source

MITRE Cyber Analytics Repository

MITRE Cyber Analytics Repository. Browse or clone from the source.
Apache 2.0 · MITRE Cyber Analytics Repository, Apache License 2.0.
Get from source

We link to these rather than re-host them: they are served free upstream, and their license terms are clearest when taken from the source.