SIEM
Sigma (generic) detection rules
3,132 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Get the raw rules from SigmaHQ Detection Rules
The raw generic YAML, served by SigmaHQ. Pick a platform above to download a ready-to-deploy converted pack.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance10
Resource Development10
Initial Access10
Execution29
Persistence42
Privilege Escalation20
Stealth80
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control23
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
0 shown of 3,132No rules match your filters.Try clearing the search or selecting "all severities" above.