
building-detection-rules-with-sigma

Builds vendor-agnostic detection rules using the Sigma rule format for threat detection across SIEM platforms including Splunk, Elastic, and Microsoft Sentinel. Use when creating portable detection logic from threat intelligence, mapping rules to MITRE ATT&CK techniques, or converting community Sigma rules into platform-specific queries using sigmac or pySigma backends.
26zl/cybersec-toolkit · ★ 6 · AI & Automation · score 79
Install: claude install-skill 26zl/cybersec-toolkit
# Building Detection Rules with Sigma

## When to Use

Use this skill when:

- SOC engineers need to create detection rules portable across multiple SIEM platforms
- Threat intelligence reports describe TTPs requiring new detection coverage
- Existing vendor-specific rules need standardization into a shareable format
- The team adopts Sigma as a detection-as-code standard in CI/CD pipelines

**Do not use** for real-time streaming detection (Sigma is for batch/scheduled searches) or when the target SIEM has native detection features that Sigma cannot express (e.g., Splunk RBA risk scoring).

## Prerequisites

- Python 3.8+ with `pySigma` and an appropriate backend (`pySigma-backend-splunk`, `pySigma-backend-elasticsearch`, `pySigma-backend-microsoft365defender`)
- Sigma rule repository cloned: `git clone https://github.com/SigmaHQ/sigma.git`
- MITRE ATT&CK framework knowledge for technique mapping
- Understanding of target SIEM log source field mappings

## Workflow

### Step 1: Define Detection Logic from Threat Intelligence

Start with a threat report or ATT&CK technique. Example: detecting Mimikatz credential dumping (T1003.001 — LSASS Memory):

```yaml
title: Mimikatz Credential Dumping via LSASS Access
id: 0d894093-71bc-43c3-8d63-bf520e73a7c5
status: stable
level: high
description: Detects process accessing lsass.exe memory, indicative of credential dumping tools like Mimikatz
references:
  - https://attack.mitre.org/techniques/T1003/001/
  - https://github.com/gentilkiwi
```
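To make the mechanics behind the rule and the later conversion step concrete, here is an added example that is not part of the original skill or of pySigma: a stdlib-only Python script that evaluates a Sigma rule's `detection` section (a `selection` block, an optional `filter` block, and a `selection and not filter` condition) against sample events, and renders the same logic as a Splunk search string the way a backend would. It assumes the rule has already been loaded into a Python dict (pySigma or PyYAML would do that from the `.yaml` file); the `detection` block, the `GrantedAccess` values, the Sysmon Event ID 10 sample events and the logsource-to-SPL mapping are all constructed for illustration and are not the community rule's actual content.

```python
# Added example (not from the original page): a stdlib-only Sigma-subset evaluator
# and Splunk SPL converter. Assumes the rule is already a dict (pySigma/PyYAML
# would load it from .yaml); rule values, events and logsource mapping are constructed.
import fnmatch
import re

# Constructed rule mirroring the page's LSASS-access example, using Sysmon
# Event ID 10 (ProcessAccess) field names; GrantedAccess values are illustrative.
SIGMA_RULE = {
    "title": "Mimikatz Credential Dumping via LSASS Access",
    "logsource": {"product": "windows", "category": "process_access"},
    "detection": {
        "selection": {
            "TargetImage|endswith": "\\lsass.exe",
            "GrantedAccess|contains": ["0x1010", "0x1410"],
        },
        "filter": {"SourceImage|endswith": ["\\MsMpEng.exe", "\\csrss.exe"]},
        "condition": "selection and not filter",
    },
}

# Assumed logsource mapping (what a pySigma processing pipeline would supply):
# Sysmon process_access events are Event ID 10.
LOGSOURCE_SPL = {
    ("windows", "process_access"):
        'source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=10',
}

# Sigma value modifiers: how to test a field value, and how to render it in SPL.
MODIFIERS = {
    None:         (lambda v, p: fnmatch.fnmatchcase(v, p), "{}"),
    "endswith":   (lambda v, p: v.endswith(p),             "*{}"),
    "startswith": (lambda v, p: v.startswith(p),           "{}*"),
    "contains":   (lambda v, p: p in v,                    "*{}*"),
}

def _parse_condition(condition):
    """Support only the common 'selection [and not filter]' condition shape."""
    m = re.fullmatch(r"\s*(\w+)(?:\s+and\s+not\s+(\w+))?\s*", condition)
    if not m:
        raise ValueError(f"unsupported condition: {condition!r}")
    return m.group(1), m.group(2)

def _entries(block):
    """Yield (field, modifier, [values]) for each 'Field|modifier: value(s)' entry."""
    for key, patterns in block.items():
        field, _, modifier = key.partition("|")
        values = patterns if isinstance(patterns, list) else [patterns]
        yield field, (modifier or None), values

def _block_matches(block, event):
    """Entries in a search block are ANDed; a list of values for one field is ORed.
    Sigma string matching is case-insensitive, so both sides are lowercased."""
    for field, modifier, values in _entries(block):
        test = MODIFIERS[modifier][0]
        value = str(event.get(field, "")).lower()
        if field not in event or not any(test(value, str(p).lower()) for p in values):
            return False
    return True

def matches(rule, event):
    """Evaluate one event against the rule's detection section."""
    det = rule["detection"]
    selection, exclusion = _parse_condition(det["condition"])
    if not _block_matches(det[selection], event):
        return False
    return not (exclusion and _block_matches(det[exclusion], event))

def run_rule(rule, events):
    """Return the events the rule fires on, as a scheduled search would."""
    return [e for e in events if matches(rule, e)]

def _block_terms(block):
    """Render each search-block entry as one SPL term; value lists become OR groups."""
    terms = []
    for field, modifier, values in _entries(block):
        alts = []
        for p in values:
            escaped = str(p).replace("\\", "\\\\").replace('"', '\\"')
            alts.append(f'{field}="{MODIFIERS[modifier][1].format(escaped)}"')
        terms.append(alts[0] if len(alts) == 1 else "(" + " OR ".join(alts) + ")")
    return terms

def to_spl(rule):
    """Convert the rule to a Splunk search string (a tiny stand-in for a backend)."""
    det = rule["detection"]
    selection, exclusion = _parse_condition(det["condition"])
    ls = rule["logsource"]
    parts = [LOGSOURCE_SPL[(ls["product"], ls["category"])]]
    parts += _block_terms(det[selection])          # adjacent SPL terms are ANDed
    if exclusion:
        excl = _block_terms(det[exclusion])
        parts.append("NOT " + (excl[0] if len(excl) == 1 else "(" + " ".join(excl) + ")"))
    return " ".join(parts)

# Constructed Sysmon Event ID 10 samples: a credential-dump attempt, a benign
# Defender scan that the filter should suppress, and an unrelated access.
SAMPLE_EVENTS = [
    {"SourceImage": "C:\\Users\\alice\\Downloads\\mimikatz.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1410"},
    {"SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\services.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    print(to_spl(SIGMA_RULE))
    for hit in run_rule(SIGMA_RULE, SAMPLE_EVENTS):
        print("ALERT:", hit["SourceImage"], "->", hit["TargetImage"])
```

The point to notice is the one that bites in real conversions: the `filter` block exists precisely so that a known benign accessor (here the Defender engine) does not page the SOC, and the backend has to carry that exclusion through as `NOT (...)` with the backslashes escaped the way the target query language expects. Running the script prints the SPL and a single alert for the constructed `mimikatz.exe` event; the Defender event is suppressed by the filter and the `services.exe` access never matches the selection. With a real pySigma backend you would get the same shape of query plus whatever field renames the processing pipeline applies for your SIEM.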