# Build Sigma Detection Rules

Security teams need portable detection logic that works across SIEM platforms. This skill helps create Sigma rules, map them to ATT&CK, and prepare them for hunting or compliance workflows.

## Install

```bash
npx skillstore add agentsecops/detection-sigma
```

## Metadata

- Status: approved
- Slug: agentsecops-detection-sigma
- Version: 0.1.0
- Author: AgentSecOps
- GitHub username: AgentSecOps
- License: MIT
- Repository: https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/incident-response/detection-sigma
- Ref: main
- Supported tools: Claude, Codex, Claude Code
- Risk level: medium
- Risk factors: network, external_commands
- Quality score: 75
- Public page: https://skillstore.pages.dev/skills/agentsecops-detection-sigma
- Manifest: https://skillstore.pages.dev/api/skills/agentsecops-detection-sigma/manifest

## Capabilities

- Drafts Sigma rule logic for common attack techniques and log sources.
- Explains field modifiers such as contains, endswith, regular expressions, and encoding modifiers.
- Maps detections to MITRE ATT&CK tactics and techniques using bundled references.
- Provides templates for credential access, lateral movement, persistence, privilege escalation, and compliance monitoring.
- Guides conversion planning for SIEM backends such as Splunk, Elasticsearch, QRadar, and Microsoft Sentinel.
- Suggests validation, tuning, false positive handling, and documentation steps for detection-as-code workflows.

## Use Cases

- Create Portable Detections: Build Sigma rules that can be reviewed, versioned, and converted for multiple SIEM platforms.
- Plan Threat Hunts: Translate ATT&CK techniques into hunting logic with required log sources, fields, and false positive notes.
- Map Compliance Coverage: Connect audit logging requirements to Sigma-style monitoring rules and evidence collection workflows.

## Prompt Templates

### Draft a Basic Rule

```
Create a Sigma rule for detecting suspicious PowerShell execution. Include log source, detection logic, false positives, level, and ATT&CK tags.
```
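As an added example (not code from the skill or its bundled templates), here is a constructed Sigma rule of the kind the prompt above asks for, together with a minimal stand-in evaluator for the `contains`, `endswith` and `|all` modifiers listed under Capabilities, run over constructed process-creation events. The rule contents, the `filter_agent` exclusion and the events are assumptions; real backend conversion should go through pySigma as the Limitations section notes.

```python
import re

# Constructed example rule in Sigma's YAML data model (a dict here so it runs without
# PyYAML); it is hypothetical and not one of the skill's bundled templates.
RULE = {
    "title": "Suspicious PowerShell Execution",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-EncodedCommand", "-enc ", "bypass", "hidden"],
        },
        # hypothetical management-agent parent used to show false-positive filtering
        "filter_agent": {"ParentImage|endswith": "\\mgmt_agent.exe"},
        "condition": "selection and not filter_agent",
    },
    "falsepositives": ["Administrative scripts launched by management agents"],
    "level": "high",
    "tags": ["attack.execution", "attack.t1059.001"],
}

def _match_one(mod: str, actual: str, expected: str) -> bool:
    if mod == "re":  # the regex modifier is case-sensitive in Sigma
        return re.search(expected, actual) is not None
    a, e = actual.lower(), expected.lower()  # plain string modifiers are case-insensitive
    return {"contains": e in a, "endswith": a.endswith(e),
            "startswith": a.startswith(e)}.get(mod, a == e)

def _field_matches(key: str, expected, event: dict) -> bool:
    name, *mods = key.split("|")  # e.g. "CommandLine|contains|all"
    mod = next((m for m in mods if m in ("contains", "endswith", "startswith", "re")), "")
    values = expected if isinstance(expected, list) else [expected]
    hits = [_match_one(mod, str(event.get(name, "")), str(v)) for v in values]
    return all(hits) if "all" in mods else any(hits)  # list values are OR-ed unless |all

def rule_matches(rule: dict, event: dict) -> bool:
    det = rule["detection"]
    # every field inside one selection map is AND-ed
    result = {k: all(_field_matches(f, v, event) for f, v in sel.items())
              for k, sel in det.items() if k != "condition"}
    pos, neg = det["condition"].split(" and not ")  # only "X and not Y" is supported here
    return result[pos] and not result[neg]

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [  # constructed process_creation events, not real telemetry
    {"Image": PS, "CommandLine": "powershell.exe -w hidden -EncodedCommand AAAA", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": PS, "CommandLine": "powershell.exe -w hidden -EncodedCommand AAAA", "ParentImage": "C:\\Agent\\mgmt_agent.exe"},
    {"Image": PS, "CommandLine": "powershell.exe -Command Get-Date", "ParentImage": "C:\\Windows\\explorer.exe"},
]
```

Running `rule_matches(RULE, e)` over `EVENTS` flags only the first event: the second is excluded by the parent-process filter and the third never satisfies the command-line selection.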

### Tune an Existing Rule

```
Review this Sigma rule for noisy conditions. Suggest filters, field changes, and test cases while preserving the detection objective.
```

### Map a Technique

```
For ATT&CK technique T1021, propose Sigma detection ideas, required logs, important fields, and likely benign activity to exclude.
```

### Design Detection Coverage

```
Build a Sigma detection coverage plan for credential access across Windows endpoints. Include rule families, log sources, ATT&CK mappings, validation steps, and deployment cautions.
```

## Limitations

- The packaged file tree does not include the runnable scripts referenced by the documentation.
- Generated rules still require testing against local log schemas and historical data.
- Backend conversion quality depends on pySigma plugins and environment-specific field mappings.
- The skill does not deploy rules or authenticate to SIEM platforms by itself.

## Best Practices

- Test each rule against known-good and known-bad samples before production deployment.
- Keep rules in version control with owners, change history, ATT&CK tags, and compliance mappings.
- Replace placeholder credentials, URLs, and field names before using deployment examples.

## Anti Patterns

- Do not deploy generated rules without validating local log availability and field mappings.
- Do not include real secrets, customer data, or sensitive indicators in shared rule examples.
- Do not copy deployment snippets that disable TLS verification or use placeholder credentials.

## Security Audit

- Safe to publish: true
- Audited at: 2026-06-28T05:30:32.037+00:00
- Summary: Static analysis reported many critical and high indicators, but most are false positives caused by Sigma detection examples, ATT&CK terminology, markdown command snippets, and reference URLs. One real documentation risk remains: a Splunk deployment example uses placeholder credentials and disables TLS verification. No confirmed malicious intent or prompt injection attempt was found, so publication is acceptable with a security warning.

## Stats

- Views: 579
- Downloads: 6
- Favorites: 0
- Popularity score: 0
