Module 3 · Detection Engineering with Sigma

Manish Garg
Associate of (ISC)² · RingSafe
Apr 22, 2026
7 min read

Last updated: April 29, 2026

Sigma rule anatomy, the two mistakes beginners make, tuning workflow, and detection-as-code in Git.

Detection engineering is the discipline of turning “attackers do X” into queries that reliably fire when X happens and stay quiet when it doesn’t. Sigma is the de-facto cross-SIEM rule format for expressing those detections — write once in YAML, convert to Splunk SPL, KQL for Sentinel, Lucene for Elastic, or any other backend. This module walks through the Sigma rule anatomy, the two mistakes most beginners make, and the workflow for taking a rule from idea to production without burying the SOC in false positives.

What Sigma is and is not

Sigma is a YAML specification maintained by SigmaHQ (GitHub: SigmaHQ/sigma). A Sigma rule describes a log-event match pattern in a vendor-neutral way. A converter tool (sigmac, or the newer pySigma) translates it to the query language of your SIEM. The community repo ships 3000+ rules covering common Windows, Linux, cloud, and network detections.

What Sigma is not: a SIEM, a detection platform, or an execution engine. It is a rule specification. You still need a SIEM to run the converted queries, and you still need to tune them against your environment.
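As an added example (not code from this module or from SigmaHQ), here is a small stdlib-only Python evaluator for the detection section of a Sigma rule. It shows how a selection map, a filter map, the `|endswith`-style value modifiers and the `condition` line combine when a rule is run over events. The rule, the monitoring-agent path and the three process-creation events are constructed; in practice pySigma or a SIEM backend does the conversion and the SIEM runs the query.

```python
import re

# Constructed rule, the Python form of the YAML a Sigma rule would hold;
# the filter name and agent path are hypothetical.
RULE = {
    "title": "Whoami Execution (constructed example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\whoami.exe"},
        "filter_agent": {"ParentImage|endswith": ["\\monitor_agent.exe"]},
        "condition": "selection and not filter_agent",
    },
}
# One field value against one pattern; Sigma string matching is case-insensitive.
def _value_matches(value, modifier, pattern):
    if value is None:
        return False
    v, p = str(value).lower(), str(pattern).lower()
    ops = {"contains": p in v, "startswith": v.startswith(p), "endswith": v.endswith(p), "": v == p}
    return ops[modifier]

# A detection map: every key must match (AND); a list of values for one key is OR.
def _map_matches(mapping, event):
    for key, patterns in mapping.items():
        field, _, modifier = key.partition("|")
        patterns = patterns if isinstance(patterns, list) else [patterns]
        if not any(_value_matches(event.get(field), modifier, p) for p in patterns):
            return False
    return True

# Evaluate the condition for one event. Only identifiers, and/or/not and parentheses
# are accepted; identifiers are replaced by True/False before the expression is evaluated.
def evaluate(rule, event):
    det = rule["detection"]
    results = {n: _map_matches(m, event) for n, m in det.items() if n != "condition"}
    tokens = re.findall(r"\(|\)|\w+", det["condition"])
    bad = [t for t in tokens if t not in ("and", "or", "not", "(", ")") and t not in results]
    if bad:
        raise ValueError(f"unsupported condition tokens: {bad}")
    expr = " ".join(str(results.get(t, t)) for t in tokens)
    return bool(eval(expr, {"__builtins__": {}}, {}))

def matching_events(rule, events):
    return [i for i, e in enumerate(events) if evaluate(rule, e)]

# Constructed process-creation events: an interactive shell, the monitoring agent, and noise.
EVENTS = [
    {"Image": r"C:\Windows\System32\whoami.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WHOAMI.EXE", "ParentImage": r"C:\Agent\monitor_agent.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]
```

Only the first event fires: the second matches the selection but is suppressed by the filter, which is exactly the shape tuning takes when a known-benign parent process keeps triggering a rule.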
