Vendor-neutral detection rules in Sigma format, organized by MITRE ATT&CK tactic.
The goal of this repo is to keep one canonical source for detection logic that can be converted to whatever SIEM I'm working with — Sentinel (KQL), Splunk (SPL), Elastic (EQL/Lucene), and so on. The companion repo siem-content holds the converted output where hand-tuning is needed.
```
rules/
  credential_access/
  defense_evasion/
  discovery/
  execution/
  exfiltration/
  impact/
  initial_access/
  lateral_movement/
  persistence/
  privilege_escalation/
tests/
  test_rules.py        # pytest suite — schema, ATT&CK tag presence, backend conversion smoke test
.github/workflows/
  ci.yml               # runs sigma check + pytest on every PR
```
Each rule file has a sibling .md with: what the detection covers, the log source it expects, sample matching events, false-positive notes, and ideas for tuning.
You need Python 3.10+ and uv (or pip).

```
uv sync
uv run pytest -q
uv run sigma check rules/
```

The CI job runs the same commands on every push.
To convert a rule for a specific backend:

```
# Sentinel / Defender (KQL)
uv run sigma convert -t kusto rules/credential_access/lsass_memory_access_unusual_process.yml
# Splunk
uv run sigma convert -t splunk rules/execution/powershell_encoded_command.yml
# Elastic (Lucene)
uv run sigma convert -t lucene rules/persistence/registry_run_key_modification.yml
```

Tactics currently represented, with the rule count for each:
| Tactic | Rules |
|---|---|
| Initial Access | 1 |
| Execution | 1 |
| Persistence | 2 |
| Privilege Escalation | 1 |
| Defense Evasion | 1 |
| Credential Access | 2 |
| Discovery | 1 |
| Lateral Movement | 1 |
| Exfiltration | 1 |
| Impact | 1 |
Run python tests/coverage_report.py to regenerate the ATT&CK Navigator JSON.
When adding a rule:

- Drop the `.yml` into the appropriate tactic folder.
- Add a sibling `.md` with the same basename.
- Make sure the `title`, `id` (UUID), `status`, `description`, `references`, `tags` (including `attack.tXXXX`), `logsource`, and `level` fields are all present.
- Run `uv run sigma check rules/` before opening the PR — CI will reject malformed rules.
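As an added example (not this repo's `tests/test_rules.py` or `tests/coverage_report.py`), the Python below checks a rule for the fields listed above plus a `detection` block with a `condition`, validates the `id` as a UUID and requires at least one `attack.tXXXX` tag, and then builds a minimal ATT&CK Navigator layer from the tags, scoring each technique by the number of rules that cover it. The sample rule, its UUID, the reference URL and the Navigator layer version are constructed assumptions; reading real rule files needs PyYAML, while the dict-based checks run without it.

```python
"""Added example: Sigma rule field checks and a minimal ATT&CK Navigator layer.
Not the repo's own test or coverage code; the sample rule is constructed."""
import json
import re
import uuid
from pathlib import Path

try:
    import yaml  # PyYAML; only needed to load .yml files from disk
except ImportError:
    yaml = None

REQUIRED_FIELDS = ("title", "id", "status", "description", "references",
                   "tags", "logsource", "detection", "level")
VALID_LEVELS = {"informational", "low", "medium", "high", "critical"}
VALID_STATUS = {"stable", "test", "experimental", "deprecated", "unsupported"}
# attack.t1059 or attack.t1059.001 (sub-technique)
TECHNIQUE_TAG = re.compile(r"^attack\.t\d{4}(\.\d{3})?$")

# Constructed sample rule for illustration; not a rule from this repo.
SAMPLE_RULE = {
    "title": "PowerShell Encoded Command (sample)",
    "id": "0f4d2a1e-6b3c-4e0a-9c2d-7a1b5e8f3c21",  # assumed UUID
    "status": "experimental",
    "description": "Detects powershell.exe started with an encoded command.",
    "references": ["https://example.invalid/placeholder-reference"],
    "tags": ["attack.execution", "attack.t1059.001"],
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe",
                      "CommandLine|contains": " -enc"},
        "condition": "selection",
    },
    "level": "medium",
}


def validate_rule(rule: dict) -> list[str]:
    """Return a list of problems; an empty list means the rule passes."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in rule or rule[field] in (None, "", [], {}):
            problems.append(f"missing or empty field: {field}")
    # Sigma ids are UUIDs so rules can be referenced across backends.
    try:
        uuid.UUID(str(rule.get("id", "")))
    except ValueError:
        problems.append("id is not a valid UUID")
    if rule.get("status") not in VALID_STATUS:
        problems.append(f"status must be one of {sorted(VALID_STATUS)}")
    if rule.get("level") not in VALID_LEVELS:
        problems.append(f"level must be one of {sorted(VALID_LEVELS)}")
    if not any(TECHNIQUE_TAG.match(t) for t in rule.get("tags") or []):
        problems.append("no attack.tXXXX technique tag")
    logsource = rule.get("logsource") or {}
    if not any(k in logsource for k in ("product", "category", "service")):
        problems.append("logsource needs product, category or service")
    if "condition" not in (rule.get("detection") or {}):
        problems.append("detection has no condition")
    return problems


def technique_ids(rule: dict) -> list[str]:
    """Turn attack.t1059.001 style tags into Navigator ids like T1059.001."""
    return [t.split(".", 1)[1].upper()
            for t in rule.get("tags") or [] if TECHNIQUE_TAG.match(t)]


def navigator_layer(rules: list[dict], name: str = "coverage") -> dict:
    """Minimal Navigator layer; score is the number of rules per technique."""
    counts: dict[str, int] = {}
    for rule in rules:
        for tid in technique_ids(rule):
            counts[tid] = counts.get(tid, 0) + 1
    return {
        "name": name,
        "versions": {"layer": "4.5"},  # layer format version; assumed
        "domain": "enterprise-attack",
        "techniques": [{"techniqueID": t, "score": n}
                       for t, n in sorted(counts.items())],
    }


def load_rules(rules_dir: str) -> list[dict]:
    """Load every .yml under rules_dir (requires PyYAML)."""
    if yaml is None:
        raise RuntimeError("PyYAML is required to load rule files")
    return [yaml.safe_load(p.read_text(encoding="utf-8"))
            for p in sorted(Path(rules_dir).rglob("*.yml"))]


if __name__ == "__main__":
    import sys
    rules = load_rules(sys.argv[1]) if len(sys.argv) > 1 else [SAMPLE_RULE]
    for rule in rules:
        for problem in validate_rule(rule):
            print(f"{rule.get('title')}: {problem}")
    print(json.dumps(navigator_layer(rules), indent=2))
```

Run it with a rules directory as the only argument to check every rule and print the layer JSON; with no argument it runs against the constructed sample. The checks stop at structural validity; whether the detection logic is sound is what the sibling `.md` and the backend conversion smoke test are for.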
MIT. See LICENSE.