Liberty91
CTI Skill · Detection engineering

Sigma Rule Writing.

/sigma-writing

If you have ever wondered how to write Sigma rules without memorising every field modifier and log source, this skill does it for you. Describe a finding or a behaviour and it drafts a complete, vendor-agnostic Sigma rule in the YAML the spec expects: a unique id, log source, detection logic, ATT&CK tags, documented false positives and a sensible severity level.

What it does.

The skill turns a plain-language finding or an investigation result into a structured Sigma rule. It picks the right log source category, builds the selection and filter blocks with the correct field modifiers, generates a unique id (a UUID, as the Sigma specification expects), maps the behaviour to MITRE ATT&CK tactics and techniques, and fills in references, false positives and a level. The output is valid YAML you can convert to Splunk, Elastic or Sentinel queries with pySigma (sigma-cli) or the legacy sigmac converter.

When to use it.

Reach for it when an investigation surfaces a behaviour worth detecting: a suspicious parent-child process chain, an encoded PowerShell command, a beacon to known C2 infrastructure. It is built for detection engineers and CTI analysts who want repeatable, portable rules instead of one-off SIEM queries locked to a single platform. It pairs naturally with the output of a hash or malware investigation.

What you get back.

A single Sigma rule file following the spec: title, id, status, description explaining what is detected and why, references, ATT&CK tags in the correct lowercase dotted format (for example attack.execution and attack.t1059.001), a precise log source, detection selections with modifiers like contains, endswith and cidr, a condition expression combining them, documented false-positive scenarios, and an accurate severity. The draft is checked against the project's rule quality checklist before you see it.
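To make the structure above concrete, here is an added example that is not code from the Liberty91 skill, the Sigma project, sigmac or pySigma: a rule for the encoded PowerShell case mentioned earlier, laid out with the same keys as the Sigma YAML, together with a small evaluator that runs its selection, filter and condition over constructed process-creation events. The UUID, the ApprovedOrchestrator.exe allow-list entry and the sample events are all constructed for illustration; the evaluator implements only the contains, startswith, endswith and cidr modifiers, the |all flag and and/or/not conditions, so it shows how those pieces combine rather than replacing a real converter.

```python
"""Evaluate a Sigma-style rule against constructed Windows process_creation events.

Added example for this page; not code from the Liberty91 skill, sigmac or pySigma.
Supports a subset of Sigma matching: contains/startswith/endswith/cidr modifiers,
the |all flag, and conditions built from and/or/not with parentheses.
"""
import ipaddress

# The rule, with the same keys the Sigma YAML uses. The id is a constructed UUID and
# the filter names a hypothetical allow-listed parent process.
RULE = {
    "title": "Encoded PowerShell Command Line",
    "id": "9b2f3c44-6d4e-4b1a-9f0e-2c7a1d5e8b61",
    "status": "experimental",
    "description": "Detects powershell.exe or pwsh.exe started with -enc/-EncodedCommand, "
                   "which hides the script body from plain command-line review.",
    "tags": ["attack.execution", "attack.defense-evasion", "attack.t1059.001", "attack.t1027"],
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["-enc ", "-encodedcommand "],  # Sigma strings match case-insensitively
        },
        "filter_main_approved_parent": {
            "ParentImage|endswith": "\\ApprovedOrchestrator.exe",  # hypothetical allow-listed parent
        },
        "condition": "selection and not filter_main_approved_parent",
    },
    "falsepositives": ["Administrative tooling that legitimately passes -EncodedCommand"],
    "level": "medium",
}


def _match_value(mods, actual, want):
    """Apply one modifier chain to a single expected value."""
    if mods == ["cidr"]:
        try:
            return ipaddress.ip_address(actual) in ipaddress.ip_network(want, strict=False)
        except ValueError:  # field is not an IP address
            return False
    a, w = actual.lower(), want.lower()
    if not mods:
        return a == w
    if mods == ["contains"]:
        return w in a
    if mods == ["startswith"]:
        return a.startswith(w)
    if mods == ["endswith"]:
        return a.endswith(w)
    raise ValueError(f"unsupported modifier chain: {mods}")


def match_field(key, expected, event):
    """Match one 'Field|modifier' entry; a list of values is OR-ed unless |all is set."""
    field, *mods = key.split("|")
    require_all = "all" in mods
    mods = [m for m in mods if m != "all"]
    actual = event.get(field)
    if actual is None:
        return False
    values = expected if isinstance(expected, list) else [expected]
    results = [_match_value(mods, str(actual), str(want)) for want in values]
    return all(results) if require_all else any(results)


def match_selection(selection, event):
    """Every field in a selection map must match (AND)."""
    return all(match_field(k, v, event) for k, v in selection.items())


def eval_condition(condition, named):
    """Evaluate e.g. 'selection and not filter' with precedence not > and > or."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_or():
        v = parse_and()
        while peek() == "or":
            take()
            r = parse_and()
            v = v or r
        return v

    def parse_and():
        v = parse_not()
        while peek() == "and":
            take()
            r = parse_not()
            v = v and r
        return v

    def parse_not():
        if peek() == "not":
            take()
            return not parse_not()
        return parse_atom()

    def parse_atom():
        tok = take()
        if tok == "(":
            v = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return v
        return named[tok]  # a selection/filter name

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return result


def rule_matches(rule, event):
    detection = rule["detection"]
    named = {n: match_selection(s, event) for n, s in detection.items() if n != "condition"}
    return eval_condition(detection["condition"], named)


# Constructed sample events (not real telemetry).
EVENTS = [
    {   # 0: encoded command spawned by Word: should fire
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
    {   # 1: same technique, but from the allow-listed parent: suppressed by the filter
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": "pwsh.exe -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
        "ParentImage": r"C:\Program Files\ApprovedOrchestrator\ApprovedOrchestrator.exe",
    },
    {   # 2: plain script run, no encoding: selection does not match
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # 3: '-enc' in an unrelated cmd.exe argument: Image does not match
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c echo -enc test",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]


def matching_events(rule=RULE, events=EVENTS):
    """Indices of the events the rule fires on."""
    return [i for i, ev in enumerate(events) if rule_matches(rule, ev)]


if __name__ == "__main__":
    for i in matching_events():
        print(f"{RULE['title']} [{RULE['level']}] fired on event {i}: {EVENTS[i]['CommandLine']}")
```

Only event 0 fires: event 1 is excluded by the filter, which is exactly the kind of documented false-positive handling the rule's falsepositives entry describes, and events 2 and 3 never satisfy the selection. The cidr modifier is handled the same way for network fields such as DestinationIp, which is what lets one selection map express both string and address matching.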

How it fits your workflow.

It is one of several open-source CTI Skills that run inside an AI coding agent such as Claude Code. You stay in your terminal, point it at a finding, and get a reviewable rule you can commit to your detection repository. Because the rules are vendor-neutral Sigma, the same draft feeds whatever SIEM your team runs, and you can chain it after an indicator pivot or enrichment step.

Ready to do more with less?

Request a demo or start your free trial today. Get instant access to AI-powered threat intelligence tailored to your organisation.