[Intelligence]

Threat Detection: Sigma Rules Engine

Argus integrates a full Sigma detection rule management system, allowing analysts to import, manage, and deploy Sigma rules -- the vendor-neutral SIEM detection language used by the security community and recommended by MITRE ATT&CK contributors.

Module metadata

Source reference: content/modules/threat-detection-sigma-rules.md

Last updated: 18 Mar 2026

Category: Intelligence

Content checksum: 2d3f9a5fc3a03fe2

Tags: intelligence

Rendered documentation

This page renders the module's Markdown and Mermaid directly from the public documentation source.

Overview

Argus integrates a full Sigma detection rule management system, allowing analysts to import, manage, and deploy Sigma rules -- the vendor-neutral SIEM detection language used by the security community and recommended by MITRE ATT&CK contributors. Rules can be imported from YAML, bulk-imported from repositories, translated into backend-specific query languages via pySigma, and pushed directly to connected SIEM platforms. Every rule import and SIEM push generates an EDF-compliant audit record.

Key Features

Sigma YAML Import

Load individual Sigma rules from raw YAML text via the `importRuleYaml` mutation. The `parse_sigma_rule_yaml` adapter validates and extracts rule metadata including title, description, falsepositives, logsource, detection conditions, and level (informational through critical). Invalid YAML is rejected; the detailed parse errors are logged at the service layer rather than surfaced to callers, preventing error disclosure.

Bulk Rule Import

Import entire Sigma rule repositories in a single operation, batch-processing hundreds of rules while collecting success/failure counts per rule. Useful for onboarding an organisation from an existing detection-as-code repository or bootstrapping rules from public repositories such as the SigmaHQ community rules.

pySigma Translation to SIEM Backends

Translate stored Sigma rules to backend-specific query languages using pySigma via the `translateSigmaRule` mutation. Supported backends include Splunk SPL, Elastic ESQL/Lucene, Microsoft Sentinel KQL, Chronicle YARA-L, and QRadar AQL. Translation happens on demand, meaning the canonical Sigma YAML is always the source of truth and queries can be regenerated for new backends without maintaining separate rule copies.

SIEM Push Integration

Push translated rules directly to a configured SIEM endpoint via the `pushRuleToSiem` mutation. Argus handles the translation and the SIEM REST API call in a single operation, reducing the friction of detection engineering workflows. Each push is logged as an interop export audit event with the destination SIEM and query backend recorded.

Rule Inventory and Statistics

Query the rule inventory by organisation with filtering by severity level, log source category, or status. The `sigmaRuleStats` query returns counts by level (critical, high, medium, low, informational) and by log source category, giving security operations teams visibility into their detection coverage distribution.
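The import, bulk-import and stats flow above, condensed into an added example (constructed for this page, not Argus code): rules are validated for the metadata the page lists, rejected rules are logged server-side while the caller only receives success/failure counts, and the accepted set is summarised by level and log source category. Rules are given as already-parsed dicts so the block runs without a YAML library; the function names and sample rules are this example's own.

```python
import logging
from collections import Counter
LEVELS = ("informational", "low", "medium", "high", "critical")
REQUIRED = ("title", "logsource", "detection")
log = logging.getLogger("sigma.import")

def validate_rule(rule):
    """Return extracted metadata, or raise ValueError with a detailed reason."""
    missing = [k for k in REQUIRED if k not in rule]
    if missing:
        raise ValueError(f"missing required keys: {missing}")
    det = rule["detection"]
    if "condition" not in det or len(det) < 2:
        raise ValueError("detection needs a condition and at least one selection")
    level = rule.get("level", "informational")
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    ls = rule["logsource"]
    return {"title": rule["title"], "level": level,
            "category": ls.get("category", ls.get("product", "unknown")),
            "falsepositives": rule.get("falsepositives", [])}

def bulk_import(rules):
    """Validate many rules; detailed errors go to the server-side log, the caller gets counts only."""
    accepted, failed = [], 0
    for i, rule in enumerate(rules):
        try:
            accepted.append(validate_rule(rule))
        except ValueError as exc:
            log.warning("rule %d rejected: %s", i, exc)  # not returned to the caller
            failed += 1
    return accepted, {"success": len(accepted), "failure": failed}

def rule_stats(accepted):
    """Counts by level and by log source category, as sigmaRuleStats reports."""
    return {"by_level": dict(Counter(r["level"] for r in accepted)),
            "by_category": dict(Counter(r["category"] for r in accepted))}

# Constructed sample rules, already parsed from YAML into dicts
SAMPLE_RULES = [
    {"title": "Encoded PowerShell Command Line", "level": "high",
     "logsource": {"category": "process_creation", "product": "windows"},
     "detection": {"sel": {"CommandLine|contains": "-EncodedCommand"}, "condition": "sel"}},
    {"title": "Web Server 5xx Burst", "level": "medium",
     "logsource": {"category": "webserver"},
     "detection": {"sel": {"sc-status": 500}, "condition": "sel"}},
    {"title": "Bad level", "level": "urgent", "logsource": {"category": "webserver"},
     "detection": {"sel": {"a": 1}, "condition": "sel"}},  # rejected: unknown level
    {"title": "No detection block", "logsource": {"product": "linux"}},  # rejected
]
```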

Use Cases

  • Detection-as-Code Workflow: Import a Git repository's Sigma rule set on deployment and translate to the production SIEM backend, treating detection rules as managed infrastructure versioned alongside playbooks.
  • Multi-SIEM Organisations: Maintain a single Sigma rule library in Argus and push translated variants to Splunk, Elastic, and Sentinel simultaneously without managing backend-specific copies.
  • ATT&CK Coverage Mapping: Tag imported rules with MITRE ATT&CK technique IDs and report on technique coverage gaps across the detection rule library.
  • Partner Rule Sharing: Export Sigma rules as vendor-neutral YAML to share with allied organisations without exposing proprietary SIEM query syntax.

Integration

Available via GraphQL: `sigmaRules`, `sigmaRuleStats` (queries); `importRuleYaml`, `bulkImportRules`, `translateSigmaRule`, `pushRuleToSiem` (mutations). All operations require authentication and organisation scoping.

Compatible with Sigma specification v2+ and pySigma backends. Works alongside the SIEM Connector domain for persistent SIEM connection management, and integrates with the MISP and STIX domains to derive detection rules from observed indicators.

Last Reviewed: 2026-03-18