Detection Engineering

Writing Sigma Rules That Actually Fire (Not Just Compile)

A detection engineer's checklist for Sigma rules that survive contact with production — fidelity over coverage, tested logsources, tuned false positives, and CI.

Colson

By Colson · Security Researcher, Founder

3 min read

Detection-as-code pipeline visualization showing Sigma rules flowing into a SIEM
Threat reference
T1059.001 T1218.011

A Sigma rule that compiles is not a detection. It is a hypothesis. Plenty of rule libraries are full of YAML that converts cleanly to SPL or KQL and never fires once — because the logsource is not collected, the field names do not match the pipeline, or the logic is so broad it gets tuned to death on day one. This is a detection engineer’s checklist for writing Sigma that survives contact with production.

1. Pin the logsource to data you actually collect

The most common failure is a perfectly valid rule sitting on top of telemetry that nobody ships to the SIEM. Before writing detection logic, confirm the logsource is collected, parsed, and field-mapped in your environment.

2. Detect behavior, not a single string

Brittle rules key on one literal — an exact path, a specific tool name — and break the moment an attacker renames a binary. Durable rules describe the behavior: the parent/child process relationship, the command-line shape, the combination of fields that is unusual together.

Sigma Encoded PowerShell via -EncodedCommand source 
title: Encoded PowerShell Command Execution
id: 9f3c1a7e-darkpwn-illustrative
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith: '\powershell.exe'
  selection_flags:
    CommandLine|contains:
      - ' -enc '
      - ' -EncodedCommand '
      - ' -e '
  condition: selection_img and selection_flags
falsepositives:
  - Some legitimate management and deployment scripts
level: medium
tags:
  - attack.execution
  - attack.t1059.001

This keys on the technique (T1059.001, PowerShell) rather than a hash, so it survives renamed scripts — while still naming realistic false positives.

3. Write the false positives down before you ship

Every real detection has false positives. The rules that survive are the ones whose authors enumerated them up front, in the falsepositives field, and provided a tuning path. A rule with an empty falsepositives block has usually not met production yet.

4. Test every rule against attack telemetry

A detection you have never seen fire is not validated. Generate the behavior safely in a lab — Atomic Red Team and purple-team exercises are built for exactly this — and confirm the rule fires on the true positive and stays quiet on a normal baseline.

5. Map to ATT&CK and track coverage honestly

Tag rules with ATT&CK technique IDs and render the result on a coverage map — but count only validated rules. A technique covered by a rule that has never fired is not covered. Honest coverage beats an impressive-looking matrix.

Where to build the skill (authorized labs)

Detection engineering is a hands-on craft, and the safest way to practice is in authorized labs that let you generate real attack telemetry on demand:

Disclosure: Some links below are affiliate links. If you buy through them, darkpwn may earn a commission at no extra cost to you. We only recommend training and tools we actually use in our own lab, and affiliate links never influence editorial coverage.

Two authorized training platforms commonly used to practice detection against real attack telemetry.
TryHackMeHack The Box
Best for Guided blue-team pathsOpen-ended adversary emulation
On-ramp Gentle, browser-basedSteeper, more realistic
Detection focus SOC / SIEM / Sigma roomsPro Labs + endpoint telemetry
Get started TryHackMe Hack The Box

The takeaway

The gap between a rule that compiles and a rule that fires is the entire job. Pin the logsource, detect behavior over strings, write down the false positives, test against real attack telemetry, and gate it all behind CI. Coverage you have not validated is a story you are telling yourself — fire the rule before the adversary does.

Put it into practice on real techniques: the behavioral Kerberoasting detection and the SQL injection detection guide both live or die by the rules-that-fire discipline above. More in the Detection Engineering pillar.

#sigma#detection-engineering#detection-as-code#siem#blue-team#threat-hunting

Training & tools referenced

Disclosure: Some links below are affiliate links. If you buy through them, darkpwn may earn a commission at no extra cost to you. We only recommend training and tools we actually use in our own lab, and affiliate links never influence editorial coverage.

  • TryHackMeGuided SOC and Sigma rooms to practice detection against real telemetrySecurity Training
    Start training
  • Hack The BoxPro Labs and endpoint telemetry for open-ended detection practiceSecurity Training
    Explore labs

Frequently asked questions

What is Sigma in detection engineering?

Sigma is a generic, YAML-based signature format for log events. You write a detection once in Sigma, then convert it to your SIEM's query language (Splunk SPL, Microsoft KQL, Elastic, etc.) with a converter such as sigma-cli/pySigma. It is the de facto "write once, deploy anywhere" standard for detection-as-code.

Why do so many Sigma rules never fire?

The two most common reasons are a logsource that is not actually being collected (the rule is valid but there is no data behind it) and field names that do not match the deployed log pipeline. A rule that compiles is not a rule that fires — you have to test it against real telemetry.

Newsletter

Liked this breakdown?

Defensive security research — detection, hardening, and hardware — delivered when there is something worth saying. No spam, unsubscribe anytime.