{"id":104664,"date":"2025-02-26T16:55:34","date_gmt":"2025-02-26T08:55:34","guid":{"rendered":"https:\/\/version-2.com\/?p=104664"},"modified":"2025-02-19T16:58:36","modified_gmt":"2025-02-19T08:58:36","slug":"the-ultimate-guide-to-sigma-rules","status":"publish","type":"post","link":"https:\/\/version-2.com\/zh\/2025\/02\/the-ultimate-guide-to-sigma-rules\/","title":{"rendered":"The Ultimate Guide to Sigma Rules"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"104664\" class=\"elementor elementor-104664\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-35fe5dd post-content elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"35fe5dd\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;jet_parallax_layout_list&quot;:[{&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;_id&quot;:&quot;cef08c3&quot;,&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:&quot;1&quot;,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot;:50,&quot;jet_parallax_layout_bg_y_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size&q
uot;:&quot;auto&quot;,&quot;jet_parallax_layout_bg_size_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-409a2e9a\" data-id=\"409a2e9a\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-5a8be8f elementor-widget elementor-widget-text-editor\" data-id=\"5a8be8f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><img fetchpriority=\"high\" decoding=\"async\" class=\"alignnone size-full\" src=\"https:\/\/graylog.org\/wp-content\/uploads\/2024\/04\/Ultimate-Guide-to-Sigma-Rules-2.jpg.webp\" width=\"1200\" height=\"628\" \/><\/p><div class=\"elementor-widget-container\"><p>In cybersecurity as in sports, teamwork makes the dream work. In a world where security analysts can feel constantly bombarded by threat actors, banding together to share information and strategies is increasingly important. 
Over the last few years, security operations center (SOC) analysts started sharing open source Sigma rules to create and share detections that help them level the playing field.<\/p><p>By understanding what Sigma rules are and how to use them, you can leverage their capabilities, optimizing your centralized log management solution for security detection and response.<\/p><h2>What are Sigma Rules?<\/h2><p>Introduced in 2017 by detection engineer Florian Roth and open-source security tool developer Thomas Patzke, Sigma is a text-based, generic, open signature format that analysts can use to describe log events, making detections easier to write.\u00a0 Since Sigma uses YAML, it has a human-readable syntax that means people can easily read and understand the detection rules.<\/p><p>As a generic detection rule format, Sigma creates a common shared language for defenders, overcoming the challenges that they face trying to write rules in proprietary <a href=\"https:\/\/graylog.org\/post\/siem-simplified\/\">Security Information and Event Management (SIEM)<\/a> platforms. Security analysts can share rules using the Sigma format, then convert them into the SIEM-specific language.<\/p><p>Similar to how YARA rules use Indicators of Compromise (IoC) to help identify and classify malware files, Sigma rules match criteria to log events to help detect incidents. 
Sigma rules can contain any or all of the following fields:<\/p><ul><li>Title<\/li><li>Status, like experimental or tested<\/li><li>Description of what it detects<\/li><li>Author name<\/li><li>Date<\/li><li>ID<\/li><li>License, assuming the author shares the rule<\/li><li>Level<\/li><li>Data or log source<\/li><li>Set of conditions<\/li><li>Tag, including MITRE ATT&amp;CK mapping<\/li><\/ul><h2>Why use Sigma Rules?<\/h2><p>With Sigma rules, security analysts can collaborate more effectively and efficiently.<\/p><h3>Standardization<\/h3><p>Sigma standardizes detection rule formats across <a href=\"https:\/\/graylog.org\/post\/selecting-siem-tools-questions-to-consider\/\">all SIEM<\/a> and log management platforms. Since each rule contains the same fields in the same order, security analysts can use a converter that translates the open-source detection into the format that their security system uses.<\/p><h3>Collaboration<\/h3><p>For defenders, collaboration is a fundamental benefit. Until Sigma rules, security analysts could only share detections with other people who use the same SIEM or log management system. With open-source Sigma rules, defenders can share tested and untested rules within GitHub to build stronger detections.<\/p><p>Further, by collaborating, defenders can share knowledge. With people across all experience levels sharing detections, security analysts can bridge the cybersecurity skills gap, enhancing everyone\u2019s security.<\/p><h3>Flexibility<\/h3><p>From a business perspective, Sigma rules give companies a way to evolve their cybersecurity technology stack in a way that makes sense for them. 
The ability to convert the rules to a vendor\u2019s format means that security teams can shift from one technology to another more easily, avoiding costly vendor lock-in or enabling them to mature their operations as necessary.<\/p><h2>Sigma Rule Use Cases<\/h2><p>With Sigma, you can uplevel your security in proactive and reactive ways.<\/p><h3>Suspicious Activity Alerts<\/h3><p>To improve your reactive security, you can build Sigma rules to detect suspicious activity. Using the activity that your log data captures, you can build rules that detect almost anything, including:<\/p><ul><li>Unauthorized actions<\/li><li>Web\/resource access<\/li><li>File modification<\/li><li>Process creation<\/li><\/ul><p>As you get more comfortable building detection rules, you can correlate more log data for meaningful, high-fidelity alerts.<\/p><h3>Threat Hunting<\/h3><p>Once you have a set of robust alerts, you can start using Sigma rules to mature your proactive security monitoring, too. With a centralized log management solution aggregating old log data, you can build Sigma detections based on threat intelligence and <a href=\"https:\/\/graylog.org\/post\/next-level-threat-hunting-shift-your-siem-from-reactive-to-proactive\/\">proactively search for activity indicating attackers hiding in your systems.<\/a><\/p><h2>The Anatomy of a Sigma Rule<\/h2><p>Writing Sigma rules doesn\u2019t need to be hard, but the more correlations you build into the rule, the more difficult writing it becomes.<\/p><p>An example of a <a href=\"https:\/\/github.com\/SigmaHQ\/sigma\/blob\/master\/rules\/cloud\/azure\/azure_account_lockout.yml\">short Sigma rule<\/a> is the one that identifies potential <a href=\"https:\/\/graylog.org\/features\/anomaly-detection-ml-ueba\/\">brute force or credential theft attacks<\/a>.<\/p><figure id=\"attachment_13939\" class=\"wp-caption aligncenter\" style=\"width: 624px;\" aria-describedby=\"caption-attachment-13939\"><picture class=\"wp-image-13939 
size-full\"> <source srcset=\"https:\/\/graylog.org\/wp-content\/uploads\/2023\/03\/Picture1.png.webp\" type=\"image\/webp\" \/><\/picture><br \/><picture class=\"wp-image-13939 size-full\"><img decoding=\"async\" src=\"https:\/\/graylog.org\/wp-content\/uploads\/2023\/03\/Picture1.png\" alt=\"a sigma rule\" width=\"624\" height=\"464\" \/><\/picture><br \/><figcaption id=\"caption-attachment-13939\" class=\"wp-caption-text\">Azure Account Lockout Sigma Rule<\/figcaption><\/figure><h3>Identify Use Case<\/h3><p>The first step to <a href=\"https:\/\/socprime.com\/blog\/sigma-rules-the-beginners-guide\/\">building a Sigma<\/a> rule is deciding what activity you need to find.<\/p><p>In the example detection, the authors define the use case in the tags as an attack at the credential and access level.<\/p><p>They also map this activity to the <a href=\"https:\/\/attack.mitre.org\/techniques\/T1110\/\">MITRE ATT&amp;CK Technique T1110<\/a> which covers:<\/p><ul><li>Password guessing (T1110.001)<\/li><li>Password cracking (T1110.002)<\/li><li>Password spraying (T1110.003)<\/li><li>Credential stuffing (T1110.004)<\/li><\/ul><h3>Determine Log Source\/Data Source<\/h3><p>Since your Sigma rule relies on log data, you need to identify what sources apply. When writing the rule, you may want to include both the product and the service.<\/p><p>Breaking down the example detection, you can see that the logsource in this case is the Azure sign-in logs:<\/p><p><picture class=\"alignnone wp-image-13940 size-large\"> <source srcset=\"https:\/\/graylog.org\/wp-content\/uploads\/2023\/03\/Picture2-1.png.webp?w=204\" type=\"image\/webp\" \/><\/picture><br \/><picture class=\"alignnone wp-image-13940 size-large\"><img decoding=\"async\" src=\"https:\/\/graylog.org\/wp-content\/uploads\/2023\/03\/Picture2-1.png?w=204\" alt=\"\" width=\"204\" height=\"68\" \/><\/picture><\/p><h3>Define the Detection<\/h3><p>As you continue to build your rule, you also dig deeper into the logsource data. 
When you define the detection, you look at the log fields that alert you to specific activity.<\/p><p>In this example, the detection matches sign-in logs that contain \u201cAzure AD authentication error 50053\u201d:<br \/><picture class=\"alignnone size-medium wp-image-13941\"> <source srcset=\"https:\/\/graylog.org\/wp-content\/uploads\/2023\/03\/Picture3-1.png.webp?w=193\" type=\"image\/webp\" \/><\/picture><br \/><picture class=\"alignnone size-medium wp-image-13941\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/graylog.org\/wp-content\/uploads\/2023\/03\/Picture3-1.png?w=193\" alt=\"\" width=\"193\" height=\"64\" \/><\/picture><\/p><h3>Set the Condition<\/h3><p>When you set the condition, you define what the rule \u201clooks for\u201d in the defined log.<\/p><p>In this case, since the log needs to contain the required error, you set the condition as follows:<br \/><picture class=\"alignnone wp-image-13942 size-large\"> <source srcset=\"https:\/\/graylog.org\/wp-content\/uploads\/2023\/03\/Picture4-1.png.webp?w=193\" type=\"image\/webp\" \/><\/picture><br \/><picture class=\"alignnone wp-image-13942 size-large\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/graylog.org\/wp-content\/uploads\/2023\/03\/Picture4-1.png?w=193\" alt=\"\" width=\"193\" height=\"26\" \/><\/picture><\/p><h3>Additional Fields and Complexity<\/h3><p>Although valuable, this example is a fairly simple rule. 
As you try to reduce noise across your monitoring environment, you may incorporate additional information, like:<\/p><ul><li>More than one log source<\/li><li>More than one detection<\/li><li>Filters<\/li><li>Multiple conditions<\/li><li>Indicators of false positives<\/li><\/ul><p>A good example of a more complex Sigma rule is the <a href=\"https:\/\/github.com\/SigmaHQ\/sigma\/blob\/master\/rules\/cloud\/azure\/azure_aad_secops_signin_failure_bad_password_threshold.yml\">Sign-In Failure for Bad Password Threshold<\/a>:<\/p><figure id=\"attachment_13943\" class=\"wp-caption aligncenter\" style=\"width: 624px;\" aria-describedby=\"caption-attachment-13943\"><picture class=\"wp-image-13943 size-full\"> <source srcset=\"https:\/\/graylog.org\/wp-content\/uploads\/2023\/03\/Picture5-1.png.webp\" type=\"image\/webp\" \/><\/picture><br \/><picture class=\"wp-image-13943 size-full\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/graylog.org\/wp-content\/uploads\/2023\/03\/Picture5-1.png\" alt=\"A Sigma Rule\" width=\"624\" height=\"400\" \/><\/picture><br \/><figcaption id=\"caption-attachment-13943\" class=\"wp-caption-text\">Azure Sign-In Failure Bad Password Threshold<\/figcaption><\/figure><h2>Graylog Security: Sigma Rule Event Processor for Advanced Detection Capabilities<\/h2><p>With <a href=\"https:\/\/graylog.org\/products\/security\/\">Graylog Security<\/a>, you get the security functionality of SIEM and the intuitive user interface that makes managing security faster. 
With our Sigma Rule Event Processor, you can import rules you want to use directly from GitHub, and we automatically associate it with an <a href=\"https:\/\/go2docs.graylog.org\/5-0\/interacting_with_your_log_data\/alerts_and_events.html\">event definition<\/a> or customize the definition, giving you a way to rapidly mature your detection capabilities.<\/p><p><picture class=\"aligncenter wp-image-26006 size-full\"> <source srcset=\"https:\/\/graylog.org\/wp-content\/uploads\/2024\/04\/Sigma-Rules.png.webp 1458w, https:\/\/graylog.org\/wp-content\/uploads\/2024\/04\/Sigma-Rules-300x181.png.webp 300w, https:\/\/graylog.org\/wp-content\/uploads\/2024\/04\/Sigma-Rules-1024x617.png.webp 1024w, https:\/\/graylog.org\/wp-content\/uploads\/2024\/04\/Sigma-Rules-768x462.png.webp 768w\" type=\"image\/webp\" sizes=\"(max-width: 1458px) 100vw, 1458px\" \/><\/picture><br \/><picture class=\"aligncenter wp-image-26006 size-full\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/graylog.org\/wp-content\/uploads\/2024\/04\/Sigma-Rules.png\" sizes=\"(max-width: 1458px) 100vw, 1458px\" srcset=\"https:\/\/graylog.org\/wp-content\/uploads\/2024\/04\/Sigma-Rules.png 1458w, https:\/\/graylog.org\/wp-content\/uploads\/2024\/04\/Sigma-Rules-300x181.png 300w, https:\/\/graylog.org\/wp-content\/uploads\/2024\/04\/Sigma-Rules-1024x617.png 1024w, https:\/\/graylog.org\/wp-content\/uploads\/2024\/04\/Sigma-Rules-768x462.png 768w\" alt=\"\" width=\"1458\" height=\"878\" \/><\/picture><\/p><p>By combining Sigma rules with Graylog\u2019s lightning-fast speed, you can create the high-fidelity alerts you need and investigate them rapidly, improving key metrics like Mean Time To Detect (MTTD) and Mean Time To Resolve (MTTR).<\/p><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2004c86 elementor-widget elementor-widget-shortcode\" data-id=\"2004c86\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"shortcode.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-shortcode\">\n\t\t<div data-elementor-type=\"page\" data-elementor-id=\"93504\" class=\"elementor elementor-93504\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-6461a578 elementor-section-full_width elementor-section-height-default elementor-section-height-default\" data-id=\"6461a578\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;jet_parallax_layout_list&quot;:[{&quot;_id&quot;:&quot;c4f773e&quot;,&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:&quot;1&quot;,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot;:50,&quot;jet_parallax_layout_bg_y_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size&quot;:&quot;auto&quot;,&quot;jet_parallax_layout_bg_size_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<di
v class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-2f063c39\" data-id=\"2f063c39\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-14e1df2a elementor-widget elementor-widget-text-editor\" data-id=\"14e1df2a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><strong>About Graylog\u00a0\u00a0<\/strong><br \/>At Graylog, our vision is a secure digital world where organizations of all sizes can effectively guard against cyber threats. We\u2019re committed to turning this vision into reality by providing Threat Detection &amp; Response that sets the standard for excellence. Our cloud-native architecture delivers SIEM, API Security, and Enterprise Log Management solutions that are not just efficient and effective\u2014whether hosted by us, on-premises, or in your cloud\u2014but also deliver a fantastic Analyst Experience at the lowest total cost of ownership. 
We aim to equip security analysts with the best tools for the job, empowering every organization to stand resilient in the ever-evolving cybersecurity landscape.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t\t\t<div data-elementor-type=\"page\" data-elementor-id=\"18103\" class=\"elementor elementor-18103\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-748947f elementor-section-full_width elementor-section-height-default elementor-section-height-default\" data-id=\"748947f\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;jet_parallax_layout_list&quot;:[{&quot;jet_parallax_layout_image&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;_id&quot;:&quot;c4f773e&quot;,&quot;jet_parallax_layout_image_tablet&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_image_mobile&quot;:{&quot;url&quot;:&quot;&quot;,&quot;id&quot;:&quot;&quot;,&quot;size&quot;:&quot;&quot;},&quot;jet_parallax_layout_speed&quot;:{&quot;unit&quot;:&quot;%&quot;,&quot;size&quot;:50,&quot;sizes&quot;:[]},&quot;jet_parallax_layout_type&quot;:&quot;scroll&quot;,&quot;jet_parallax_layout_direction&quot;:&quot;1&quot;,&quot;jet_parallax_layout_fx_direction&quot;:null,&quot;jet_parallax_layout_z_index&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x&quot;:50,&quot;jet_parallax_layout_bg_x_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_x_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y&quot;:50,&quot;jet_parallax_layout_bg_y_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_y_mobile&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size&quot;:&quot;auto&quot;,&quot;jet_parallax_layout_bg_size_tablet&quot;:&quot;&quot;,&quot;jet_parallax_layout_bg_size_mobile&quot;:&quot;&quot;,&quot;jet_parall
ax_layout_animation_prop&quot;:&quot;transform&quot;,&quot;jet_parallax_layout_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;]}]}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7995c19\" data-id=\"7995c19\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-a437045 elementor-widget elementor-widget-image-box\" data-id=\"a437045\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image-box.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-image-box-wrapper\"><div class=\"elementor-image-box-content\"><h3 class=\"elementor-image-box-title\">About Version 2 Digital<\/h3><p class=\"elementor-image-box-description\">Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.\n<br><br>\nThrough an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. 
Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.<\/p><\/div><\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>In cybersecurity as in sports, teamwork makes the dream [&hellip;]<\/p>\n","protected":false},"author":149011790,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1303,1305,61],"tags":[1077,1304],"class_list":["post-104664","post","type-post","status-publish","format-standard","hentry","category-graylog","category-1305","category-press-release","tag-1077","tag-graylog"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>The Ultimate Guide to Sigma Rules - Version 2<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/graylog.org\/post\/the-ultimate-guide-to-sigma-rules\/\" \/>\n<meta property=\"og:locale\" content=\"zh_HK\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The Ultimate Guide to Sigma Rules - Version 2\" \/>\n<meta property=\"og:description\" content=\"In cybersecurity as in sports, teamwork makes the dream [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/graylog.org\/post\/the-ultimate-guide-to-sigma-rules\/\" \/>\n<meta property=\"og:site_name\" 
content=\"Version 2\" \/>\n<meta property=\"article:published_time\" content=\"2025-02-26T08:55:34+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/graylog.org\/wp-content\/uploads\/2024\/04\/Ultimate-Guide-to-Sigma-Rules-2.jpg.webp\" \/>\n<meta name=\"author\" content=\"tracylamv2\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005\" \/>\n\t<meta name=\"twitter:data1\" content=\"tracylamv2\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9810\u8a08\u95b1\u8b80\u6642\u9593\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 \u5206\u9418\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/graylog.org\\\/post\\\/the-ultimate-guide-to-sigma-rules\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/2025\\\/02\\\/the-ultimate-guide-to-sigma-rules\\\/\"},\"author\":{\"name\":\"tracylamv2\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/person\\\/011bc7c3731c930bcfeecd52fefb6365\"},\"headline\":\"The Ultimate Guide to Sigma Rules\",\"datePublished\":\"2025-02-26T08:55:34+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/2025\\\/02\\\/the-ultimate-guide-to-sigma-rules\\\/\"},\"wordCount\":1037,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/graylog.org\\\/post\\\/the-ultimate-guide-to-sigma-rules\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/graylog.org\\\/wp-content\\\/uploads\\\/2024\\\/04\\\/Ultimate-Guide-to-Sigma-Rules-2.jpg.webp\",\"keywords\":[\"2025\",\"Graylog\"],\"articleSection\":[\"Graylog\",\"2025\",\"Press 
Release\"],\"inLanguage\":\"zh-HK\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/graylog.org\\\/post\\\/the-ultimate-guide-to-sigma-rules\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/version-2.com\\\/2025\\\/02\\\/the-ultimate-guide-to-sigma-rules\\\/\",\"url\":\"https:\\\/\\\/graylog.org\\\/post\\\/the-ultimate-guide-to-sigma-rules\\\/\",\"name\":\"The Ultimate Guide to Sigma Rules - Version 2\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/graylog.org\\\/post\\\/the-ultimate-guide-to-sigma-rules\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/graylog.org\\\/post\\\/the-ultimate-guide-to-sigma-rules\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/graylog.org\\\/wp-content\\\/uploads\\\/2024\\\/04\\\/Ultimate-Guide-to-Sigma-Rules-2.jpg.webp\",\"datePublished\":\"2025-02-26T08:55:34+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/graylog.org\\\/post\\\/the-ultimate-guide-to-sigma-rules\\\/#breadcrumb\"},\"inLanguage\":\"zh-HK\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/graylog.org\\\/post\\\/the-ultimate-guide-to-sigma-rules\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-HK\",\"@id\":\"https:\\\/\\\/graylog.org\\\/post\\\/the-ultimate-guide-to-sigma-rules\\\/#primaryimage\",\"url\":\"https:\\\/\\\/graylog.org\\\/wp-content\\\/uploads\\\/2024\\\/04\\\/Ultimate-Guide-to-Sigma-Rules-2.jpg.webp\",\"contentUrl\":\"https:\\\/\\\/graylog.org\\\/wp-content\\\/uploads\\\/2024\\\/04\\\/Ultimate-Guide-to-Sigma-Rules-2.jpg.webp\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/graylog.org\\\/post\\\/the-ultimate-guide-to-sigma-rules\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\u9996\u9801\",\"item\":\"https:\\\/\\\/version-2.com\\\/zh\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"The Ultimate Guide to Sigma 
Rules\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#website\",\"url\":\"https:\\\/\\\/version-2.com\\\/zh\\\/\",\"name\":\"Version 2\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/version-2.com\\\/zh\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"zh-HK\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#organization\",\"name\":\"Version 2\",\"url\":\"https:\\\/\\\/version-2.com\\\/zh\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-HK\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/version-2.com\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/version-2.com\\\/wp-content\\\/uploads\\\/2020\\\/08\\\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1\",\"width\":1795,\"height\":335,\"caption\":\"Version 
2\"},\"image\":{\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/version-2.com\\\/zh\\\/#\\\/schema\\\/person\\\/011bc7c3731c930bcfeecd52fefb6365\",\"name\":\"tracylamv2\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-HK\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/9d01d79cbfd8b2e878f5d701a362cc9fca466d33fec977b59706c23c1a2db15c?s=96&d=identicon&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/9d01d79cbfd8b2e878f5d701a362cc9fca466d33fec977b59706c23c1a2db15c?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/9d01d79cbfd8b2e878f5d701a362cc9fca466d33fec977b59706c23c1a2db15c?s=96&d=identicon&r=g\",\"caption\":\"tracylamv2\"},\"url\":\"https:\\\/\\\/version-2.com\\\/zh\\\/author\\\/tracylamv2\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"The Ultimate Guide to Sigma Rules - Version 2","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/graylog.org\/post\/the-ultimate-guide-to-sigma-rules\/","og_locale":"zh_HK","og_type":"article","og_title":"The Ultimate Guide to Sigma Rules - Version 2","og_description":"In cybersecurity as in sports, teamwork makes the dream [&hellip;]","og_url":"https:\/\/graylog.org\/post\/the-ultimate-guide-to-sigma-rules\/","og_site_name":"Version 2","article_published_time":"2025-02-26T08:55:34+00:00","og_image":[{"url":"https:\/\/graylog.org\/wp-content\/uploads\/2024\/04\/Ultimate-Guide-to-Sigma-Rules-2.jpg.webp","type":"","width":"","height":""}],"author":"tracylamv2","twitter_card":"summary_large_image","twitter_misc":{"\u4f5c\u8005":"tracylamv2","\u9810\u8a08\u95b1\u8b80\u6642\u9593":"13 
\u5206\u9418"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/graylog.org\/post\/the-ultimate-guide-to-sigma-rules\/#article","isPartOf":{"@id":"https:\/\/version-2.com\/2025\/02\/the-ultimate-guide-to-sigma-rules\/"},"author":{"name":"tracylamv2","@id":"https:\/\/version-2.com\/zh\/#\/schema\/person\/011bc7c3731c930bcfeecd52fefb6365"},"headline":"The Ultimate Guide to Sigma Rules","datePublished":"2025-02-26T08:55:34+00:00","mainEntityOfPage":{"@id":"https:\/\/version-2.com\/2025\/02\/the-ultimate-guide-to-sigma-rules\/"},"wordCount":1037,"commentCount":0,"publisher":{"@id":"https:\/\/version-2.com\/zh\/#organization"},"image":{"@id":"https:\/\/graylog.org\/post\/the-ultimate-guide-to-sigma-rules\/#primaryimage"},"thumbnailUrl":"https:\/\/graylog.org\/wp-content\/uploads\/2024\/04\/Ultimate-Guide-to-Sigma-Rules-2.jpg.webp","keywords":["2025","Graylog"],"articleSection":["Graylog","2025","Press Release"],"inLanguage":"zh-HK","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/graylog.org\/post\/the-ultimate-guide-to-sigma-rules\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/version-2.com\/2025\/02\/the-ultimate-guide-to-sigma-rules\/","url":"https:\/\/graylog.org\/post\/the-ultimate-guide-to-sigma-rules\/","name":"The Ultimate Guide to Sigma Rules - Version 
2","isPartOf":{"@id":"https:\/\/version-2.com\/zh\/#website"},"primaryImageOfPage":{"@id":"https:\/\/graylog.org\/post\/the-ultimate-guide-to-sigma-rules\/#primaryimage"},"image":{"@id":"https:\/\/graylog.org\/post\/the-ultimate-guide-to-sigma-rules\/#primaryimage"},"thumbnailUrl":"https:\/\/graylog.org\/wp-content\/uploads\/2024\/04\/Ultimate-Guide-to-Sigma-Rules-2.jpg.webp","datePublished":"2025-02-26T08:55:34+00:00","breadcrumb":{"@id":"https:\/\/graylog.org\/post\/the-ultimate-guide-to-sigma-rules\/#breadcrumb"},"inLanguage":"zh-HK","potentialAction":[{"@type":"ReadAction","target":["https:\/\/graylog.org\/post\/the-ultimate-guide-to-sigma-rules\/"]}]},{"@type":"ImageObject","inLanguage":"zh-HK","@id":"https:\/\/graylog.org\/post\/the-ultimate-guide-to-sigma-rules\/#primaryimage","url":"https:\/\/graylog.org\/wp-content\/uploads\/2024\/04\/Ultimate-Guide-to-Sigma-Rules-2.jpg.webp","contentUrl":"https:\/\/graylog.org\/wp-content\/uploads\/2024\/04\/Ultimate-Guide-to-Sigma-Rules-2.jpg.webp"},{"@type":"BreadcrumbList","@id":"https:\/\/graylog.org\/post\/the-ultimate-guide-to-sigma-rules\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9801","item":"https:\/\/version-2.com\/zh\/"},{"@type":"ListItem","position":2,"name":"The Ultimate Guide to Sigma Rules"}]},{"@type":"WebSite","@id":"https:\/\/version-2.com\/zh\/#website","url":"https:\/\/version-2.com\/zh\/","name":"Version 2","description":"","publisher":{"@id":"https:\/\/version-2.com\/zh\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/version-2.com\/zh\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"zh-HK"},{"@type":"Organization","@id":"https:\/\/version-2.com\/zh\/#organization","name":"Version 
2","url":"https:\/\/version-2.com\/zh\/","logo":{"@type":"ImageObject","inLanguage":"zh-HK","@id":"https:\/\/version-2.com\/zh\/#\/schema\/logo\/image\/","url":"https:\/\/i0.wp.com\/version-2.com\/wp-content\/uploads\/2020\/08\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1","contentUrl":"https:\/\/i0.wp.com\/version-2.com\/wp-content\/uploads\/2020\/08\/v2-hk-hor-4.png?fit=1795%2C335&ssl=1","width":1795,"height":335,"caption":"Version 2"},"image":{"@id":"https:\/\/version-2.com\/zh\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/version-2.com\/zh\/#\/schema\/person\/011bc7c3731c930bcfeecd52fefb6365","name":"tracylamv2","image":{"@type":"ImageObject","inLanguage":"zh-HK","@id":"https:\/\/secure.gravatar.com\/avatar\/9d01d79cbfd8b2e878f5d701a362cc9fca466d33fec977b59706c23c1a2db15c?s=96&d=identicon&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/9d01d79cbfd8b2e878f5d701a362cc9fca466d33fec977b59706c23c1a2db15c?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/9d01d79cbfd8b2e878f5d701a362cc9fca466d33fec977b59706c23c1a2db15c?s=96&d=identicon&r=g","caption":"tracylamv2"},"url":"https:\/\/version-2.com\/zh\/author\/tracylamv2\/"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pbQRKm-re8","post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/posts\/104664","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/users\/149011790"}],"replies":[{"embeddable":true,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/comments?post=104664"}],"version-history":[{"count":4,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/posts\/104664\/revisions"}],"predecessor-version":[{"id":104668,"href":"https:\/\/version-2.com\/zh\/wp-jso
n\/wp\/v2\/posts\/104664\/revisions\/104668"}],"wp:attachment":[{"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/media?parent=104664"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/categories?post=104664"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/version-2.com\/zh\/wp-json\/wp\/v2\/tags?post=104664"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}