Sigma Rules

The following article exclusively pertains to a Graylog Security feature or functionality. Graylog Security is a part of the Graylog centralized log management platform and requires a separate license. Contact the Graylog Sales team for more information on this product.

Sigma is an open, human-readable rule format used to detect suspicious or malicious behavior through log analysis. Written in YAML and designed to be platform-independent, Sigma rules describe common attack patterns, such as failed login attempts or abnormal PowerShell activity, that can be applied across different security tools and logging systems.

Graylog integrates Sigma rules directly into its event processing engine, allowing incoming logs to be automatically matched against a growing library of threat detection rules. This capability enables real-time alerting and faster incident response, turning threat intelligence into actionable detections.

In this section of the documentation, we review what Sigma rules and Sigma Correlation are; how to add, import, and configure Sigma rules and Correlation; and how to manage or modify existing rules.

Sigma Rules and Graylog

Graylog gives you flexibility in how you work with Sigma rules. Designed to be platform-independent, Graylog allows you to write or add Sigma rules and apply them to your environment. This capability makes these rules highly reusable and easy to share across organizations and teams.

With Graylog, you can:

  • Import rules directly from the SigmaHQ GitHub repository or from any public Git repository.

  • Upload rules from your local file system, individually or in bulk.

  • Create or modify rules using the built-in YAML editor.

  • Clone and customize existing rules to tailor detections to your environment.

  • Schedule executions and associate rules with specific streams for targeted analysis.

  • Correlate multiple rules to detect complex or multi-stage attack scenarios.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • You must have a Graylog Security license.

  • Graylog 4.3 or higher is required for Sigma rules.

  • Graylog Illuminate is recommended for use with Sigma rules and Sigma Correlation.

Highlights

The following highlights provide a summary of the key takeaways from this article:

  • Graylog supports Sigma rules, a universal YAML-based format, and Sigma Correlation to detect threats through log analysis.

  • Import rules from SigmaHQ or any Git repo, upload rules locally, or create or edit rules in the built-in YAML editor.

  • Each rule auto-generates an event definition, enabling real-time alerts and response workflows.

  • Sigma Correlation expands detection capabilities by identifying patterns that span multiple log events over time.

Sigma Rules and Correlation

Graylog supports two types of Sigma-based detection logic: Sigma rules and Sigma Correlation. Together, this provides both precision and depth for detecting suspicious activity in your log data.

Sigma Rules

A Sigma rule is the basic unit of detection in the Sigma framework. It is designed to identify logs that meet a specific pattern or condition, making them ideal for identifying individual events that might indicate suspicious activity in your environment—for example, a failed login attempt, execution of a known malicious command, or access to a restricted file.

Sigma Correlation

Correlation extends Sigma’s capabilities by analyzing patterns across multiple log events over time. Correlations are ideal for identifying complex, multi-stage attacks that might not be obvious from a single event. They help detect behaviors that require context and accumulation—such as brute-force attempts, privilege escalation, or lateral movement—by linking related events into a cohesive detection.

Graylog supports three Correlation types from the Sigma 2.0 specification:

Correlation Type Description
event_count Repeated events from same source (e.g. 10 failed login attempts from the same IP address).
value_count Variety of values tied to a single field. Triggers when a specific field (e.g. username or source IP) has multiple distinct values in a defined time frame (e.g. The same user account logs in from 5 different countries within 10 minutes).
temporal_ordered Detects a specific sequence of event types that occur in order within a given time frame (e.g. A user disables antivirus then downloads an executable file).

Create or Add a Sigma Rule

Rules can be added manually via the YAML editor, uploaded files, or imported from a Git repository. Sigma rules and Sigma Correlation automatically generate a corresponding event definition, allowing you to leverage the full range of alerting and automation features in Graylog. See Create or Add a Sigma Rule for more information.

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics: