What is Sigma in the context of security monitoring?


Multiple Choice

What is Sigma in the context of security monitoring?

Explanation:
Sigma is a community-driven, open specification for describing detection rules that match on log events. It provides a generic, platform-agnostic format (often YAML) that captures what to look for in logs: event types, fields, and the logical conditions that indicate a security finding. Because Sigma rules aren't tied to a specific SIEM, you can write a rule once and convert it into the query language of different systems (Splunk, Elasticsearch, QRadar, ArcSight, etc.). This makes sharing detections across environments straightforward and helps keep detection logic consistent. A Sigma rule typically specifies where the logs come from (the log source), what to detect (the data fields and values of interest), and the condition that combines those selections to raise an alert. It is about describing suspicious log-based behaviour in a portable way, not about encryption standards, firewall policy languages, or malware hash databases.