Sigma rules Run community Sigma detections against digger's process and network telemetry.

What we support

Sigma is the de-facto open detection-rule format. digger ships a pragmatic, zero-dependency loader that supports a useful subset of the spec — enough to run the bulk of real-world process-creation and network-connection rules.

Where rules come from

The SigmaLoader walks two directories by default:

digger/rules/sigma/ — bundled rules that ship with digger (small curated set).
$DIGGER_INTEL_DIR/sigma-corpus/ — the live SigmaHQ corpus populated by the sigmahq_corpus feed (24h refresh). After a single digger intel update --only sigmahq_corpus, every SigmaHQ rule tagged command_and_control / credential_access / lateral_movement / privilege_escalation / persistence / defense_evasion / process_creation / network_connection lands in the cache and is picked up here automatically with zero detector-side changes.

Pass --dirs path1,path2 to digger sigma to add others.

Sigma feature	Supported
`logsource.category: process_creation`	Yes — matches against the `processes` collector
`logsource.category: network_connection`	Yes — matches against the `network` collector
`detection.<selection>` with field map	Yes
Modifiers: `contains`, `startswith`, `endswith`, `re`	Yes
Conditions: `selection`, `sel1 and sel2`, `sel1 or sel2`	Yes
Top-level keyword lists	Yes (matches anywhere in record values)
Complex conditions with parentheses, count aggregation, near-by correlation	No — rule skipped silently
Other log sources (registry_event, dns, file_event, …)	No

Rules that use unsupported features are silently skipped, not failed.

Field mappings

Sigma uses Sysmon-style field names. digger maps them to the equivalent fields on its process/network artifacts:

Sigma field	digger artifact field
`Image` / `exe`	`processes.data.exe`
`CommandLine` / `cmdline`	`processes.data.cmdline` (joined with space)
`ParentImage`	Resolved via `processes.data.ppid` → parent's exe
`ParentCommandLine`	Resolved via ppid → parent's cmdline
`User` / `Username`	`processes.data.username`
`DestinationIp` / `DestinationHostname`	`network.data.raddr[0]`
`DestinationPort`	`network.data.raddr[1]`

Running

# Run with default rule dirs (digger/rules/sigma/)
digger sigma --case-dir ./case-1

# Run with your own rule directories
digger sigma --case-dir ./case-1 --dirs ~/sigma-rules,/etc/digger/sigma

Or programmatically:

from digger.exchange.sigma import SigmaDetector
from pathlib import Path

n = SigmaDetector(dirs=[Path("~/sigma-rules").expanduser()]).run(store)
print(f"{n} sigma findings")

Example rule

title: Encoded PowerShell stager
id: 11111111-2222-3333-4444-555555555555
description: powershell.exe with the -EncodedCommand argument and a long base64 blob
level: high
tags:
  - attack.t1059.001
  - attack.execution
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - '-EncodedCommand'
      - '-enc'
  condition: selection

When this rule fires, digger emits a Finding tagged with severity high, MITRE technique T1059.001 (extracted from the attack.t1059.001 tag), and references to the matched process artifact.

Where to find rules

SigmaHQ/sigma — the community master rule set
Neo23x0/sigma — Florian Roth's curated set
Anything you write internally

Drop them under digger/rules/sigma/ for them to be picked up without --dirs. Subdirectories are supported (the loader uses rglob).