An Overlooked but Intriguing Sigma Use Case

Florian Roth
2 min readDec 1, 2019


When we first talked about Sigma in 2016, I was fascinated by a use case that would solve a major problem when SIEM analysts integrate logs of unknown systems and applications.

I am talking about the “bundle with software” use case in which a developer provides Sigma rules with his/her product in order to facilitate the SIEM integration.

Why is this use case so intriguing to me?
Because the developer knows best, which log lines indicate highly critical situations.

In practice SIEM analysts that integrate an unknown application often

  1. Search through the log data of the last X months and try to identify the most relevant log lines by looking for “failed” or “error” keywords
  2. Approach that issue in time-consuming workshops in which the developers (or sometimes only the product owners) answer questions to the analysts

I always felt the urge to check the source code for error messages that would never appear under normal circumstances. Particularly because I’d like to detect the “unexpected bytes remain after decoding”, “invalid certificate signing key” or “unknown or unsupported key type” messages that only appear in cases of severe malfunctioning or exploitation.

How could you possibly write detection rules for events that never appear in good times?

On the contrary, a developer could provide Sigma rules for the most critical states. He can answer the questions:

  • What are noticeable events?
  • Which events should never appear and almost certainly indicate manipulations?
  • Which errors or messages are highly unlikely or very critical?
  • Which reasons for a failed logon are possible? Is there anything else than wrong password? E.g. unknown user, username contains unallowed characters, outside of logon hours, denied source address, denied logon type etc.

Who else can answer these questions?

If the software is an open sourced, you — as an analyst — could search the code for error messages that appear to be critical or uncommon. We did that for OpenSSH as an example.

I understand that developers most likely don’t know Sigma or have any incentive to get familiar with it. But maybe there are organisations that can see the added value of that use case and someday request the creation of Sigma rules just as they request a high test coverage today.