
Create Sigma Rules

Generate Sigma detection rules for identifying specific threat behaviors, attack techniques, or malicious activity patterns.

The Prompt

# Create Sigma Rules

You are a threat detection engineer and SIEM specialist with deep expertise in Sigma rule development. Your task is to create accurate, actionable Sigma detection rules for the specified threat scenario.

## Input Details

- **Threat or attack technique:** [THREAT_OR_ATTACK_TECHNIQUE]
- **MITRE ATT&CK tactic/technique:** [MITRE_TACTIC_AND_TECHNIQUE_ID]
- **Log source:** [WINDOWS_EVENT / SYSMON / FIREWALL / WEB_PROXY / ENDPOINT / CLOUD_TRAIL]
- **SIEM platform:** [SPLUNK / ELASTIC / MICROSOFT_SENTINEL / QRadar / GENERIC]
- **False positive tolerance:** [LOW / MEDIUM / HIGH]
- **Detection goal:** [WHAT_BEHAVIOR_TO_DETECT]

## Instructions

1. Write a valid Sigma YAML rule with all required fields: title, status, description, references, author, date, logsource, detection, falsepositives, level, and tags.
2. The detection block must use proper Sigma syntax: keywords, field mappings, condition logic.
3. Write conditions that balance detection fidelity with manageable false positive rates.
4. Include ATT&CK tags in the correct format (attack.tXXXX).
5. Add a falsepositives section listing realistic legitimate behaviors that could trigger the rule.
6. Provide a tuning note — specific fields or values to filter to reduce false positives.
7. Write 2 variations: a broader "high sensitivity" rule and a narrower "high precision" rule.

## Output Format

Two complete Sigma YAML rules (high sensitivity and high precision), followed by tuning guidance and test case suggestions.
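As an added example that is not part of this prompt or of any output it generates, the Python harness below checks a rule dict against the required-field list from step 1 and runs a "high sensitivity" and a "high precision" variant (step 7) over constructed Sysmon-style process events, so the two variants can be compared on the same data before they reach a SIEM. The scenario (encoded PowerShell command lines), the rule values, the placeholder reference URL and the `mgmtagent.exe` parent name are assumptions chosen to fill the prompt's placeholders.

```python
import re

REQUIRED = ["title", "status", "description", "references", "author", "date",
            "logsource", "detection", "falsepositives", "level", "tags"]
def missing_fields(rule):
    """Required Sigma top-level fields (the prompt's list) absent from a rule dict."""
    return [f for f in REQUIRED if f not in rule]
def field_hits(event, key, expected):
    """One Sigma field entry, 'Field|modifier': a list of values means OR."""
    field, _, mod = key.partition("|")
    value = str(event.get(field, "")).lower()
    for w in [str(x).lower() for x in (expected if isinstance(expected, list) else [expected])]:
        if {"contains": w in value, "endswith": value.endswith(w),
            "startswith": value.startswith(w), "": value == w}[mod]:
            return True
    return False
def rule_matches(rule, event):
    """Evaluate the condition (selection names joined by and/or/not) for one event."""
    det = rule["detection"]
    hits = {n: all(field_hits(event, k, v) for k, v in s.items())
            for n, s in det.items() if n != "condition"}
    expr = re.sub(r"\b(?!and\b|or\b|not\b)\w+\b", lambda m: str(hits[m.group(0)]), det["condition"])
    assert re.fullmatch(r"[TrueFalsandot() ]+", expr)  # only booleans and operators remain
    return eval(expr, {"__builtins__": {}}, {})

# Constructed scenario for the placeholders: encoded PowerShell (ATT&CK T1059.001) in Sysmon process creation; illustrative, not a vetted rule.
COMMON = dict(status="experimental", author="example", date="2024/01/01",
              references=["https://example.invalid/placeholder"], tags=["attack.execution", "attack.t1059.001"],
              logsource={"category": "process_creation", "product": "windows"})
HIGH_SENSITIVITY = dict(COMMON, title="Encoded PowerShell (high sensitivity)", level="medium",
    description="Any process whose command line carries an encoded-command switch.",
    falsepositives=["Management agents and admin scripts that pass encoded arguments"],
    detection={"selection": {"CommandLine|contains": ["-enc ", "-EncodedCommand"]}, "condition": "selection"})
HIGH_PRECISION = dict(COMMON, title="Encoded PowerShell (high precision)", level="high",
    description="powershell.exe with an encoded command, minus an allow-listed parent.",
    falsepositives=["Ad-hoc admin use not launched by the allow-listed agent"],
    detection={"selection": {"Image|endswith": "\\powershell.exe", "CommandLine|contains": ["-enc ", "-EncodedCommand"]},
               "filter_agent": {"ParentImage|endswith": "\\mgmtagent.exe"},  # hypothetical agent name
               "condition": "selection and not filter_agent"})

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [  # constructed Sysmon-style process creation records
    {"Image": PS, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "powershell.exe -enc <base64>"},
    {"Image": PS, "ParentImage": "C:\\Agent\\mgmtagent.exe", "CommandLine": "powershell.exe -EncodedCommand <base64>"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe a.txt"},
]
def firing(event):
    """Titles of the two variants that fire on one event."""
    return [r["title"] for r in (HIGH_SENSITIVITY, HIGH_PRECISION) if rule_matches(r, event)]
```

The second event is the tuning case the prompt asks for in step 6: the broad rule fires on the management agent's encoded launch, the narrow rule filters it on `ParentImage`.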

📝 Fill in the blanks

Replace these placeholders with your own content:

[THREAT_OR_ATTACK_TECHNIQUE]
[MITRE_TACTIC_AND_TECHNIQUE_ID]
[WINDOWS_EVENT / SYSMON / FIREWALL / WEB_PROXY / ENDPOINT / CLOUD_TRAIL]
[SPLUNK / ELASTIC / MICROSOFT_SENTINEL / QRadar / GENERIC]
[LOW / MEDIUM / HIGH]
[WHAT_BEHAVIOR_TO_DETECT]

How to use this prompt

1. Copy the prompt: click "Copy Prompt" above to copy the full prompt text to your clipboard.

2. Replace the placeholders: swap out anything in [BRACKETS] with your specific details.

3. Paste into GPT-4o: open your preferred AI assistant and paste the prompt to get started.