Motivated by the sudden growth of interest in Security Information and Event Management (SIEM) mechanisms worldwide, companies that develop cybersecurity products started building their own SIEM solutions as quickly as possible. Because of competition for market share, each of these companies developed its own proprietary format for security rules and built its analysis engine to work best with that specific format.

Soon enough, the lack of interoperability between the different products in the SIEM space became a problem. This gave birth to Sigma, a generic and open signature format that enables the creation of security-oriented rules describing an anomaly in a simple and straightforward manner. The Sigma language is very flexible and versatile and supports almost all existing log formats. It was designed with the understanding that every organisation may have different and unique needs or requirements for its cybersecurity product.

By using the Sigma rule language, a security analyst can write rules that can be used by any SIEM product and share them with ease. Moreover, Sigma has created new opportunities for the development of security within Computer Science: new products can be built that focus specifically on the Sigma language and on analysing organisations in terms of their human threats and standard workflows.

In conclusion, the Sigma rule language makes knowledge sharing easy and allows different SIEM platforms to collaborate. This is very important for the continued development and overall improvement of SIEM products. A common consequence of an open standard format like Sigma is also a flourishing of market competition around it, which makes Sigma-based products cheaper and/or of better quality. Sigma is here to stay, and it sits at the centre of attention in the world of SIEM development.

Kyriakos Stavridis

InnoSec, Greece