# SIGMA

<mark style="color:green;">**Sigma Detection Rules**</mark> bring a flexible and standardized way to define detection logic using YAML-based structures. Inspired by the open Sigma format but adapted to Inopli’s internal data model, these rules allow analysts to describe correlations and matching conditions in a clear, human-readable form that abstracts away backend query language dependencies.

This rule type is especially useful for analysts familiar with SOC practices or SIEM rule writing, enabling fast onboarding and reusable logic across clients and use cases.

***

### Rule Structure

Each Sigma rule is written in **YAML format** and includes:

* <mark style="color:green;">**Metadata**</mark>\
  Descriptive fields like `title`, `id`, `description`, `status`, `level`, `tags`, and `author`
* <mark style="color:green;">**Detection Logic**</mark>\
  Conditions are expressed as field-value maps, lists, and logical operators. Inopli supports `selection`, `filter` and `condition` blocks.
* <mark style="color:green;">**Trigger Definition**</mark>\
  The condition is evaluated against the fields and values of each finding in the DRP dataset. When a finding matches, it is escalated according to the rule's `level`.

Example:

```yaml
title: Suspicious domain with sensitive keyword
id: 8c7a-fake-1234-5678
status: stable
description: Detects domains containing sensitive internal keywords
level: medium
author: drp.team@inopli.com

detection:
  selection:
    type: domain
    value|contains: "internal"
  condition: selection
```

***

### Detection Model

Sigma rules are translated internally into structured queries compatible with Inopli’s data engine. They can be applied over:

* IOCs (domain, IP, hash, email)
* Content fields (value, description, source, category)
* Context metadata (tenant, risk level, enrichment tags)

Supported operators:

* Exact match
* `contains`, `startswith`, `endswith`
* Lists (`field: ["a", "b"]`)
* Field modifiers (`value|contains`)
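The following is an added example, not Inopli's engine or code from this documentation: a small reference evaluator that takes the rule structure described above (the page's own rule plus two constructed ones using `filter`, a list value and the `startswith`/`endswith` modifiers) and runs it over constructed sample findings shaped like the data model listed in this section. The page does not state the matching semantics, so the example assumes case-insensitive comparison, that keys inside one `selection`/`filter` block are ANDed, that a list value is an OR of alternatives, and that `condition` joins block names with `and`/`or` plus an optional `not`. The rules are written as the dicts `yaml.safe_load` would return for the YAML form; use `safe_load` rather than `load` when reading analyst-supplied rule text.

```python
# Added example: minimal evaluator for Inopli-style Sigma rules (not Inopli's engine).
# Assumed semantics: case-insensitive matching, AND across keys of one block,
# OR across list alternatives, condition grammar = names joined by and/or with optional not.
from typing import Any, Optional


def _value_matches(actual: Any, expected: Any, modifier: Optional[str]) -> bool:
    """One operator from the page: exact match, contains, startswith, endswith, or a list."""
    if isinstance(expected, list):                 # field: ["a", "b"] -> any alternative
        return any(_value_matches(actual, e, modifier) for e in expected)
    if actual is None:                             # field absent from the finding
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if modifier is None:
        return a == e
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    raise ValueError(f"unsupported modifier: {modifier!r}")


def _block_matches(block: dict, finding: dict) -> bool:
    """Every 'field' or 'field|modifier' key in a selection/filter block must match."""
    for key, expected in block.items():
        field, _, modifier = key.partition("|")
        if not _value_matches(finding.get(field), expected, modifier or None):
            return False
    return True


def evaluate(rule: dict, finding: dict) -> bool:
    """True if the finding satisfies the rule's condition (precedence: not > and > or)."""
    detection = rule["detection"]
    blocks = {k: v for k, v in detection.items() if k != "condition"}
    tokens = detection["condition"].split()

    def parse_or(i):
        value, i = parse_and(i)
        while i < len(tokens) and tokens[i] == "or":
            rhs, i = parse_and(i + 1)
            value = value or rhs
        return value, i

    def parse_and(i):
        value, i = parse_not(i)
        while i < len(tokens) and tokens[i] == "and":
            rhs, i = parse_not(i + 1)
            value = value and rhs
        return value, i

    def parse_not(i):
        if i >= len(tokens):
            raise ValueError("condition ends unexpectedly")
        if tokens[i] == "not":
            value, i = parse_not(i + 1)
            return (not value), i
        if tokens[i] not in blocks:
            raise ValueError(f"condition references unknown block {tokens[i]!r}")
        return _block_matches(blocks[tokens[i]], finding), i + 1

    value, end = parse_or(0)
    if end != len(tokens):
        raise ValueError(f"unexpected token {tokens[end]!r} in condition")
    return value


def run(rules: list, findings: list) -> list:
    """Apply every rule to every finding; each hit carries the rule's level for escalation."""
    return [{"rule": r["title"], "finding": f["id"], "level": r["level"]}
            for r in rules for f in findings if evaluate(r, f)]


# The page's own rule, in the form yaml.safe_load returns for it.
RULE_KEYWORD = {"title": "Suspicious domain with sensitive keyword", "level": "medium",
                "detection": {"selection": {"type": "domain", "value|contains": "internal"},
                              "condition": "selection"}}
# Constructed: same selection plus a filter block that excludes the tenant's own domains.
RULE_KEYWORD_FILTERED = {"title": "Sensitive keyword in a non-owned domain", "level": "high",
                         "detection": {"selection": {"type": "domain", "value|contains": "internal"},
                                       "filter": {"value|endswith": "example.com"},
                                       "condition": "selection and not filter"}}
# Constructed: list value (OR of IOC types) combined with a startswith modifier.
RULE_CREDENTIAL_IOC = {"title": "Credential-related IP or email IOC", "level": "high",
                       "detection": {"selection": {"type": ["ip", "email"],
                                                   "category|startswith": "credential"},
                                     "condition": "selection"}}
# Constructed sample findings shaped like the page's data model (type/value/source/category).
FINDINGS = [
    {"id": "f1", "type": "domain", "value": "login-internal-portal.net", "source": "certstream"},
    {"id": "f2", "type": "domain", "value": "internal.example.com", "source": "inventory"},
    {"id": "f3", "type": "ip", "value": "203.0.113.7", "source": "feed"},
    {"id": "f4", "type": "email", "value": "ceo@example.com", "category": "credential-leak"},
]

if __name__ == "__main__":
    for hit in run([RULE_KEYWORD, RULE_KEYWORD_FILTERED, RULE_CREDENTIAL_IOC], FINDINGS):
        print(hit)
```

Running the block reports four hits: the page's rule fires on both `f1` and `f2`, the filtered variant fires only on `f1` because `internal.example.com` is excluded by the `filter` block, and the list rule fires only on `f4` since `f3` carries no `category` field (an absent field never matches, so a missing enrichment silently suppresses a hit rather than raising an error). The evaluator rejects a condition that names a block the rule does not define, which is the check worth keeping when rules are loaded from analysts across tenants.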

***

### Use Cases

* Match known IOCs from shared threat intelligence
* Detect exposure of internal identifiers or keywords
* Alert on findings linked to specific attack techniques
* Build reusable rules for sector-specific monitoring

***

### Incident Triggering

Once matched, Sigma rules follow the same workflow as other rule types: they enrich the finding and, if not filtered as a false positive, **trigger an** <mark style="color:green;">**incident in the Response module**</mark>.
