sigcheck
The sigcheck command evaluates events against loaded Sigma signatures and appends signature metadata to matching events. It does not filter events by itself; use match, filter, or fields after sigcheck to keep or display only signature matches.
Syntax
Run all loaded signature sets:
| sigcheck
Run only specific signature sets:
| sigcheck sets("set-name", "another-set")
The sets(...) argument accepts one or more signature set names. A set name is the directory name under the signatures directory.
See Signatures for how signature sets are loaded.
Output Fields
When a signature matches an event, sigcheck appends the following fields:
| Field | Description |
|---|---|
| sig_title | Sigma rule title |
| sig_id | Sigma rule ID, when present |
| sig_level | Sigma rule level, when present |
| sig_tag | Sigma rule tags |
| sig_selection | Matched Sigma selections |
If an event already contains one of these fields, new values are appended to the existing field values.
Log Source Matching
sigcheck uses the event fields category, product, and service as the Sigma log source. These fields are read from the event before evaluation and are used to skip rules whose logsource does not match.
For example, this search sets some log source fields before running sigcheck:
select web
| eval
category="webserver"
product="nginx"
| sigcheck
| match sig_title=*
| fields timestamp HOSTNAME sig_title sig_level sig_tag
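The two behaviours described above (skipping rules whose logsource does not match the event's category/product/service fields, then appending sig_* values to any existing ones) modelled in Python as an added illustration; this is not the product's own code, and the rules, events and simplified single-value selection matching are constructed for the example.

```python
# Added illustration of sigcheck semantics; not the product's implementation.
LOGSOURCE_KEYS = ("category", "product", "service")

# Constructed, simplified Sigma-like rules: each selection is a dict of
# field -> expected value, and a rule matches when any selection matches.
RULES = [
    {"title": "Nginx admin path request", "id": "rule-0001", "level": "medium",
     "tags": ["attack.discovery"],
     "logsource": {"category": "webserver", "product": "nginx"},
     "detection": {"selection": {"uri": "/admin"}}},
    {"title": "Sysmon cmd.exe start", "id": "rule-0002", "level": "high",
     "tags": ["attack.execution"],
     "logsource": {"product": "windows", "service": "sysmon"},
     "detection": {"selection": {"Image": "cmd.exe"}}},
]

def logsource_matches(rule, event):
    """Every logsource key the rule sets must equal the event field; unset keys do not constrain."""
    return all(event.get(k) == v for k, v in rule["logsource"].items() if k in LOGSOURCE_KEYS)

def matched_selections(rule, event):
    """Names of the rule's selections whose field/value pairs all equal the event's fields."""
    return [name for name, sel in rule["detection"].items()
            if all(event.get(f) == v for f, v in sel.items())]

def append_field(event, name, values):
    """sigcheck appends to an existing field instead of overwriting it."""
    event.setdefault(name, []).extend(values)

def sigcheck(event, rules=RULES):
    """Return a copy of the event with sig_* fields appended for each matching rule."""
    event = dict(event)
    for rule in rules:
        if not logsource_matches(rule, event):
            continue  # rule skipped before its detection logic is evaluated
        selections = matched_selections(rule, event)
        if not selections:
            continue
        append_field(event, "sig_title", [rule["title"]])
        if rule.get("id"):
            append_field(event, "sig_id", [rule["id"]])
        if rule.get("level"):
            append_field(event, "sig_level", [rule["level"]])
        append_field(event, "sig_tag", rule.get("tags", []))
        append_field(event, "sig_selection", selections)
    return event

# Constructed sample events: the second is the same request with no logsource fields set.
WEB_EVENT = {"HOSTNAME": "web01", "uri": "/admin", "category": "webserver", "product": "nginx"}
NO_LOGSOURCE = {"HOSTNAME": "web02", "uri": "/admin"}
```

As on the page, `sigcheck` here never drops events; keeping only matches is the job of a following `match sig_title=*` stage.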
Examples
Evaluate all loaded signatures against Windows events:
select winevents
| sigcheck
| match sig_title=*
| fields timestamp HOSTNAME sig_title sig_level sig_tag
Evaluate only the “emerging” collection of signatures:
select winevents
| sigcheck sets("emerging")
| match sig_title=*
| fields timestamp HOSTNAME sig_title sig_level sig_tag
Evaluate the “emerging” and “insider” collections of signatures:
select winevents
| sigcheck sets("emerging", "insider")
| match sig_title=*
| fields timestamp HOSTNAME sig_title sig_level sig_tag