Panguard Guard uses Sigma rules as one of its primary detection engines. Sigma is an open, generic signature format for SIEM systems that allows you to describe log events in a structured way.
What Are Sigma Rules?
Sigma rules are YAML-based detection signatures that describe suspicious log patterns. They are vendor-agnostic — a single rule can be applied across different log sources and platforms. Panguard Guard’s agent pipeline evaluates Sigma rules against real-time log streams to detect threats.
Bundled Rules
Panguard Guard ships with 3,000+ Sigma rules from the SigmaHQ community repository, covering:
Authentication attacks (brute force, credential stuffing)
Privilege escalation techniques
Lateral movement patterns
Malware execution indicators
Persistence mechanisms
Data exfiltration behaviors
Living-off-the-land techniques
Rules are automatically updated from Threat Cloud when autoUpdate is enabled in the Guard configuration.
Sigma rules follow a standardized YAML structure:
```yaml
title: SSH Brute Force Detection
id: sigma-bf-ssh-001
status: stable
level: high
description: Detects multiple failed SSH login attempts from a single source
author: Panguard AI
date: 2026/03/01
tags:
  - attack.credential_access
  - attack.t1110
logsource:
  category: authentication
  product: linux
detection:
  selection:
    EventType: login_failed
    Service: sshd
  # count() counts matching events per SourceIp; count(SourceIp) by SourceIp
  # would count distinct values within each group and never exceed 1
  condition: selection | count() by SourceIp > 10
  timeframe: 5m
falsepositives:
  - Legitimate users with forgotten passwords
  - Automated deployment tools with misconfigured credentials
fields:
  - SourceIp
  - TargetUser
  - Service
```
Rule Fields
| Field | Required | Description |
|---|---|---|
| title | Yes | Human-readable rule name |
| id | Yes | Unique identifier |
| status | Yes | experimental, test, or stable |
| level | Yes | Severity: informational, low, medium, high, critical |
| description | Yes | What the rule detects |
| logsource | Yes | Log source specification (category, product, service) |
| detection | Yes | Detection logic with selections and conditions |
| falsepositives | No | Known false positive scenarios |
| tags | No | MITRE ATT&CK tags and custom tags |
| fields | No | Fields to include in alert output |
Custom Rules
Add custom Sigma rules by placing .yml files in the custom rules directory, {dataDir}/rules/, where {dataDir} defaults to ~/.panguard-guard. Custom rules are loaded alongside bundled rules and evaluated in the same pipeline.

```bash
# Create custom rules directory
mkdir -p ~/.panguard-guard/rules
# Add a custom rule: place its .yml file in that directory
```
Custom rules take effect immediately on the next detection cycle (typically within 60 seconds). No restart is required.
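A pre-flight check for a custom rule before it goes into {dataDir}/rules, as an added example (this is not Panguard's loader and does not describe how the agent validates rules): it enforces the required fields and allowed values from the Rule Fields table above and verifies that the condition references only selections that exist, since a rule with a typo in its condition is loaded into the same pipeline as everything else. Rules are handled as the dict a YAML loader such as yaml.safe_load returns, so the example needs nothing beyond the standard library; naming the written file after the rule id and all helper names are this example's choices.

```python
"""Pre-flight checks for a custom Sigma rule before it is placed in {dataDir}/rules
(added example, not Panguard's loader)."""
import re
from pathlib import Path

REQUIRED = ("title", "id", "status", "level", "description", "logsource", "detection")
STATUS = {"experimental", "test", "stable"}
LEVEL = {"informational", "low", "medium", "high", "critical"}
LOGSOURCE_KEYS = {"category", "product", "service"}
LIST_FIELDS = ("falsepositives", "tags", "fields")

def validate_rule(rule):
    """Return a list of problems found; an empty list means the rule passes."""
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in rule]
    if "status" in rule and rule["status"] not in STATUS:
        problems.append(f"status {rule['status']!r} is not one of {sorted(STATUS)}")
    if "level" in rule and rule["level"] not in LEVEL:
        problems.append(f"level {rule['level']!r} is not one of {sorted(LEVEL)}")
    logsource = rule.get("logsource")
    if isinstance(logsource, dict) and not (LOGSOURCE_KEYS & logsource.keys()):
        problems.append("logsource needs at least one of category, product, service")
    detection = rule.get("detection")
    if isinstance(detection, dict):
        if "condition" not in detection:
            problems.append("detection has no condition")
        else:
            names = set(detection) - {"condition", "timeframe"}
            # only the part before '|' names selections; what follows is an aggregation
            used = {t for t in re.findall(r"\w+", detection["condition"].split("|")[0])
                    if t not in ("and", "or", "not")}
            problems += [f"condition references unknown selection: {n}" for n in sorted(used - names)]
            problems += [f"selection {n!r} is never used in the condition" for n in sorted(names - used)]
    for key in LIST_FIELDS:
        if key in rule and not isinstance(rule[key], list):
            problems.append(f"{key} must be a list")
    return problems

def custom_rules_dir(data_dir=None):
    """{dataDir}/rules, with {dataDir} defaulting to ~/.panguard-guard as the page states."""
    return (Path(data_dir) if data_dir else Path.home() / ".panguard-guard") / "rules"

def install_rule(rule, rule_yaml, data_dir=None):
    """Validate, then write the rule's YAML source as <id>.yml (file naming is this example's choice)."""
    problems = validate_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    target = custom_rules_dir(data_dir)
    target.mkdir(parents=True, exist_ok=True)
    path = target / f"{rule['id']}.yml"
    path.write_text(rule_yaml)
    return path

# The page's SSH brute-force rule as the dict yaml.safe_load would return from its YAML.
SSH_RULE = {
    "title": "SSH Brute Force Detection", "id": "sigma-bf-ssh-001", "status": "stable",
    "level": "high", "description": "Detects multiple failed SSH login attempts from a single source",
    "logsource": {"category": "authentication", "product": "linux"},
    "detection": {"selection": {"EventType": "login_failed", "Service": "sshd"},
                  "condition": "selection | count() by SourceIp > 10", "timeframe": "5m"},
    "falsepositives": ["Legitimate users with forgotten passwords"],
    "tags": ["attack.credential_access", "attack.t1110"],
    "fields": ["SourceIp", "TargetUser", "Service"],
}

# Constructed broken variant: bad level, a typo in the condition, tags given as a string.
BROKEN_RULE = {**SSH_RULE, "level": "urgent", "tags": "attack.t1110",
               "detection": {**SSH_RULE["detection"], "condition": "selecton | count() by SourceIp > 10"}}
```

Run `validate_rule` on a rule dict before `install_rule`; the latter refuses to write anything that fails the checks, so a typo such as `selecton` never reaches the detection cycle.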
Supported Features
Panguard’s Sigma engine supports the following detection features:
Boolean Logic
```yaml
detection:
  selection1:
    EventType: login_failed
  selection2:
    EventType: login_success
  condition: selection1 and not selection2
```
Aggregation
```yaml
detection:
  selection:
    EventType: login_failed
  condition: selection | count() by SourceIp > 10
  timeframe: 5m
```
Supported aggregation functions: count, min, max, avg, sum.
Modifiers
| Modifier | Description | Example |
|---|---|---|
| contains | Substring match | `CommandLine\|contains: 'wget'` |
| startswith | Prefix match | `FilePath\|startswith: '/tmp'` |
| endswith | Suffix match | `FileName\|endswith: '.sh'` |
| re | Regular expression | `CommandLine\|re: '(curl\|wget).*\|.*sh'` |
| all | All values must match | `Tags\|all: ['malware', 'dropper']` |
| base64 | Base64-decoded match | `CommandLine\|base64\|contains: 'password'` |
Wildcards
```yaml
detection:
  selection:
    CommandLine: '*wget*evil*'
    FilePath: '/tmp/*.sh'
```
Use * for any number of characters and ? for a single character.
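The rule structure shown earlier and the four features above (boolean logic, aggregation with a timeframe, modifiers, wildcards) in one added example: a small Python evaluator that runs Sigma-style rules over constructed log events. It is not Panguard's engine and makes no claim about how the agent implements these features; the rule dicts are the form a YAML loader such as yaml.safe_load would return, so nothing beyond the standard library is needed. Assumptions of this example: string matching is case-insensitive, `base64` decodes the event value before comparing (the table's "Base64-decoded match"), `count()` counts events while `count(field)` counts distinct values, aggregation uses a sliding window ending at each event, and timestamps are epoch seconds. Sample rules, events and all helper names are constructed for the demonstration.

```python
"""Minimal Sigma-style evaluator (added example, not Panguard's engine). Timestamps are epoch seconds."""
import base64, operator, re
from collections import defaultdict

# Constructed rules in the dict form yaml.safe_load would return (non-detection keys omitted):
# the page's SSH brute-force rule, and one exercising modifiers, wildcards and 'and not'.
SSH_BRUTE_FORCE = {"title": "SSH Brute Force Detection", "detection": {
    "selection": {"EventType": "login_failed", "Service": "sshd"},
    "condition": "selection | count() by SourceIp > 10", "timeframe": "5m"}}
SUSPICIOUS_DOWNLOAD = {"title": "Script downloaded into /tmp", "detection": {
    "download": {"CommandLine|contains": ["wget", "curl"]},
    "script": {"FilePath": "/tmp/*.sh"},
    "allowlist": {"User|startswith": "svc_"},
    "condition": "download and script and not allowlist"}}

_KEYWORDS = ("and", "or", "not", "(", ")")
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le, "==": operator.eq}
_AGG = re.compile(r"(count|min|max|avg|sum)\((\w*)\)(?:\s+by\s+(\w+))?\s*(>=|<=|==|>|<)\s*([\d.]+)")

def parse_timeframe(text):
    """'5m' -> 300 seconds; assumed format <int><s|m|h|d>."""
    return int(text[:-1]) * _UNITS[text[-1]]

def value_matches(actual, expected, mods):
    """Compare one event value (string) with one rule value under a modifier chain."""
    if "base64" in mods:  # page: "Base64-decoded match", so decode the event value first
        try:
            actual = base64.b64decode(actual, validate=True).decode("utf-8", "replace")
        except ValueError:
            return False
    if "re" in mods:
        return re.search(str(expected), actual) is not None
    a, e = actual.lower(), str(expected).lower()  # Sigma string matching is case-insensitive
    if "contains" in mods:
        return e in a
    if "startswith" in mods:
        return a.startswith(e)
    if "endswith" in mods:
        return a.endswith(e)
    # exact match, with '*' standing for any run of characters and '?' for exactly one
    return re.fullmatch(re.escape(e).replace(r"\*", ".*").replace(r"\?", "."), a) is not None

def selection_matches(selection, event):
    """Every field clause must hold; a list of values is OR unless |all is set."""
    for key, expected in selection.items():
        field, *mods = key.split("|")
        values = expected if isinstance(expected, list) else [expected]
        hits = [value_matches(str(event.get(field, "")), v, mods) for v in values]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True

def eval_boolean(expr, selections, event):
    """Evaluate e.g. 'sel1 and not sel2'; every token is checked first, so eval only sees booleans and keywords."""
    toks = re.findall(r"\(|\)|\w+", expr)
    unknown = [t for t in toks if t not in _KEYWORDS and t not in selections]
    if unknown:
        raise ValueError(f"condition references unknown selection(s) {unknown}")
    out = [t if t in _KEYWORDS else str(selection_matches(selections[t], event)) for t in toks]
    return eval(" ".join(out), {"__builtins__": {}})

def evaluate(rule, events):
    """Return alerts as (title, group value or None, timestamp of the event that tripped the rule)."""
    det = rule["detection"]
    selections = {k: v for k, v in det.items() if k not in ("condition", "timeframe")}
    bool_part, _, agg_part = (p.strip() for p in det["condition"].partition("|"))
    matched = sorted((e for e in events if eval_boolean(bool_part, selections, e)), key=lambda e: e["ts"])
    if not agg_part:  # plain rule: one alert per matching event
        return [(rule["title"], None, e["ts"]) for e in matched]
    func, field, by, op, threshold = _AGG.fullmatch(agg_part).groups()
    window = parse_timeframe(det["timeframe"])  # aggregation rules on this page always set a timeframe
    groups = defaultdict(list)
    for e in matched:
        groups[e.get(by)].append(e)  # 'by' is None without a group field, giving a single group
    alerts = []
    for group, evs in groups.items():
        for i, e in enumerate(evs):  # window of matching events ending at this one
            recent = [x for x in evs[:i + 1] if e["ts"] - x["ts"] <= window]
            if func == "count":  # count() counts events, count(field) counts distinct values
                val = len({x.get(field) for x in recent}) if field else len(recent)
            else:
                nums = [float(x[field]) for x in recent]
                val = {"min": min, "max": max, "sum": sum}.get(func, lambda n: sum(n) / len(n))(nums)
            if _OPS[op](val, float(threshold)):
                alerts.append((rule["title"], group, e["ts"]))
                break  # one alert per group is enough here
    return alerts

def ev(ts, **fields):
    """Constructed log event at epoch second ts."""
    return {"ts": ts, **fields}

SAMPLE_AUTH_EVENTS = (
    [ev(i * 15, EventType="login_failed", Service="sshd", SourceIp="10.0.0.5") for i in range(12)]  # 12 in 3 min
    + [ev(i * 1200, EventType="login_failed", Service="sshd", SourceIp="10.0.0.9") for i in range(3)]  # 3 in 40 min
    + [ev(100, EventType="login_success", Service="sshd", SourceIp="10.0.0.5")])  # outside the selection
SAMPLE_PROCESS_EVENTS = [
    ev(0, User="www-data", CommandLine="wget http://example.invalid/x.sh -O /tmp/x.sh", FilePath="/tmp/x.sh"),
    ev(1, User="svc_deploy", CommandLine="curl -o /tmp/d.sh https://example.invalid/d", FilePath="/tmp/d.sh"),
    ev(2, User="alice", CommandLine="wget https://example.invalid/r.pdf", FilePath="/home/alice/r.pdf")]
```

`evaluate(SSH_BRUTE_FORCE, SAMPLE_AUTH_EVENTS)` raises one alert for 10.0.0.5 at the eleventh failure (second 150) and none for 10.0.0.9, whose three failures never fall inside one 5-minute window; `evaluate(SUSPICIOUS_DOWNLOAD, SAMPLE_PROCESS_EVENTS)` fires only for the www-data event, since the service account is excluded by `not allowlist` and the PDF path fails the `/tmp/*.sh` wildcard. The point of the condition checker in `eval_boolean` is that a misspelled selection name is rejected up front rather than silently matching nothing.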
With 3,000+ rules, Panguard uses a pre-compiled rule index for fast evaluation. Custom rules are indexed upon load. Keep individual rule conditions focused and specific to maintain detection speed.
| Metric | Typical value |
|---|---|
| Rule loading time | < 2 seconds for 3,000 rules |
| Per-event evaluation | < 5 ms |
| Memory overhead | ~50 MB for full rule set |
| Custom rule limit | No hard limit (recommend < 500) |
Disabling Rules
To disable a specific bundled rule without deleting it, add its ID to the exclusion list:
```bash
panguard config set rules.excludeIds '["sigma-fp-001", "sigma-noisy-002"]'
```
Or in config.json:
```json
{
  "rules": {
    "excludeIds": ["sigma-fp-001", "sigma-noisy-002"]
  }
}
```