Details
Content
Dependencies
Version History

This pack contains all needed objects to import and manage Sigma rules within Cortex TIM

Sigma

Overview

The Sigma Detection Rules content pack provides an integration with Sigma, a generic and open signature format for SIEM systems. This content pack enables you to create, manage, and utilize Sigma detection rules within Cortex TIM. Sigma rules allow you to describe relevant log events in a straightforward and universal format, which can be easily converted to SIEM-specific queries.

What does this pack do?

This new pack enables you to import Sigma rules either via a string or by a file into the Cortex TIM. Once in the system you can use the built-in scripts to convert the newly added rules into the format of your choice and use it to query 3rd party security products.

Content delivered with the content pack

An additional Cortex indicator type called "Sigma Rule".
All the relevant fields needed to store the data of the "Sigma Rule" indicator.
A new layout for the newly added indicator type.
Utility scripts needed to import Sigma rules and export them in the user chosen format.

Additional Information

For more information about Sigma and its uses, visit Sigma HQ.

Sigma

Overview

What does this pack do?

Content delivered with the content pack

An additional Cortex indicator type called "Sigma Rule".
All the relevant fields needed to store the data of the "Sigma Rule" indicator.
A new layout for the newly added indicator type.
Utility scripts needed to import Sigma rules and export them in the user chosen format.

Additional Information

For more information about Sigma and its uses, visit Sigma HQ.

Automations

Name	Description
CreateSigmaRuleIndicator
ImportSigmaRulesFromZIP	Deprecated. Use CreateSigmaRuleIndicator instead.
sigma-button-convert
SigmaConverttoQuery	Allows converting a Sigma Rule indicator into a SIEM query.

Indicator Fields

Name	Description
Sigma Rule ID
Sigma Rule Raw
Sigma Rule Status
Sigma Detection
Sigma False Positives
Sigma Condition
Sigma Rule License
Sigma Converted Query
Sigma Rule Level

Layouts

Name	Description
Sigma Rule Layout	Out of the box layout for the Sigma Rule indicator.

Playbooks

Name	Description
Query using Sigma rules	An example playbook on how to query Sigma rules from within TIM and query a SIEM/EDR.

Indicator Types

Name	Description
Sigma Rule

Automations

Name	Description
SigmaConverttoQuery	Allows converting a Sigma Rule indicator into a SIEM query.
CreateSigmaRuleIndicator
ImportSigmaRulesFromZIP	Deprecated. Use CreateSigmaRuleIndicator instead.
sigma-button-convert

Indicator Fields

Name	Description
Sigma Detection
Sigma Condition
Sigma Rule Level
Sigma Rule License
Sigma Rule ID
Sigma Rule Raw
Sigma Rule Status
Sigma False Positives
Sigma Converted Query

Layouts

Name	Description
Sigma Rule Layout	Out of the box layout for the Sigma Rule indicator.

Playbooks

Name	Description
Query using Sigma rules	An example playbook on how to query Sigma rules from within TIM and query a SIEM/EDR.

Indicator Types

Name	Description
Sigma Rule

Required Content Packs (5)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
MITRE ATT&CK	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

Optional Content Packs (6)

Pack Name	Pack By
Carbon Black Endpoint Standard	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
Elasticsearch	By: Cortex XSOAR
IBM QRadar	By: Cortex XSOAR
SentinelOne	By: SentinelOne
Splunk	By: Cortex XSOAR

All level dependencies (7)

Pack Name	Pack By
Filters And Transformers	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
MITRE ATT&CK	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Base	By: Cortex XSOAR

1.1.2 - 7843807 (March 22, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43568

Download

1.1.1 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

1.1.0 - 4995327 (September 21, 2025)

Scripts

sigma-button-convert

Replaced the QRadar AQL backend with a new library maintained by the IBM QRadar team.
Updated the Cortex XDR backend to its latest version.
Updated the Docker image to: demisto/pysigma:1.0.0.4905038.

CreateSigmaRuleIndicator

Updated the Docker image to: demisto/pysigma:1.0.0.4905038.

SigmaConverttoQuery

Replaced the QRadar AQL backend with a new library maintained by the IBM QRadar team.
Updated the Cortex XDR backend to its latest version.
Updated the Docker image to: demisto/pysigma:1.0.0.4905038.

Related pull requests:
- 41269

Download

1.0.4 - R3980324 (June 26, 2025)

Scripts

CreateSigmaRuleIndicator

Updated the Docker image to: demisto/pysigma:1.0.0.117232.

ImportSigmaRulesFromZIP

Deprecated. Use CreateSigmaRuleIndicator instead.

Related pull requests:
- 38952

Download

1.0.3 - 3042633 (April 2, 2025)

Scripts

SigmaConverttoQuery

Metadata and documentation improvements.

CreateSigmaRuleIndicator

Metadata and documentation improvements.

ImportSigmaRulesFromZIP

Metadata and documentation improvements.

sigma-button-convert

Metadata and documentation improvements.

Related pull requests:
- 39096

Download

1.0.2 - R2989425 (March 26, 2025)

Scripts

ImportSigmaRulesFromZIP

Fixed an issue where the script did not execute due to incorrect script timeout.
Updated the Docker image to: demisto/python3:3.12.8.1983910.

Related pull requests:
- 38714

Download

1.1.2 - 7850318 (March 23, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43568

Download

1.1.1 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

1.1.0 - 4995327 (September 21, 2025)

Scripts

sigma-button-convert

Replaced the QRadar AQL backend with a new library maintained by the IBM QRadar team.
Updated the Cortex XDR backend to its latest version.
Updated the Docker image to: demisto/pysigma:1.0.0.4905038.

CreateSigmaRuleIndicator

Updated the Docker image to: demisto/pysigma:1.0.0.4905038.

SigmaConverttoQuery

Replaced the QRadar AQL backend with a new library maintained by the IBM QRadar team.
Updated the Cortex XDR backend to its latest version.
Updated the Docker image to: demisto/pysigma:1.0.0.4905038.

Related pull requests:
- 41269

Download

1.0.4 - R3980324 (June 26, 2025)

Scripts

CreateSigmaRuleIndicator

Updated the Docker image to: demisto/pysigma:1.0.0.117232.

ImportSigmaRulesFromZIP

Deprecated. Use CreateSigmaRuleIndicator instead.

Related pull requests:
- 38952

Download

1.0.3 - 3042633 (April 2, 2025)

Scripts

SigmaConverttoQuery

Metadata and documentation improvements.

CreateSigmaRuleIndicator

Metadata and documentation improvements.

ImportSigmaRulesFromZIP

Metadata and documentation improvements.

sigma-button-convert

Metadata and documentation improvements.

Related pull requests:
- 39096

Download

1.0.2 - R2989425 (March 26, 2025)

Scripts

ImportSigmaRulesFromZIP

Updated the Docker image to: demisto/python3:3.12.8.1983910.

Related pull requests:
- 38714

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	September 29, 2024
Last Release	March 22, 2026

WORKS WITH THE FOLLOWING INTEGRATIONS:

VMware Carbon Black Endpoint Standard (Deprecated)

Palo Alto Networks Cortex XDR - Investigation and Response

DISCLAIMER

By downloading or using Marketplace content, you agree to the applicable Terms of Use and End User License Agreement. Third-party content is provided by its publisher, and Palo Alto Networks does not warrant, endorse, support, or assume responsibility for content not expressly identified as owned by Palo Alto Networks.