Sigma Rules to Production: Building a CI/CD Pipeline for Detection-as-Code

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Detection-as-code is not a buzzword. It is the practical answer to a problem every detection engineering team eventually hits: rules get written in one SIEM, never ported to the other, tested inconsistently, and rolled back manually when they cause alert storms. The Sigma rule format solves the portability problem by providing a vendor-neutral YAML schema. The CI/CD pipeline solves the operational problem by enforcing review, automated testing, and staged deployment before any rule touches production.
This guide is written for teams that already have some Sigma rules in a repository and want to formalize the deployment path. You do not need a mature DevOps practice. You need GitHub Actions (or any equivalent), Python for pySigma, and API access to at least one production SIEM. The patterns here apply to Sentinel and Splunk specifically, but the pipeline structure translates directly to Elastic, QRadar, or any backend that pySigma supports.
By the end you will have a working pipeline that converts rules on pull request, runs them against sample log data, deploys to a staging workspace, waits for human sign-off, deploys to production, and automatically opens a rollback PR if post-deployment false positive rates spike above threshold.
Repository Structure and Git Branching Strategy
Start with a clear directory layout. Keep Sigma YAML files under a rules/ directory, organized by MITRE tactic: rules/initial-access/, rules/persistence/, rules/lateral-movement/, and so on. This mirrors the ATT&CK taxonomy and makes coverage gap analysis trivial later.
Branch strategy mirrors a standard GitFlow. The main branch represents what is currently deployed to production. A staging branch represents what is deployed to your staging SIEM workspace. Feature branches follow the pattern feat/rule-name-technique-id. All new rules start on a feature branch and open a pull request to staging first.
Never merge directly to main. The pipeline enforces this via branch protection rules requiring at minimum two reviewers and all status checks passing. Require that at least one reviewer holds the detection-engineer role in your GitHub team to prevent analysts from bypassing peer review on high-noise rules.
pySigma Conversion Commands and Backend Configuration
Install the core toolchain with: pip install sigma-cli pySigma-backend-splunk pySigma-backend-microsoft365defender. For Sentinel you will use the microsoft365defender backend, which targets the Kusto Query Language used by Sentinel Analytics rules.
Basic conversion for a single rule: sigma convert -t splunk rules/lateral-movement/pass-the-hash-net.yml. For Sentinel KQL: sigma convert -t microsoft365defender -p sysmon rules/lateral-movement/pass-the-hash-net.yml.
In the pipeline you will batch-convert all rules in a changed directory. Use git diff --name-only origin/main HEAD -- rules/ to get the list of modified YAML files, then pass that list to sigma convert. This avoids reconverting the entire ruleset on every commit.
Backend pipelines matter. The -p sysmon flag applies the Sysmon field-mapping pipeline, which translates Sigma's generic field names (CommandLine, Image, ParentImage) to the names your data source actually uses. If you ingest Windows events via a different source, create a custom pipeline YAML under pipelines/ and reference it with -p pipelines/your-pipeline.yml. Commit pipeline configs to the repo alongside rules so field mappings are versioned.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Automated Testing with sigma-cli and Sample Log Data
A rule that converts successfully is not a rule that works correctly. You need to validate that the converted query actually matches known-malicious log samples and does not match known-benign ones.
Create a tests/ directory with subdirectories matching your rules/ layout. Each rule gets a YAML test file: tests/lateral-movement/pass-the-hash-net.yml. The test file specifies true-positive events (log lines that should trigger the rule) and true-negative events (log lines that should not).
For Splunk, spin up a free Splunk developer instance or use Splunk Attack Range for automated testing. The sigma-cli test command runs these validations: sigma test --backend splunk --pipeline sysmon rules/lateral-movement/pass-the-hash-net.yml.
For Sentinel, use the Kusto Explorer desktop client or az monitor log-analytics query CLI to run KQL against a test workspace populated with sample data. The EVTX Samples repository on GitHub provides thousands of Windows event log files organized by attack technique. Import the relevant EVTX files into your test workspace using the Sentinel Data Connector or a custom ingestion script.
Store test results as pipeline artifacts. If the true-positive rate for any rule drops below 100% or the false-positive rate exceeds a configurable threshold, fail the pipeline and block the merge.
GitHub Actions Workflow for the Full Pipeline
The workflow file lives at .github/workflows/detection-pipeline.yml. It triggers on pull_request to staging and push to staging and main.
The PR validation job runs on pull_request. Steps: checkout code, set up Python, install dependencies, identify changed rule files with git diff, run sigma convert on each changed file, run sigma test against sample data, upload conversion artifacts.
The staging deployment job runs on push to staging after PR merge. Steps: convert all rules in the repository, authenticate to your staging SIEM workspace using repository secrets (SENTINEL_STAGING_WORKSPACE_ID, SENTINEL_STAGING_CLIENT_SECRET, SPLUNK_STAGING_HEC_TOKEN), deploy rules via API, tag the commit with the deployment timestamp.
The production promotion job runs on push to main and requires a manual approval step via GitHub Environments. Configure the production environment to require one designated approver. The job deploys to production and writes a deployment manifest JSON file recording which rule versions are live. That manifest is the foundation for your rollback procedure.
Secret management: store all API keys in GitHub Actions Encrypted Secrets. Never hardcode workspace IDs or tokens in workflow files. Use environment-scoped secrets so staging keys cannot be used by production jobs.
Staging Deployment to Sentinel and Splunk
For Sentinel, use the Analytics Rules REST API. Endpoint: PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}. Authenticate with a service principal that has Microsoft Sentinel Contributor role on the staging workspace only.
Construct the request body by reading the converted KQL and wrapping it in the ScheduledAlertRule schema. Set severity, query frequency, query period, trigger threshold, and suppression settings. Store these operational parameters as YAML front matter in each Sigma rule file so they travel with the rule and do not require manual entry in the API call script.
For Splunk, use the savedsearches endpoint: POST https://splunk-staging:8089/servicesNS/nobody/search/saved/searches. Set alert_type, cron_schedule, dispatch.earliest_time, and actions.email or actions.notable as appropriate for your environment. Authenticate with a token stored in GitHub Secrets.
After deployment, wait 30 minutes and then query each SIEM for rule execution errors. For Sentinel, check the SecurityAlert table for alerts with ProviderName == "ASI Scheduled Alerts". For Splunk, check the _internal index for search scheduler errors. Fail the deployment job if any rule reports an execution error.
Rollback Procedure and False Positive Monitoring
The deployment manifest written during each production deployment contains the previous rule version hash. The rollback script reads the manifest, fetches the previous rule version from git history, converts it, and redeploys it to production via the same API paths.
Automate rollback triggering by adding a post-deployment monitoring job that runs 2 hours after each production push. The job queries Sentinel using KQL and Splunk using SPL for alert volume per rule compared to the 7-day baseline.
Sentinel KQL for false positive spike detection: SecurityAlert | where TimeGenerated > ago(2h) | where ProviderName == "ASI Scheduled Alerts" | summarize AlertCount = count() by AlertName | join kind=inner (SecurityAlert | where TimeGenerated between (ago(9d) .. ago(2d)) | summarize BaselineAvg = avg(count()) by bin(TimeGenerated, 1d), AlertName | summarize BaselineAvg = avg(BaselineAvg) by AlertName) on AlertName | where AlertCount > BaselineAvg * 3.
Splunk SPL equivalent: index=notable earliest=-2h | stats count as AlertCount by search_name | join search_name [search index=notable earliest=-9d latest=-2d | timechart span=1d count by search_name | stats avg(*) as BaselineAvg by search_name] | where AlertCount > BaselineAvg * 3.
If the job finds any rule exceeding three times its baseline alert volume, it opens a GitHub Pull Request from a rollback/ branch targeting main with the previous version of that rule and assigns it to the on-call detection engineer. The engineer reviews and merges to trigger the rollback deployment.
The bottom line
Detection-as-code only delivers value when the pipeline is fast enough that engineers actually use it instead of going around it. Keep total pipeline runtime under 10 minutes for a standard PR by caching Python dependencies and only converting changed rules. A pipeline that takes 45 minutes trains your team to deploy rules manually.
Frequently asked questions
Which pySigma backend should I use for Microsoft Sentinel?
Use the microsoft365defender backend (pySigma-backend-microsoft365defender). It produces KQL compatible with Sentinel Analytics Rules. Do not use the older sigmac AzureMonitor backend, as it generates outdated query syntax and is no longer maintained.
How do I handle Sigma rules that convert differently across SIEM backends?
Store the operational parameters (severity, frequency, threshold) as YAML front matter in each rule file. The conversion script reads these fields and constructs the correct API payload for each backend independently. This way one Sigma YAML file drives deployments to both Sentinel and Splunk without manual per-platform editing.
What is the minimum sample log data needed to run automated true-positive tests?
You need at least one log sample per detection condition in the rule. For rules with multiple conditions joined by OR, test each branch separately. The EVTX Samples GitHub repository (sbousseaden/EVTX-ATTACK-SAMPLES) organized by MITRE technique is a good starting point for Windows event log coverage.
How should I handle rules that are intentionally noisy in staging but tuned in production?
Add a tuning/ subdirectory per rule. Store baseline filters as separate condition files. The deployment script merges the base rule with the environment-specific filter file before conversion. Staging deploys the unfiltered version to expose noise; production deploys the filtered version. Both versions are versioned in git.
How do I prevent engineers from deploying directly to the production SIEM and bypassing the pipeline?
Restrict production SIEM API credentials to the GitHub Actions service principal only. Use a dedicated service account for pipeline deployments and rotate its credentials into GitHub Actions Encrypted Secrets quarterly. Revoke human accounts from the production workspace API role. All human rule changes must go through the PR pipeline.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
