SigmaForge: Retrieval-Enhanced Sigma Rule Generation with DAG-Based Quality Evaluation
摘要
Developing cybersecurity detection rules in a format such as Sigma is a complex task since it requires a high level of understanding of both the threat landscape and the structure of the log sources being used which can lead to time-consuming and error-prone processes. To solve this issue, we created SigmaForge, a multi-agent framework that uses hybrid retrieval along with large language models to generate Sigma detection rules automatically. A dual validation loop is implemented to ensure quality: PySigma performs a syntax check of the code while a large language model performs semantic verification of the code with automatic retry on failure. To assess generated rules, we introduce a Directed Acyclic Graph (DAG)-based framework using the LLM-as-judge methodology to evaluate the functional equivalency of generated detection rules based upon four different dimensions: detection logic, log source, conditions, and MITRE mapping. A comparison of inter-rater reliability (Cohen’s \(\kappa =0.66\) ) indicates that our evaluation method is consistent. Compared to direct LLM prompting, SigmaForge achieves 100% syntactic correctness, improves log source matching by 9.7% points, and increases overall quality by 6.4% points. Notably, Qwen3-Coder-30B running on-premise achieves comparable quality to cloud models, enabling deployment in data-sovereign environments.